What do I need to know?
- The UK is holding a referendum on 23 June 2016 to decide whether or not to remain in the European Union.
- If there is a UK vote to leave the EU, a British exit or ‘Brexit’, there will then be an intense period of negotiation between the UK and EU to agree the terms of withdrawal and for their future relationship. The terms agreed will affect the extent to which the UK continues to comply with and/or keep up with EU laws and requirements.
- Following Brexit, the UK would probably give notice to leave the EU and would then leave on the sooner of withdrawal terms being agreed and the expiry of two years from giving notice, expected to be late summer 2018 at the earliest but quite likely later.
- GDPR will come into force on 25 May 2018 before the UK will have been able to leave the EU.
- GDPR is an EU regulation applicable in the UK without the need for domestic UK legislation but will therefore automatically fall away in the event that the UK leaves the EU – unless and to the extent the UK adopts domestic legislation to retain it in whole or part, which it is likely to do for practical reasons.
What do I need to do?
- Start to consider which parts of your operations are established in the UK and may be affected by proposed changes.
- Identify personal data flows from the EU to the UK as new adequate safeguard measures will be required for them if the UK leaves the EU and so falls outside the European Economic Area.
- Identify UK establishments which monitor the behaviour of, or offer goods and services to, citizens in the EU as these may be subject to GDPR despite Brexit due to the new territorial scope of GDPR which extends beyond the EU.
- Monitor the UK data protection authority’s statements on Brexit, GDPR and how to remain compliant – current ICO guidance is to continue to prepare for GDPR.
- If your main EU establishment is currently in the UK, consider where your No. 2 establishment in the EU is based, as that is likely to become your GDPR base and where your lead data protection supervisory authority will be located.
- Keep this area and UK developments under regular review and keep your plans up to date accordingly.
What is the current position?
A referendum on whether the UK should leave or remain within the EU will take place on 23 June 2016. UK and EU law are so closely entwined that Brexit would have a significant impact on almost all areas of the law but data protection law is particularly grounded in EU law.
In the event of a UK vote to leave the EU, it is not absolutely clear what will happen and when. The most likely reaction will be that the UK will give notice to leave the EU, using the procedure set out in article 50 of the Treaty on European Union. This then triggers the need to agree withdrawal terms with the EU and hopefully future relationship terms as well. The UK would leave the EU on the sooner of agreeing terms and the expiry of two years from giving notice to leave. Agreeing terms will probably take more than two years, so at the earliest, the UK would probably leave the EU in late summer 2018, but if giving notice to leave is delayed, departure may be in 2019 or 2020.
What will stay the same?
There are different types of EU law. Indirect EU laws, such as the Directive, need to be implemented by domestic UK legislation – the DPA – to become applicable and enforceable in the UK. Those domestic UK laws will be unaffected by Brexit and so the DPA will continue unless and to the extent the UK Parliament repeals or amends the DPA, whether to deal with GDPR and/or Brexit.
Other EU laws, such as EU regulations, are direct and so apply directly in the UK without the need for UK domestic legislation. This applies to the GDPR. GDPR comes into force in the UK on 25 May 2018 before the UK will have been able to leave the EU. UK businesses will therefore need to prepare for and start to comply with GDPR notwithstanding Brexit.
Other EU member states must also comply with GDPR from 25 May 2018 whether or not the UK leaves the EU. As now under the Directive, under the GDPR, transfers of personal data to outside the EEA can only be made lawfully in certain limited circumstances due to the need to ensure adequate safeguard for the relevant personal data.
What is changing?
GDPR, as a direct EU law in the UK, is not implemented by domestic UK legislation. Therefore, GDPR, like all EU regulations, would overnight cease to apply in the UK in the event of the UK leaving the EU. Businesses processing personal data in the context of establishments in the UK would also no longer automatically be within the jurisdiction of GDPR if the UK were no longer an EU member state. Against that, and even though the UK would be outside the EU, UK businesses may still be subject to GDPR ‘as is’ where, from 25 May 2018, they monitor the behaviour of, or offer goods and services to, citizens in the EU from the UK. Exactly how those new provisions extending the EU’s jurisdiction into non-EU territories will work in practice and be enforced remains to be seen. [See our GDPR briefing on territorial scope and application].
