As everyone knows, the Brexit process is in turmoil and we are facing a real possibility of a no deal Brexit. This was not the UK government's plan. In fact, it still isn't; there is talk of Parliament moving to prevent a no deal while Theresa May appears to continue to pursue some version of her deal, but with 29 March looming, businesses must do their best to prepare for all eventualities.
While cross-border data flows are a big issue for many, the good news is that businesses can take their own steps to minimise disruption, and the government has done what it can to ease the process, more successfully in the area of data protection than in many other areas.
Even if a cliff edge is avoided (or postponed) in March, the situation with Brexit is likely to remain extremely unclear. Some comfort can be drawn from the high profile given to maintaining the free flow of personal data between the EU and the UK after Brexit in the Political Declaration on the future relationship. Although the declaration is unlikely to survive in its current form, the data protection aspects are uncontentious and likely to be replicated in any future declaration.
The Political Declaration stresses the UK's commitment to a high level of personal data protection. The EU will aim to adopt an Adequacy Decision by the end of 2020 and in the same time frame, the UK will take comparable steps to facilitate personal data flows to the EU. We have known for some time that the EU would not begin adequacy discussions until after exit, but it is reassuring to learn the UK is unlikely to go to the back of the adequacy queue if and when negotiations do begin, and whether or not we exit with a deal and a transition period.
The UK data protection regime after Brexit
The UK has made preparations to adapt the GDPR to work as a piece of UK legislation in conjunction with the Data Protection Act 2018 (DPA18). The draft Data Protection, Privacy and Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019 will come into force on exit day, although if there is a transition period, application of all except the part relating to PECR will be delayed.
The Regulations consolidate and amend the EU GDPR and UK DPA18 to create a new UK GDPR. The responsibilities of data controllers in the UK will not change. GDPR standards will continue to apply. The ICO will, however, no longer sit on the EDPB and will not participate in the GDPR consistency mechanism.
The extraterritoriality of the UK's data protection framework will continue to apply. This means controllers or processors based outside the UK processing personal data about individuals in the UK in connection with offering them goods and services or monitoring their behaviour, will be caught. Crucially, this includes controllers and processors based in the EU.
The impact of the UK sitting outside the EEA without a transitional deal on exit (which would preserve the current position) or an adequacy arrangement will be felt in a number of areas.
The default position when the UK leaves the EU without a deal, or at the end of a transition period, is that it becomes a 'third country' for the purposes of transfers of personal data from the EU. The EEA countries will similarly become third countries with regard to the UK.
That means the UK will either need an Adequacy Decision or that organisations will need to use one of the data transfer mechanisms to export EEA data to the UK.
Under the GDPR, personal data may not be transferred outside the EEA unless there are protections in place to guarantee individuals rights and protections equivalent to those they enjoy in the EU. Countries which are considered to have a data protection regime providing an adequate level of protection equivalent to that in the EU may benefit from a Commission Adequacy Decision, which allows the free flow of personal data from the EU. Currently, 12 jurisdictions (including the Channel Islands) have full Adequacy Decisions. South Korea is currently being assessed, and the US has a partial (and controversial) Adequacy Decision in relation to transfers under the EU-US Privacy Shield.
In the absence of an Adequacy Decision, a number of other data transfer mechanisms can be used, principally the EC's standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs). Other, more limited options are also available.
Data exports from the UK to the EEA
Under the Regulations, the UK government has done what it can to preserve the free flow of personal data from the UK to the EEA. The UK will transitionally recognise all EEA States, EU and EEA institutions and Gibraltar as providing an adequate level of protection for personal data, allowing personal data to flow freely to them from the UK.
Data exports from the UK to third countries outside the EEA
Again, the Regulations provide reassurance in this area by essentially preserving the effect of existing mechanisms:
- The effect of existing EU Adequacy Decisions on a transitional basis (including the EU-US Privacy Shield) will be preserved.
- SCCs previously issued by the Commission will continue to be an effective basis for international data transfers from the UK in a no deal scenario, so organisations which transfer personal data to organisations overseas on the basis of SCCs can continue to rely on them. The ICO will have the power to issue new SCCs after exit day.
- Existing authorisations of Binding Corporate Rules (BCRs) made by the ICO will continue to be recognised in domestic law (although it is unclear how the EU will view BCRs authorised by the ICO). The ICO will have the power to authorise new BCRs after exit day.
Onward transfers of data originating in the EEA could be more problematic as flow-down of EEA protections will be required.
EEA to UK data transfers
The UK cannot provide for free flow of personal data into the UK so these are the data flows most at risk in the event of a no deal/no adequacy Brexit. Those relying on such transfers will need to make suitable provision, such as entering into standard contractual clauses (SCCs). Businesses should have these in place by 29 March 2019. Read more about the pros and cons of various data transfer mechanisms here.
Data transfers from the UK to the US under the Privacy Shield
The Regulations provide for the effect of the EU-US Privacy Shield to be preserved with respect to UK personal data flowing to the US. The Department of Commerce has said that US businesses importing personal data from the UK will need to state that explicitly in their Privacy Shield statements and may also need to make the same point clear in HR privacy policies if importing HR data from the UK.
It's not just data exports/imports which are an issue though. Businesses will also need to consider whether they have to appoint a representative in a third country jurisdiction. Under Article 27 GDPR, controllers and processors not established in the EU are required to appoint a representative unless they are a public authority; or their processing is only occasional, low risk and does not involve special category or criminal data on a large scale. With the UK outside the EU, businesses with establishments in the UK but not in the EU may be caught by Article 27.
Similarly, the Regulations replicate Article 27 so that controllers and processors not established in the UK (including those in the EU) will be required to appoint a representative unless they are a public authority; or their processing is only occasional, low risk and does not involve special category or criminal data on a large scale. Read more about the role of the representative here.
The location of your Lead SA and DPO
One of the long-heralded advantages of the GDPR compared with the outgoing EU data protection regime is the 'one stop shop' regulatory regime for organisations processing personal data across the EU. The UK will no longer be able to participate in this after Brexit (except during any transition period), which means that businesses which currently have their Lead SA in the UK will need to consider the location of a Lead SA in the EU. They may also want to consider whether they need a DPO based in the EU. See our article for more.
Check your contracts
However you decide to handle the issue of Brexit, it is important to check that any existing contracts and terms and conditions match your intentions. This is particularly the case for data transfer agreements or data processing agreements.
Don't forget that whatever lawful basis you rely on to export and/or import personal data, you may also need a data transfer agreement or data processing agreement. For example, for data exports to a processor or sub-processor, the GDPR sets out detailed requirements that an agreement must include in addition to addressing the transfer (see here for more).
Existing agreements, policies and terms and conditions may need to be amended or replaced if, for example, you decide to change the location of your DPO or your Lead SA, or perhaps the law under which the contract is governed (to a jurisdiction in the EU). You will also need to ensure that appropriate provision is made for the initial and onward transfers in accordance with GDPR requirements, especially as the first transfer may no longer be one envisaged by the relevant contract or terms and conditions. See our checklist for more information.
The UK's ICO has published guidance for businesses and SMEs on preparing for a no deal Brexit. This includes a 'six step' plan, broader guidance, FAQs, and an interactive tool to help assess whether SCCs are an appropriate data transfer solution. Further guidance will be provided to organisations currently relying on BCRs.