For information about Brexit generally, see Understanding Brexit on our website.
The UK has finally left the European Union. However, that is by no means the end of the story. Brexit "Phase Two" involves the detailed task of agreeing the future relationship between the two sides, something which Boris Johnson promised voters would be signed, sealed and delivered by the end of 2020. While there are significant challenges in agreeing a comprehensive trade deal in such a short period, from a data protection perspective the key will be whether the European Commission determines the UK's regime "adequate" (ie equivalent) to the EU's, so as to permit free movement of data to (and from) the remaining EEA countries following the expiry of the transition period. Such adequacy decisions typically take some time, and there are elements of the UK's data processing regime which cause the EC concern (for example, regarding national security processing); however, given that the UK's Data Protection Act will continue to be based on the GDPR post-Brexit, there is reason to hope that an adequacy decision may be achievable before or close to the withdrawal date of 31 December 2020.
Data Protection: what will (and will not) change, and what areas of uncertainty are there?
The European Union (Withdrawal) Act 2018 (2018 Act) incorporates the body of EU law, as it exists on "exit day" (31 January 2020), into UK law, irrespective of whether a deal has been signed or not. In addition, on "IP Completion Day" (the end of the implementation period, currently scheduled to be 31 December 2020), the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Exit Regulations) will come into force. (Note that references to "exit day" in the Exit Regulations are now to be read as "IP Completion Day", following changes made by the European Union (Withdrawal Agreement) Act 2020.) The Exit Regulations amend the General Data Protection Regulation (GDPR), incorporated into UK law by the 2018 Act, to ensure that it operates in a UK-specific context from the end of the implementation period (although certain elements came into force with the first proposed exit day of 29 March 2019). The amended version is aptly titled the "UK GDPR". The Data Protection Act 2018 (DPA 2018) will continue to apply from exit day, but minor changes will be made by the Exit Regulations to implement the UK GDPR from IP Completion Day.
In practice, this means that, during the implementation period, EU data protection law continues to apply in the UK in the same way as before exit day. Even after the implementation period (IP Completion Day), there are few substantive changes to the obligations that most organisations must comply with in relation to data protection issues. Three areas of change are nevertheless worth highlighting, which will apply from IP Completion Day: (1) data transfers; (2) appointment of EU/UK representatives; and (3) the role of the ICO and the one-stop-shop mechanism.
1 For further information on the current position in relation to the negotiation of a Free Trade Agreement between the UK and EU, refer to our client briefing "Brexit: where do we go from here?" (February 2020).
BREXIT SNAPSHOT: DATA PROTECTION ISSUES
Data transfers
Currently, personal data can be freely transferred between the UK and the rest of the European Economic Area (EEA), with no requirement to enter into transfer mechanisms. The extent to which this position changes following IP Completion Day depends on which direction the personal data is flowing, and whether there is a deal in place or not.
For transfers from the UK to the EEA, nothing should change, whether or not a comprehensive trade deal is agreed before the end of the implementation period. Existing adequacy decisions will, under amendments made to the DPA 2018 by the Exit Regulations, be preserved. Data transfers from the UK to the EEA and those countries with existing adequacy decisions will therefore be able to continue without any necessary additional safeguards.
For transfers from the EEA to the UK, the EU GDPR will, pursuant to the 2018 and 2020 Acts, continue to apply until the end of the implementation period (IP Completion Day), and there should be no changes up to this point. Following expiry of the implementation period, unless a so-called "adequacy decision" is made in respect of the UK, the EU GDPR will under the withdrawal agreement continue to apply to data transfers from the EEA to the UK, so long as the processing occurred before the end of the implementation period.² No changes will accordingly need to be made in respect of such data.
Following the expiry of the implementation period on 31 December 2020, if no adequacy decision has yet been made in respect of the UK, such transfers of EU data will need to be based on derogations such as standard contractual clauses or binding corporate rules.
Appointment of EU/UK representatives
UK-based controllers or processors who do not have a branch, office or other establishment in any EU or EEA state, but remain subject to the EU GDPR because they either (i) offer goods or services to, or (ii) monitor the behaviour of, individuals in the EEA, must, following IP Completion Day, appoint a representative within the EEA, as they will no longer be an EEA-based controller or processor. This is the case whether or not a deal is in place.
The UK GDPR, like its EU counterpart, has extra-territorial effect. Consequently, it will require that any non-UK-based controller or processor must appoint a UK representative if it processes personal data relating to the offering of goods and services to, or the monitoring of the behaviour of, individuals located in the UK. This will only apply when the UK GDPR comes into effect following the end of the implementation period.
The role of the ICO and the one-stop-shop mechanism
Controllers or processors who carry out "cross-border processing" (that is, processing of personal data which substantially affects or is likely to substantially affect data subjects in more than one EU/EEA state) currently, in theory, only need to deal with a single EEA data protection authority (albeit others may seek to get involved in enforcement in some circumstances). This lead supervisory authority will be the relevant authority in the state in which the organisation has its "main establishment". The benefit of this so-called "one-stop-shop" mechanism is that, subject to a few exceptions, organisations will only be investigated by one supervisory authority and will only receive one fine across the EEA.
