The question of whether a Brexit deal can be reached remains unanswered, and the current draft Withdrawal Agreement governing the UK’s exit from the EU – approved by the UK government and all other EU Member States – was emphatically voted down by the UK Parliament on 15 January 2019.
The date of the UK’s exit from the EU – 29 March 2019 (the “Exit Date”) – is fast approaching, and there is now a distinct possibility of the UK leaving the EU without agreed terms (a “no-deal Brexit”). This briefing considers how Brexit will impact data protection compliance for businesses in a ‘no-deal’ scenario and how businesses can prepare.
What is certain?
On the Exit Date, there will be no immediate divergence from the general principles underpinning the UK’s data protection regime and the EU General Data Protection Regulation (“GDPR”). The GDPR currently applies in the UK as supplemented by the UK Data Protection Act 2018 (the “DP Act”). On the Exit Date, the GDPR will be transposed onto the UK statute books, alongside the DP Act, without any other arrangements attached to it.
So, UK data protection compliance standards will almost certainly stay the same. When the UK stops being part of the EU (and becomes a ‘third country’), the uncertainty will revolve around practicalities such as implementing a data transfer regime for transfers of personal data to a country outside the EU and the role of the UK’s Information Commissioner’s Office (the “ICO”) as an EU supervisory authority (each, an “SA”).
What happens on the Exit Date?
Once the GDPR is transposed onto the UK statute books, it will be open to amendment by the UK legislature. At this stage, it is difficult to assess whether the UK legislature will want to amend the UK-transposed GDPR in this way and, if so, what changes would be made.
There is great incentive for the UK to keep being aligned with the GDPR in order to secure an ‘adequacy decision’ (see below), and the ICO has been vocal in the past about doing everything it can to maintain the UK’s personal data standards at the same level as the EU. Nevertheless, we cannot discount the possibility of the UK reviewing and amending the GDPR at any time after the Exit Date, starting to drift away from the GDPR over the coming years or even departing from it completely.
Navigating the issues:
The European Commission (EC) has the power to determine and formally acknowledge that a third country provides for an adequate level of data protection. Once a third country is granted an adequacy decision, an EU controller or processor may transfer personal data to that country as if the recipient were located in the EU.
The UK has always made it quite plain that it would prefer an adequacy decision. In a previous Brexit briefing in June 2016, we noted that an adequacy decision “at first [would] seem to be the preferred option”.
There are several factors assisting the UK in this respect. Most importantly, the UK already has an “unprecedented degree of alignment” with the GDPR and will continue to do so (at least initially) after the Exit Date. Therefore, the UK’s personal data protection laws will, upon the Exit Date, offer protection equivalent to that provided by the GDPR. Note, however, that the UK government has extensive surveillance and investigatory powers, which have come under scrutiny both by the UK courts and the EU – these powers could potentially scupper the UK’s chances of getting an adequacy decision, much as the US’s investigative powers did for the US a few years ago.
A. The route to an adequacy decision
If there is a no-deal Brexit, it is extremely unlikely that an adequacy decision will be issued by the EC in favor of the UK in time for the Exit Date. While the UK has stated that it would offer adequacy to the EU, a reciprocal statement has not been made by the EC. Therefore, businesses should put in place a data transfer mechanism for any transfers from the EU to the UK; see our recommendations below in “What Action Should You Take?”
B. Alternatives to an adequacy decision
In the absence of an adequacy decision, the UK may look to other formal arrangements with the EU, one being the Swiss solution, which we covered in our previous Brexit briefing. In short, this would entail the UK agreeing “to adopt… any future EU legislation on data protection”. While this would obviously facilitate personal data transfers between the EU and the UK, it may prove unpopular with Brexit supporters because it would force the UK to sign up to many of the EU’s future rules, without having any role in the rule-making. An EU-UK Privacy Shield (similar to the existing EU-U.S. Privacy Shield) has also been mooted as an option; however, it would involve both parties negotiating issues similar to those involved for an adequacy decision. In addition, historically, there have been concerns about the stability of the EU-U.S. Privacy Shield, with suggestions that it could be withdrawn quite quickly; in comparison, there is a more formal structure for reversing an adequacy decision.