It is unclear to what extent the DPA would remain applicable in the UK at that point, as its impact will need to be adjusted to deal with the commencement of GDPR in any event. Although GDPR will repeal and replace the Directive, it will not repeal the DPA which is the UK domestic law used to implement the Directive in the UK. It is unlikely that the DPA will be completely swept away to make way for GDPR as its provisions also underpin the role of the UK’s data protection authority, the ICO, as well as UK public access to information legal regimes, which the ICO is also responsible for enforcing.
Practically, due to public expectations, media pressure and the need to ensure the UK continues to be seen as a safe zone for personal data for trading and investment purposes, the UK government is highly unlikely to sweep away UK data protection laws and it will be under pressure to increase standards from DPA levels towards GDPR expectations.
It is anticipated that the UK would enact domestic legislation to adopt relevant direct EU laws, like GDPR, into domestic UK law, counteracting the automatic falling away of GDPR which would otherwise result from UK departure from the EU. So, at least in the short to medium term, GDPR terms would probably continue to apply in the UK following Brexit. This may be subject to some adjustments decided to be essential due to the UK leaving the EU. For instance, GDPR provisions in relation to the EDPB, cooperation and enforcement between member states and the consistency mechanism would need careful consideration and would probably need amendment to continue to make sense and work effectively if the UK were outside the EU and the ICO ceased to be a “supervisory authority” recognised by GDPR and lost its membership of the EDPB. This approach would buy more time to review other GDPR details and, where thought necessary, to adjust GDPR provisions to reach an acceptable UK version of GDPR for the long term.
Any proposed tailoring of GDPR provisions for the UK would have to take account of the extra-territorial reach of GDPR to ensure UK businesses had a clear idea of the requirements with which they would need to comply and to minimise confusion.
Although the UK could decide to reject continuation of GDPR and instead try to remain with lower DPA levels of compliance, for the above reasons, that approach is less likely. This is especially the case because of data transfer rules. For so long as the UK remains a member of the EU, it remains within the EEA. In the event that the UK leaves the EU, the UK ceases to be within the EEA. At that point, the UK – regardless of its domestic legislation and whether or not it has adopted GDPR – is no longer part of the EU safe zone for personal data and personal data transfers to it no longer carry automatic adequate safeguard. Additional measures will need to be adopted to ensure adequate safeguard for all personal data flows to the UK once outside the EU and so the EEA. [See our GDPR briefing on international data transfers].
It is highly likely that the UK would seek to become an EU Commission approved white-listed country, deemed to provide adequate safeguard for personal data, without the need for additional measures being adopted by UK data importers. This would take time, but the process would be quicker and easier if the UK kept pace with EU data protection standards and maintained GDPR-like compliance levels.
Many international businesses have UK operations and also operations in EU countries where they would continue to need to comply with GDPR regardless of the UK position. They are therefore likely to adopt and apply full GDPR compliance standards across all their operations, including in the UK. This would be done for expediency, even if not legally required to that extent in the UK, voluntarily raising UK standards to the higher EU standards.
Difficulties may arise in the event that the UK decides to diverge from GDPR and create its own solution for updating its data protection laws from DPA levels, still meeting GDPR-like standards but with different requirements and approaches to achieve them. In that case, international businesses would not be able simply to replicate the same GDPR solution adopted across the EU to meet UK requirements and would need to tailor compliance in the UK to meet domestic requirements.
In any event, businesses cannot simply adopt the same GDPR solution across all European countries and, on that basis alone, expect to be data privacy compliant in each country. The member state variations and derogations permitted by GDPR, together with the need to continue to comply with other related laws, such as on privacy in electronic communications, telecommunications and monitoring and, in respect of staff-related personal data, on works councils, mean that despite GDPR harmonisation, local, tailored advice and approaches will remain important.
In addition, the EU Charter of Fundamental Rights would remain relevant in the UK despite any Brexit, whatever residual level of data protection legislation remained. Although the UK negotiated a carve-out to the impact of the Charter in the UK under protocol 30, which made the fundamental rights non-enforceable in the UK, this has been completely ignored by the ICO and UK courts and tribunals. UK court and tribunal judgments and CJEU judgments, binding on the UK whilst an EU member, have taken account of such fundamental rights. As a result, those decisions have formed the basis of case law in the UK and have been taken into the body of UK domestic law, even though not codified or otherwise legislated. That will remain the case post Brexit.
