On 23 June 2016, the UK voted to leave the European Union (EU). The UK’s impending exit from the EU has left many businesses wondering what Brexit will mean for the UK’s data protection landscape and for their global data protection compliance.
The General Data Protection Regulation (GDPR)
The European data protection landscape is expected to be radically overhauled when the GDPR comes into force on 25 May 2018. The GDPR will raise EU data protection standards and introduce new compliance requirements. These changes include: implementing and maintaining documented policies and procedures; appointing a Data Protection Officer; carrying out data protection impact assessments on high-risk processing; enhanced data breach notification requirements; and increased fines for non-compliance, which can be up to €20 million or 4% of a business’s worldwide turnover, whichever is higher.
The GDPR will replace EU and national data protection legislation and will apply directly across all EU Member States. The timing of the UK’s exit is significant, as the GDPR is expected to have come into force before the UK leaves. There is uncertainty about whether the GDPR will apply in the UK after Brexit: once it has left, the UK will be free to determine its own data protection rules, and so many businesses with UK interests are now wondering what to expect. Given the level of trade that the UK does with Ireland and the rest of the EU, we expect that the UK government will try to ensure that its data protection laws do not overly inhibit trade or business interests overseas, which may mean that it will implement data protection legislation with compliance standards broadly equivalent or similar to those in the GDPR.
Irrespective of Brexit, the GDPR will have an impact on many UK businesses, as it extends the territorial reach of EU data protection legislation to capture non-EU businesses that offer goods and services to EU residents or monitor their behaviour, regardless of whether the processing takes place in the EU. As such, UK businesses trading with EU residents will be required to comply with the GDPR and will still need to ensure that they are ready for it in May 2018.
Many businesses that transfer data to and from the UK are now wondering what impact Brexit will have on data transfers between the EU and the UK.
Current EU data protection laws and the GDPR restrict the transfer of personal data from the EEA to countries outside the EEA, known as ‘third countries’, unless that third country provides “an adequate level of protection”. To put the significance of this into context, even accessing personal data from a third country amounts to a transfer of personal data. As such, simply accessing from Ireland personal data stored in a US-based cloud is considered a restricted data transfer. There are, however, a number of transfer mechanisms that businesses can rely upon to legitimise transfers to third countries, such as transferring to a white-listed country, obtaining consent to the transfer, model contracts, binding corporate rules and the Privacy Shield.
It is not yet clear whether Brexit will mean that the UK leaves the EEA as well as the EU. Recent commentary seems to indicate that this is increasingly likely. Following Brexit, the UK may decide to implement new data protection legislation imposing compliance standards broadly equivalent or similar to those in the GDPR, which the EU Commission may determine to be ‘adequate’. In this scenario, personal data could be transferred freely from the EEA to the UK, avoiding costs for businesses.
Alternatively, the UK may decide not to implement ‘adequate’ data protection legislation, in which case it will be considered a third country. In this scenario, businesses will have to rely on the existing transfer mechanisms in order to legitimise data transfers to the UK. Some of these transfer mechanisms can be expensive to use and result in significant paperwork for businesses.
Cross-border transfers of personal data have been a controversial issue in recent years. In some cases, the issue has resulted in landmark court cases (Schrems, Microsoft, Digital Rights Ireland’s challenge to the Privacy Shield) and new international arrangements (the Privacy Shield). Unfortunately for Irish and other EU businesses with UK interests, Brexit has resulted in some uncertainty and may increase the complexity involved in ensuring that data transfers across borders are carried out in a compliant fashion. We will continue to keep a close eye on developments.