The Government has issued a statement of intent on its plans to issue a Data Protection Bill shortly. This follows the publication of the House of Commons Library briefing paper on Brexit and data protection last week (the report supports Members of Parliament in carrying out their parliamentary duties). The House of Lords European Union Committee also published a report on Brexit and data protection on 18 July. A key issue to be addressed is the data flows between the EU and the UK after Brexit. The House of Commons Library’s briefing paper observes that three quarters of overseas data transfers from the United Kingdom are to the EU.
In February it was confirmed that the current Data Protection Act 1998 (DPA), which implements the European Data Protection Directive (95/46/EC), will be partially repealed to ensure it does not create inconsistencies with the General Data Protection Regulation (GDPR), which will apply directly to the United Kingdom from 25 May 2018. The GDPR is more stringent than the DPA in ensuring that data subjects’ rights to privacy are protected. Further information about the key changes introduced by the GDPR can be found here. We also now have a clearer view of the Government’s intended approach on the Data Protection Bill that it plans to adopt to implement these (and other) changes so as to strengthen the data protection regime in the UK.
International data transfers
After Brexit, the United Kingdom will, like any other non-EU or non-EEA country, be considered a ‘third country’. Under the DPA and the GDPR, transfers of personal data to a third country will only be lawful if such a country has appropriate safeguards in place to protect the rights of data subjects.
Rules on data transfer
Once the United Kingdom leaves the EU or EEA, data transfers can therefore only take place if:
- the European Commission issues an adequacy decision in respect of the UK;
- a company has binding corporate rules in place; or
- standard model clauses have been entered into by a data controller and another data controller or data processor.
The House of Lords’ report considered that obtaining an adequacy decision would be the most appropriate route for the United Kingdom to ensure unrestricted data flows.
This requires the UK Government to ask the European Commission to adopt a decision certifying that the United Kingdom’s data protection laws offer equivalent protection to those of the EU. Such a decision can only be made once the United Kingdom is in fact a third country, i.e. after the United Kingdom has left the EU or EEA. The Lords Select Committee on the European Union noted that it is crucial that the United Kingdom ensures that a transitional framework is put in place during the Brexit negotiating process to guarantee the continued ability to transfer personal data lawfully between the United Kingdom and EU after Brexit, but before an adequacy decision is made.
It is important to remember that after Brexit, UK businesses will have to comply with UK domestic data protection law but may also have to comply with the GDPR itself if they are processing personal data of EU-based individuals. For example, a UK retailer selling its products to customers based in Germany will have to comply with the GDPR due to the GDPR’s extraterritorial approach.
Furthermore, if the EU issues an ‘adequacy decision’ in respect of the UK post-Brexit, the UK will have to ensure that it continues to meet the standards required by EU data protection laws in order to retain the adequacy decision.
The Data Protection Bill promises to ensure that the data protection regime in the UK is robust. The Government is no doubt seeking to ensure that the UK is in a good position to request an adequacy decision from the EU promptly following Brexit, to minimise the impact of Brexit on data transfers between the UK and the EU.