Despite the whirlwind of uncertainty surrounding the UK’s departure from the EU without agreement (a “no deal” scenario), the UK government remains resolute that such an outcome is unlikely considering the mutual interests of the UK and the EU in securing a negotiated outcome before 29 March 2019. However, should this not be the case, what would this mean for data protection in the UK?
Currently, the rules which govern the collection and use of personal data are set at an EU-level by the General Data Protection Regulation (GDPR). In the UK, the Data Protection Act 2018 (which came into force on 25 May 2018) incorporates and supplements the standards set out in the GDPR and ultimately provides for a comprehensive data protection framework.
The GDPR itself states that organisations are free to transfer personal data within the EU; however, they are only permitted to transfer personal data outside of the EU if there is a legal basis for doing so.
At the beginning of this year, the House of Commons Digital, Culture, Media and Sport (DCMS) Committee highlighted in its report that retaining the ability to transfer data across EU borders is a fundamental issue to many UK technology businesses.
The report stated: “The success of the UK’s digital economy is underpinned by ongoing data transfer across the globe and particularly within the EU […] It is important to recognise that Brexit creates a potential risk that the UK’s ability to transfer data across borders will be limited”.
Bearing this in mind, what would all of this mean for the UK should there be no deal?
No deal: what happens?
The UK government has confirmed that should the UK leave the EU in March 2019 with no agreement in place regarding future arrangements for data protection, there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.
Although the free flow of personal data from the UK to the EU would largely be unaffected following a no deal scenario, the issue arises in the converse: where personal data is transferred from organisations established in the EU to those established in the UK, the legal framework governing such transfers would change on exit.
The EU already has a mechanism which allows for the free flow of personal data to and from countries outside of the EU. The European Commission has previously stated that if the UK’s level of personal data protection is deemed to be effectively equivalent to that of the EU (i.e. the GDPR), it would allow the transfer of personal data to and from the UK without restriction.
The UK government notes in its July 2018 White Paper “The future relationship between the UK and the EU” that it believes the EU’s adequacy framework provides the right starting point for data protection arrangements between the UK and the EU after Brexit. The White Paper emphasises that the UK and the EU start their extensive agreement on the exchange of personal data from a unique position of trust in each other’s standards and regulatory alignment on data protection. It also supports the ongoing cooperation between the UK’s Information Commissioner’s Office and EU Data Protection Authorities.
However, given that the granting of any such “adequacy decision” is not certain, the DCMS suggests in its guidance published on 13 September 2018 that it is worth considering an alternative legal basis for the processing of personal data; namely, the use of standard contractual clauses. In short, this means that by including any model European Commission pre-approved data protection clauses within your contracts with EU customers (and ensuring that their respective customers enter into the same) you would have the required lawful basis to transfer personal data to and from the EU following Brexit.
In summary, all of this suggests that the UK government’s approach to data protection post Brexit is generally very similar irrespective of whether or not an agreement is reached.