Understanding the practical implications of a “No Deal” Brexit (as compared to an exit under an approved Withdrawal Agreement) following last week’s vote against the current withdrawal proposal.
“No Deal” Brexit
Unless the UK can agree on a deal with the EU that meets the approval of the majority of the UK Parliament, withdraws its Article 50 notice, or can negotiate with the EU an extension to the 29 March 2019 departure (Exit Date), the UK will leave the EU without a ratified Withdrawal Agreement or an agreed Political Declaration (together, the Deal). The political uncertainties around the different scenarios warrant that businesses prepare for a “No Deal” Brexit in all areas, including in relation to the processing of personal data.
Under a “No Deal” Brexit scenario, the General Data Protection Regulation (GDPR) will form part of UK domestic law as “retained EU law” as a result of the EU (Withdrawal) Act 2018 (EUWA), with certain amendments made to it and also to the Data Protection Act 2018 and the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 under the (draft) Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Privacy Exit Regulations), which are intended to come into force on the Exit Date. This is collectively being referred to as the “UK GDPR”.
The Privacy Exit Regulations are necessary to replace references to EU law, institutions and procedures with UK domestic equivalents so that the regime established by the UK GDPR can function properly in a post-Brexit context. The proposed amendments ensure that the UK GDPR will have extraterritorial effect in the same way as the GDPR. The UK GDPR will apply to controllers and processors located outside the UK whose processing activities relate to offering goods or services to individuals in the UK or to the monitoring of the behaviour of individuals in the UK.
Here are the five key areas in which businesses will need to take action to prepare for a “No Deal” Brexit:
1. Data Transfers From the European Economic Area (EEA) to the UK. The UK will become a “third country” on the Exit Date. The European Commission will not be able to issue an adequacy decision regarding the UK by the Exit Date (at least, not unless the Exit Date is materially delayed). Businesses transferring data from the EEA into the UK will need to put in place a data transfer solution. Since there is no equivalent of the US Privacy Shield, the European Commission-approved standard contractual clauses (SCCs) (i.e., model clauses) will be the main option for businesses, unless they have Binding Corporate Rules (BCRs) already authorised or can rely on an Article 49 derogation.
With regard to such data transfers, businesses should update their privacy notices and record of processing to reflect any changes to their data transfer solutions. Current BCRs will need to be updated to make clear the UK is a third country. For BCRs that are authorised by the UK Information Commissioner’s Office (ICO), businesses will need to find a lead supervisory authority for the purpose of such BCRs within the EU/EEA.
Data Transfers From the UK to Other Countries: Such data transfers will remain largely unaffected. Here is what companies need to know regarding transfers from the UK…
… to the EEA: The UK government will “transitionally recognise” all EEA countries as providing an adequate level of protection. The UK government says it will keep this transitional arrangement under review.
… to “adequate” countries: The UK government will recognise the EU adequacy decisions that have been made by the European Commission prior to the Exit Date. As a result, transfers from the UK to countries covered by an EU adequacy decision can continue uninterrupted.
… under SCCs: The UK government will recognise SCCs as continuing to provide an appropriate safeguard for transfers from the UK to “third countries” (meaning non-EEA countries and those not subject to an adequacy decision). As such, UK organisations can continue to rely on SCCs that have been entered into prior to the Exit Date and UK organisations may continue to enter into SCCs after the Exit Date.
… under BCRs: The UK government will recognise BCRs authorised before the Exit Date as ensuring appropriate safeguards for transfers from the UK. Accordingly, current BCRs that are in place covering a UK export of data can continue to be relied on. However, the ICO advises that organisations update their BCRs, so that the UK is listed as a third country outside the EEA (but covered by export in regard to BCRs that have already been authorised). In regard to BCRs that are authorised by the ICO after the Exit Date, the ICO will authorise these under domestic law.
… under the Privacy Shield to the US: UK businesses can continue to transfer personal data to US organisations participating in the Privacy Shield, provided that those US organisations have updated their public commitment to comply with the Privacy Shield to expressly state that those commitments apply to transfers of personal data from the UK. Further information on this can be found on the US government’s Privacy Shield website.
2. UK and EU/EEA Representatives. The UK government will require controllers or processors located outside of the UK but which are offering goods or services to, or monitoring, individuals located in the UK to appoint a UK representative. The ICO notes that, as a result, some organisations may require both a UK representative under the UK GDPR and an EU/EEA representative under the GDPR (if the organisation is offering goods or services to, or monitoring, individuals located in the UK and in an EU/EEA Member State).
3. Data Protection Officers (DPOs). If an organisation is required to have a DPO under the GDPR, the same requirement will continue to apply under the UK GDPR. According to the ICO, companies “may continue to have a DPO who covers the UK and EEA. The UK and EU GDPRs will both require that your DPO is ‘easily accessible from each establishment’ in the EEA and UK”. However, this does not exclude the possibility of appointing the same DPO for the UK and EEA countries.