Indeed, all ECJ and CJEU decisions on data protection and privacy laws in the EU prior to any Brexit will remain binding in the UK, even post Brexit (unless and to the extent the UK Parliament legislated to prevent that effect, which would be unlikely). Even decisions of the ECJ or CJEU following any Brexit may continue to impact the UK, having a persuasive value which may be taken into account by the ICO or UK courts and tribunals.
This, together with the fact that corporates and individuals will in many cases have acquired certain clear and unconditional EU rights pre Brexit, which will continue to be available to them post any Brexit, means that rights to protect privacy, personal data and to access information will continue to be very important in the UK even following any departure from the EU.
How will your business be affected?
GDPR will apply to your UK business in May 2018 notwithstanding any Brexit and will probably continue to apply (wholly or mainly) even following any UK departure from the EU. The ICO recommends businesses continue to prepare for GDPR noting that data protection laws will remain relevant. We agree.
It should be noted that some GDPR provisions are dependent on the “main establishment” of a business in the EU and, in the event of a UK Brexit, a UK-based European HQ will no longer count as the main establishment for GDPR purposes. This will affect your lead data protection supervisory authority under GDPR. It may also have an impact for those already dealing with BCR applications or about to submit BCR applications through the UK’s ICO.
In the event of Brexit, an interesting possibility is that, whilst maintaining appropriately high data protection standards to satisfy European and other demands, the ICO may have an improved ability to adopt a more flexible and risk-based approach to policing and enforcing compliance in the UK than may be adopted across the EU. This may make the UK an attractive base for businesses that would be able to meet the right data protection standards but potentially in a more business-friendly way and with reduced risk of exposure to enforcement sanctions in practice. [See our GDPR briefing on enforcement, sanctions and liability].
That said, even if the UK remains in the EU, since the ICO was a driving force in applying risk-based compliance as a key theme in GDPR negotiations, its enforcement is likely to follow that approach as much as possible, subject to any necessary adjustments for the consistency mechanism.
A real potential challenge will be the detail in GDPR and how that is unpicked following any exit from the EU to ensure compliance still makes sense and is workable. For instance, lawful processing of personal data may become more challenging for international businesses since, under GDPR, lawful grounds for processing necessary to comply with a legal obligation, or to perform a task in the public interest or in the exercise of official authority, must be as specified in EU or member state law. Compliance with UK public function obligations or UK legislative requirements post Brexit may not satisfy this test. This will also be an issue in many other scenarios under GDPR, such as avoiding the prohibition on processing sensitive personal data without explicit data subject consent, where necessary to comply with rights and obligations under employment law authorised by EU or member state law. So, without change or agreement, compliance with UK employment law as a non-EU member would be unlikely to meet this criterion.
The same challenge faces non-EU countries which will be obliged to comply with GDPR to meet their single market commitments, such as Norway. There will need to be a solution for countries like Norway in any event, and the UK may be able to agree a similar approach, though how easy and timely that may be will depend on the UK’s approach to exit and subsequent negotiations.
If the UK leaves the EU and ceases to fall within the EEA, personal data transfers to the UK – even intra-group – will come under the spotlight. You need to identify which systems and servers are located in the UK; which entities and operations transfer personal data to the UK and where UK operations access personal data held elsewhere in the EEA. New adequate safeguard measures may need to be put in place for all these scenarios, such as European Model Clauses, if the UK leaves the EU. Do not forget to consider similar data transfers from other global regions to the UK which are compliant based on the UK being within the EU or EEA, as additional steps may also need to be taken in those cases following any Brexit.
Keep developments under close review. In particular, seek to identify your UK establishments which monitor the behaviour of, or offer goods and services to, citizens in the EU. These will be subject to GDPR despite any Brexit due to the new territorial scope of GDPR, which extends beyond the EU, so assessing and planning their compliance should be prioritised.
Further information about Brexit can be obtained from our Brexit hub.