C. Transfers from the UK to the EU (and elsewhere): adequate safeguards
Given that the GDPR will be transposed into the UK’s national laws upon Exit Date, any outbound personal data flows from the UK after the Exit Date will continue to be subject to a GDPR-like regime, and so adequate safeguards will be required to export the data from the UK.
In a notice published on 13 December 2018, the UK government stated that it will adopt an adequacy decision in respect of countries in the EEA and that it intends to adopt the same approach for other countries that already enjoy an adequacy decision under EU data protection law. This means that organisations in the UK will be able to freely transfer data to these ‘adequate’ countries. In respect of third countries that do not have adequacy status, the UK government confirmed that the EU’s Standard Contractual Clauses can continue to be used as a transfer mechanism for personal data transfers to those countries. The ICO will also have the power to issue new, UK-specific Standard Contractual Clauses after the Exit Date.
D. The ICO as an EU Data Protection Authority
The UK ideally wants the ICO: (i) to remain part of the European Data Protection Board (“EDPB”), a body made up of the data protection authorities (“DPAs”, i.e. the SAs) of each EU Member State, and (ii) to continue to have representation under the “one-stop-shop” regime, which allows controllers with operations across more than one EU Member State to liaise with only one ‘lead’ DPA.
The UK government published a technical note on 7 June 2018, arguing that a data protection treaty with the EU is necessary, in order to prevent complications and duplications, particularly in the context of enforcement actions. The proposed treaty was subsequently rejected by Michel Barnier in May 2018, who commented that the EU could not share its decision-making autonomy with a third country.
In a report by the House of Commons Committee on Exiting the EU on 3 July 2018, the UK restated its intention to enter into an extensive arrangement with the EU, stressing that the UK has no desire to interfere with the EU’s decision-making autonomy. The report also conceded that if the UK wishes to retain membership of the EDPB, it would probably have to grant the European Court of Justice (the “ECJ”) jurisdiction over aspects of data protection law in the UK post-Brexit. Further, any presence of the ICO on the EDPB would necessitate the alignment of the data protection laws of both the UK and EU. The UK would therefore not be able to diverge too greatly from the GDPR as long as it wishes to remain on the EDPB.
What Action Should You Take?
Whatever happens by the Exit Date, the material provisions of the GDPR will very likely continue to apply in the UK (whether directly or via transposition), so your data processing operations may not need to change drastically. However, as it is highly unlikely that the EC will grant an adequacy decision in the UK’s favour by the Exit Date, businesses are well advised to proactively put in place a data transfer mechanism.
- Standard Contractual Clauses: These clauses have been adopted by the European Commission and include contractual obligations between the data exporter (in the EU) and the data importer (in a third country), as well as enforceable rights for data subjects. You may already have these in place with existing third parties in third countries. In the short term, these clauses will help ensure that your personal data flows are unaffected after the Exit Date.
- Binding Corporate Rules: These govern the transfer of personal data between different entities of a multinational group of companies and must be authorised by the relevant SAs before you can rely on them for your personal data flows. Given the application process for these, this option may not be suitable for all types of businesses. Helpfully, the ICO has stated that it will not cancel any existing BCR authorisations made under or prior to the GDPR. Companies that already have BCR in place are advised to verify whether their scope also covers the UK after Brexit and, if not, to extend the scope of their BCR to include the UK as well. Their BCR should provide for a procedure for amending the BCR (which mostly requires publishing the updated version on their website and sending the updated version to their lead SA).
- Consent: Under Article 49 of the GDPR, personal data flows can take place if the transfer falls within one of the stated derogations, one of which is where a data subject gives informed consent to the transfer. While this option appears straightforward, bear in mind that consent can be withdrawn at any time and is appropriate only in limited circumstances (for example, employees cannot provide valid consent to their employer, as per WP29 guidance).
In addition, if you have data processing activities in more than one EU Member State and the ICO currently qualifies as your lead DPA (in accordance with Article 56 of the GDPR), you may have to assess which of the DPAs of the other EU Member States is best placed to qualify as your new lead DPA.
The UK has “committed to the highest standards of data protection”, so businesses should not expect a drastic shift in expectations about their processing activities in the UK. We expect further guidance from the ICO closer to the time to outline steps that organisations would need to take to continue to meet their obligations.