Following IP Completion Day (i.e. 31 December 2020), the ICO will no longer participate in the "one-stop-shop" mechanism, as the UK will no longer be in the EU. Organisations that continue to be involved in processing across the EU will need to consider which other EU/EEA supervisory authority will become their lead authority on IP Completion Day.
2 Article 71(1)(B) of the Withdrawal Agreement also allows for processing after the end of the transition period "on the basis of this [Withdrawal] Agreement". It is not quite clear as to the effect of this, so we would assume a derogation would need to be made.
From exit day and throughout the implementation period, the Commission has stated that the ICO will continue to participate in the one-stop-shop, and act as an EU lead supervisory authority, since the UK will still be treated as a member state for this period. In common with other UK regulators and government bodies, the ICO will not be able to participate in any Europe-wide decision-making during the implementation period, so it may attend meetings of, and refer issues to, the European Data Protection Board during implementation, but it will not have a vote.
The spectre of dual fines may also be on the horizon after IP Completion Day. Take, for instance, a supplier with one establishment in the UK (its headquarters) and one establishment in Spain (its distribution centre), both of which process personal data originating from across the EU. Before IP Completion Day, the UK will be treated as the "main establishment" and the UK ICO would be the lead authority in enforcing the GDPR across the EU. Following IP Completion Day, the supplier's only EU establishment will be in Spain, so the Spanish supervisory authority will be the lead authority for the purposes of the EU GDPR. In the event of a data breach affecting data processed by the supplier involving both UK and EU customers, the supplier will face investigations (and potentially fines) from both the ICO (under the UK GDPR) and the Spanish supervisory authority (under the EU GDPR).
What are the key issues arising from any changes or uncertainty, and what basic things should be done to address them?
Transfers from the EEA to the UK
In respect of transfers from the EEA to the UK, following expiry of the implementation period and if no adequacy decision has yet been made in respect of the UK, such transfers will need to be based on one of the following safeguards:
EU standard contractual clauses. These data transfer agreements offer the additional adequate safeguards with respect to data protection that are needed when transferring personal data to a third country. The UK Government has confirmed that it will continue to recognise the European Commission-approved standard contractual clauses in the event of a no deal Brexit.
Binding corporate rules. These are internal policies and procedures authorised by relevant data protection authorities which legitimise intra-group transfers. Existing authorisations of binding corporate rules made by the Information Commissioner will continue to be recognised in domestic law. EEA binding corporate rules will need to be updated to list the UK as a third country outside the EEA.
You may also rely on one of the other derogations set out in the GDPR (consent, for example); however, these derogations should only be relied on in limited cases where the transfer in question is occasional and non-repetitive.
Requirement to appoint an EU/UK representative
Organisations should consider whether they need to appoint an EU and/or UK representative.
If you (i) do not have branches, offices or other establishments in the EU or EEA but (ii) remain subject to the EU GDPR because you offer goods or services to individuals in the EEA or monitor the behaviour of individuals located in the EEA, you must appoint an EEA representative. For example, an organisation which has to date only had a single EU/EEA outpost in the UK, and has accordingly had no need for an EU representative, will need to appoint one before IP Completion Day.
The representative will need to be set up in an EU or EEA state where some of the individuals whose personal data is being processed are located.
The representative will need to be authorised in writing to act on behalf of the UK-based client regarding their GDPR compliance, and to deal with any supervisory authorities or data subjects on the client's behalf.
The representative may be an individual, or a company or organisation established in the EEA, and must be able to represent the client in respect of its obligations under the GDPR (e.g. a law firm, consultancy or private company).
Following IP Completion Day, if you are a non-UK controller but you process personal data relating to the offering of goods and services to, or the monitoring of the behaviour of, individuals located in the UK, you should appoint a UK representative. This appointment should be made in line with the requirements of the UK GDPR (which closely follow the EU GDPR). Third country organisations may need both a UK and an EU representative, if the extra-territoriality provisions of the GDPR and the UK GDPR apply to them.
The role of the ICO and the one-stop-shop mechanism
If your current lead supervisory authority is the ICO, and you will continue to engage in EU data processing, you should consider who your lead supervisory authority within the EU will be following IP Completion Day. This will depend on the location of your "main establishment" in the EU/EEA, typically where your central administration (a headquarters, for example) is located. However, if decisions about the purposes and means of EU personal data processing take place separately from the place of central administration, then it will likely be this establishment which will be deemed the "main establishment" for the purposes of identifying a lead supervisory authority. "Forum shopping" is not permitted.
How are other companies/the market dealing with these issues?
Companies are reviewing their data flows to understand whether any transfers are being carried out from the EEA to the UK, and are preparing EU standard contractual clauses to ensure that these data flows can continue after Brexit. Where companies already have agreements based on standard contractual clauses or binding corporate rules in place, they are considering whether any updates need to be made to take account of Brexit and ensure that intragroup cross-border transfers of personal data can carry on unimpeded after the UK's exit from the EU.
In addition to the above, companies are considering whether it is necessary for them to appoint a representative in the EEA and/or the UK, and are taking steps to prepare for making such an appointment.
What relevant materials do we have on our website?
Our Brexit page, Understanding Brexit, contains links to our monthly Data Protection bulletins, which include Brexit-related updates.
Contact us
Partner, T: +44 20 7809 2121