Whilst the overall UK data protection legal regime will not change significantly, Brexit is requiring businesses to consider their data protection compliance and, particularly, whether any of their data flows will be disrupted. We assess below what steps can be taken to mitigate the risks.
Significant Impact post Brexit
The biggest potential impact Brexit may have on UK data protection law is that the UK will no longer automatically maintain unhindered and uninterrupted data flows with the EU and its Member States.
One of the core tenets of the GDPR is the control of extra-EU (or, to be precise, extra-EEA) data transfers. The idea is that a transfer of data outside the EEA should be subject to legal controls to prevent EU law being circumvented by data being transferred to a place with less stringent laws.
Legal transfer controls are not required where the European Commission (or potentially a Member State) has ‘white-listed’ a country, in other words issued ‘an adequacy decision’. Where a country has not been white-listed, individual data controllers (i.e. businesses and other organisations that control personal data) must put in place their own legal mechanisms to legitimise a transfer of personal data or rely on a derogation.
Post Brexit, the UK will be outside the EEA and, as yet, it is not white-listed. As such, businesses that transfer data from the EEA to the UK should take the following steps:
- Assess their data flows to identify any personal data transfers that will be impacted by the UK leaving the EEA;
- Consider whether they need to put in place any legal data transfer mechanisms and/or other risk mitigation measures; and
- Consider writing to affected third parties (for example, customers) to explain their risk mitigation measures and provide some reassurance.
For completeness, the UK government is not currently imposing any restrictions on data flowing from the UK back into the EEA (pursuant to the Data Protection Act 2018 as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc)).
Potential Significant Impact post Brexit
A particular impact of Brexit will be on international businesses that are only subject to the GDPR and/or the Data Protection Act 2018 (UK) on the basis of the GDPR’s extra-territorial applicability (i.e. a business that does not have a footprint within the EU or UK, but is nonetheless offering goods/services to, or monitoring the behaviour of, individuals within the EU in accordance with GDPR Article 3(2)). Post Brexit, these international businesses will be required to appoint a representative within the EU.
A representative is, amongst other things, a contact point for the supervisory authority, who must be designated in writing and given a mandate to liaise with the supervisory authority on a business’s behalf (GDPR Article 27). Relevant businesses should consider whether they are required to appoint a representative under the GDPR, the Data Protection Act 2018 (UK), or both.
Lower Impact post Brexit
Post Brexit, the UK will largely be free to shape domestic data protection law as it sees fit. That said, whilst the UK may wish to take advantage of this freedom to a degree, there are strong reasons why the UK is unlikely to renege on its previous commitment to European-style privacy standards. A primary reason is the UK’s interest in procuring an adequacy decision from the European Commission to facilitate unencumbered transfers of personal data between the EU and the UK.
As such, whilst businesses should continue to monitor legal developments, the extensive GDPR compliance measures UK businesses have taken are unlikely to be in vain.