4. The ICO’s Role Post-Brexit (Can It Still Be a Lead Authority?). From the Exit Date, the ICO can no longer act as a lead authority for the purposes of the GDPR. However, the ICO says it “will still cooperate and collaborate with European supervisory authorities, as we did before GDPR and the one-stop-shop system, regarding any breaches of GDPR that affect individuals in the UK and other EU and EEA states”. The ICO advises: “If you will continue to carry out cross-border processing, and your current lead authority is the ICO, review the EDPB guidelines for identifying a controller or processor’s lead supervisory authority (last revised in April 2017), and consider which other EU and EEA supervisory authority will become lead authority on Exit Date (if any). You may want to contact them closer to exit date”. The ICO will, of course, continue to be what it calls the “independent supervisory body” for enforcement of the UK’s data protection regime.
5. The European Data Protection Board. The ICO will no longer be a member of the EDPB, which is the body established by the GDPR and made up of EU/EEA supervisory authorities in order to ensure consistency within the EU/EEA regarding interpretation of the GDPR and approach to regulatory action. However, the ICO has said it will seek to retain a strong relationship with the EDPB. Giovanni Buttarelli, the European Data Protection Supervisor, has said that he aims to “arrange the architecture to find a solution” to keep the ICO actively engaged with the EDPB.
When the authors of this blog post asked the ICO on 15 January 2019 about investigations that are currently in progress for which the ICO is acting as a lead authority, the ICO said it hopes to finalise any pending investigations, but that it will need to publish further guidance on this point. The ICO states on its website that it will be updating its “Guide to GDPR” to cover cross-border processing, lead supervisory authorities, and the one-stop shop in due course. In the meantime, it gives four scenarios to help organisations navigate the one-stop shop after Brexit, defining “cross-border processing” as when an organisation has an office, branch, or other establishment in the UK and its processing is likely to affect individuals in one or more EU or EEA states:
- Scenario 1: Where an organisation is currently cross-border processing in relation to two establishments (UK and EU/EEA) and the processing is not likely to substantially affect individuals in any additional EU or EEA state, then from the Exit Date it will have to deal with both the ICO and the supervisory authority in its EU/EEA establishment.
- Scenario 2: Where an organisation is currently cross-border processing in relation to two establishments (UK and EU/EEA) and the processing in the context of the activities of both the UK and EU/EEA establishment is likely to substantially affect individuals in other EU or EEA states, then from the Exit Date it will have to deal with both the ICO and its EU/EEA lead supervisory authority.
- Scenario 3: Where an organisation is currently cross-border processing in relation to three or more establishments (UK and two or more in EU/EEA) and the processing may or may not substantially affect individuals in any other EU or EEA state, then from the Exit Date it will have to deal with both the ICO and its EU/EEA lead supervisory authority.
- Scenario 4: Where an organisation is currently cross-border processing with an establishment in the UK and no establishment in the EU or EEA and its processing is likely to substantially affect individuals in one or more EU or EEA states, then from the Exit Date it will have to deal with the ICO and with the supervisory authorities in all EU and EEA states where individuals are located whose personal data is processed in connection with those activities.
“Deal” Brexit
This is the scenario in which the government is able to achieve new terms from the EU and gain approval from the UK Parliament, in which circumstances the UK will leave the EU on the Exit Date under the terms of a revised Withdrawal Agreement and Political Declaration. The UK will then enter into a transition period that is currently due to end on 31 December 2020 but could be extended (Transition Period). It is currently assumed that any renegotiation of the Withdrawal Agreement will not change the provisions on data protection.
Under this scenario, the Privacy Exit Regulations will come into force on the Exit Date, but since there is a Deal, the GDPR will continue to apply during the Transition Period. The GDPR will apply to the UK in the same manner as to any EU/EEA state, other than in regard to the cooperation and consistency mechanisms under Chapter VII of the GDPR, which appear to be disapplied by the Privacy Exit Regulations and the Withdrawal Agreement. The role of the ICO in the Transition Period remains unclear, and the ICO expects the EDPB to issue further guidance.
The current drafts of the Political Declaration and Withdrawal Agreement provide that an “adequacy” assessment for the UK will start after the Exit Date and that the EU will “endeavour” to adopt an adequacy decision in relation to the UK by the end of the Transition Period. In the meantime, transfers from the EU/EEA to the UK and vice versa will be considered adequate as under the current regime until the expiry of the Transition Period.
What Should Businesses Do Now?
While it is clear to those following Brexit that we continue to live in a period of uncertainty, businesses:
- That have the UK as a lead authority should reconsider their options and watch for guidance from the EDPB going forward (in particular as to the ICO’s role in the Transition Period for a “deal” Brexit)
- Should identify EEA to UK data flows and consider putting model clauses in place
- Whose US entities are certified under the US Privacy Shield must update their certifications and policies to ensure the UK is covered
- With BCRs should update their policies and documents to recognise the UK as a “third country” outside the EEA (but covered by export in regard to BCRs that have already been authorised) and consider a potential EU/EEA lead authority (see above) if the present lead authority is the UK
- With no UK presence should consider who will act as their UK representative (who must be located in the UK) if they are subject to UK law because they offer goods or services to data subjects in the UK or monitor their behaviour