With a “no-deal” scenario looking increasingly likely, what steps should businesses be taking in relation to their data protection compliance regimes to prepare for 31 October this year?
The data protection framework in the UK post-Brexit
The EU General Data Protection Regulation (the “GDPR”) is the principal piece of data protection legislation across the EU. On exit day, the provisions of the GDPR will be incorporated into UK law by the European Union (Withdrawal) Act 2018 (the “Withdrawal Act”) and the GDPR will therefore remain the core law on data protection in the UK (subject to amendments to make the mechanics of the legislation work in light of the UK’s new status). Therefore, there will be no immediate change in respect of the data protection framework in the UK. In essence, post-Brexit there will be two versions of the GDPR – the existing EU version and a new UK version.
Cross-border transfers of personal data
The GDPR permits a free flow of personal data between EEA member states. Transfers out of the EEA are, however, only permitted in specified circumstances.
EEA to UK
When the UK ceases to be an EU member state it will become a "third country" for the purposes of the GDPR, and the free flow of personal data from the EEA to the UK will therefore no longer be permitted unless one of the specified circumstances applies:
- the European Commission has determined that the country to which the personal data is being transferred “ensures an adequate level of protection” (an “adequacy decision”);
- prescribed “appropriate safeguards” have been put in place such as standard contractual clauses or binding corporate rules; or
- a derogation applies such as the individual to whom the personal data relates having given their explicit consent to the transfer (having been informed of the possible risks).
The UK government has made it clear that it is aiming for an “adequacy decision” to be made by the European Commission permitting transfers to the UK and that it is ready to begin adequacy assessments. However, the EU’s position is that it cannot start such assessments until the UK is actually a third country. Moreover, adequacy assessments and discussions can take many months even once started. Businesses therefore need to ensure that they have alternative arrangements in place as it is unlikely that the UK will be the subject of an adequacy decision for some time after exit.
UK to EEA
The UK government has confirmed that transfers from the UK to the EEA will not be restricted and can continue as usual.
UK to non-EEA
Transfers from the UK to non-EEA countries are likely to be subject to similar rules as those in place at present. The UK will recognise existing EU adequacy decisions and standard contractual clauses so it is unlikely that additional steps need to be taken at present, although businesses should keep this under review.
UK to U.S. (under Privacy Shield)
In respect of transfers to U.S. organisations under the EU-U.S. Privacy Shield framework, modified arrangements will apply as this is a specific EU/U.S. arrangement. The government has confirmed it is making arrangements for the continued application of Privacy Shield to restricted transfers from the UK to the U.S. However, U.S. organisations participating in the Privacy Shield will need to update their public commitment to comply with the Privacy Shield to expressly state that those commitments apply to transfers of personal data from the UK. Businesses relying on Privacy Shield for UK-to-U.S. transfers should therefore check that each recipient’s published commitment has been updated in this way.
Whilst international transfers of personal data are the most prominent data protection concern associated with Brexit, it is likely to have an impact on a number of other issues under the GDPR.
UK/EU GDPR overlap
Given the extra-territorial effect of the GDPR, many businesses will, post-Brexit, be subject to both the EU and UK versions of the GDPR. Whilst the requirements in the UK will remain substantially the same, UK government ministers will have powers to amend the UK version of the GDPR to better account for its separation from the EU. Businesses should be aware that discrepancies may arise post-Brexit between their UK and EU data protection obligations, which may both apply in respect of the same processing (for example, where a UK establishment processes personal data about individuals who are in the EEA in relation to offering goods or services to those individuals).
For non-EEA businesses, the territorial scope of the "UK GDPR" will be equivalent to that under the GDPR, that is, it will apply to any controllers and processors outside the UK which offer goods or services to individuals in the UK or monitor the behaviour of UK individuals.
Representatives
UK organisations without any establishment in other EEA member states may need to consider the appointment of an EU representative if they offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA. A representative will need to be appointed unless the organisation’s processing is only occasional, does not include large-scale processing of special categories of data or criminal offence data, and is unlikely to result in a risk to individuals. After the UK exits the EU, the UK data protection legislation will require that a controller or a processor located outside of the UK (but subject to the provisions of the UK legislation) appoint a UK representative. Non-UK businesses should bear this in mind and consider the applicability of the UK legislation to them.
Privacy notices
Although the actual information required in a privacy notice is unlikely to change, it is worth reviewing privacy notices to check for any changes that may need to be made as a result of Brexit, for example, in relation to international transfers, references to lawful bases (see below), or representatives.
Lawful basis
All processing of personal data must be covered by a "lawful basis." One lawful basis is that the processing is necessary for compliance with a legal obligation under EU or EU member state law. Post-Brexit, a legal obligation under UK law will not constitute a lawful basis for processing under the EU version of the GDPR. Similarly, an obligation under EU or EU member state law is unlikely to constitute a "lawful basis" under the UK version of the GDPR. Businesses will need to rely on an alternative lawful basis. The most appropriate basis is likely to be that the processing is necessary “for the purposes of legitimate interests.” However, reliance on this basis requires businesses to conduct and document a balancing exercise to ensure that data subject interests do not override the legitimate interests, and it is not available to public authorities in the performance of their public tasks.