In this second Brexit blog, we will discuss some of the possible consequences in the field of data protection and privacy following Brexit on 29 March 2019.
Since the British Parliament voted against the proposed withdrawal agreement with the European Union (EU) on 15 January 2019, the public has been anxiously awaiting the Prime Minister’s next steps. If the EU’s firm stance is to be believed, the window for a soft Brexit has closed. Although the Court of Justice of the EU has ruled that the UK can still unilaterally revoke its withdrawal notification and cancel Brexit altogether, many companies are (or should be) bracing themselves for the most drastic outcome: a hard Brexit, with the UK becoming a third country as of 29 March 2019. Some are already moving offices, legal entities and funds to the continent. Since a (new) compromise on Brexit is by no means certain, here is what organizations that remain in the EU should know on the topic of data protection and privacy.
The General Data Protection Regulation (GDPR), which became applicable on 25 May 2018, applies directly in all EU member states. In preparation for Brexit the UK has also anchored the GDPR in national law, through the Data Protection Act 2018 and the EU withdrawal legislation that retains the GDPR as domestic law after exit day. Even though substantively the same legislative framework will continue to apply in the UK after Brexit, the UK will no longer be a member state and will therefore become a so-called third country. As a consequence, transfers of personal data from the EU to the UK will fall under the GDPR’s rules on transfers to third countries (Chapter V) and will require an appropriate safeguard, e.g. the EU standard contractual clauses (Model Clauses), which today is not needed for what is still an intra-EU transfer.
It has been speculated that the European Commission will adopt an adequacy decision for the UK following Brexit. Such a decision would allow personal data to flow freely from the EU to the UK without further safeguards; the reverse direction, from the UK to the EU, is a matter for UK law, and the UK government has indicated it intends to permit it. In theory, adopting such a decision could be considered a mere formality, seeing how the GDPR has been carried over into UK legislation. In practice, however, the European Commission has shown that adopting an adequacy decision can be a lengthy procedure even when no obvious obstacles stand in its way: the adequacy decision for Japan was first announced in a Commission communication in January 2017 and was only adopted in January 2019. Moreover, the assessment can only start once the UK has actually become a third country, so companies should expect a period in which no adequacy decision is in place and transfers must rest on another safeguard.
Where data transfers take place on the basis of binding corporate rules (BCR) approved by the UK Information Commissioner’s Office (ICO), the UK data protection authority, companies will have to verify whether the ICO acted as lead authority in that approval. Although the ICO has stated that BCR approved by it will remain valid after Brexit, that statement can only carry weight in the UK, where the ICO has authority. Whether such BCR will continue to be recognized in the EU is uncertain, because after Brexit the ICO will no longer be a competent supervisory authority within the meaning of the GDPR. For instance, the ICO will no longer sit on the European Data Protection Board (EDPB) and will have no say in the EDPB’s meetings or agenda. Therefore, in the event of a hard Brexit, groups relying on ICO-approved BCR should have them (re)approved by, or transferred to, a supervisory authority of a remaining EU member state as lead authority, so that they can continue to rely on the BCR for transfers from the EU to third countries.
Furthermore, UK companies conducting business in the EU, and possibly EU companies conducting business in the UK, may find themselves under an obligation to appoint a local representative. Post Brexit, a UK company without an establishment in the EU that offers goods or services to data subjects in the EU, or monitors the behavior of data subjects in the EU, will have to designate a representative in the EU under Article 27 GDPR, unless one of the exemptions in that article applies (occasional processing that does not involve large-scale special categories of data or criminal data and is unlikely to result in a risk to data subjects). Seeing how the GDPR has been carried over into UK law, EU companies conducting the same activities towards the UK may likewise be required to appoint a representative in the UK.
In light of the above, companies would do well to map their processing activities and data flows involving the UK, identify those that would be at risk following Brexit (transfers to the UK without a safeguard, BCR with the ICO as lead authority, the absence of a required representative), and start putting alternative measures in place in good time.