Regardless of a deal or no-deal scenario after the UK leaves the EU, Brexit is going to have a significant impact on data protection and the flow of data between the two blocs. Organisations should be preparing for these potential changes now.
Currently, organisations engaged in the cross-border processing of data can rely on the one-stop-shop mechanism under the GDPR. This mechanism permits those organisations to identify one regulator within the Union as their lead regulator. The lead regulator is the supervisory authority of the Member State in which the organisation has its main establishment or place of central administration. This is very useful for many data controllers and processors, allowing them to streamline their regulatory interactions with one single supervisory authority in the Union. This tool will soon become unavailable to organisations in the UK that seek to identify the ICO as their lead supervisory authority.
The unavailability of the one-stop shop in the UK will cause many organisations that previously used the ICO as their lead supervisory authority to seek a new lead authority in a different jurisdiction. Alternatively, in the absence of a lead supervisory authority, an organisation with a number of establishments across Europe will have to interact with all of the data protection regulators in the states in which it operates, resulting in a potentially costly and confusing regulatory engagement.
The effect of all this is that organisations may be required to increase their presence and decision-making in another Member State so as to demonstrate that their main establishment and/or central administration is now present in that Member State. Organisations will not only need to consider that they have a sufficient presence in the jurisdiction where they are seeking to re-establish a lead supervisory authority, but should also be conscious of the suitability of that particular regulatory regime to the organisation’s needs. Organisations should be considering which Member State might be the best regulatory environment for them, having particular regard to the activities of the regulator and the sufficiency of an organisation’s own presence in the jurisdiction.
A further consideration for large multinationals arises in respect of where they utilise binding corporate rules (BCRs), which allow for the maintenance of the free flow of data across group companies. BCRs must go through a lengthy approval process and are subject to the supervision of a lead supervisory authority. In many instances, the ICO acted as the lead supervisory authority for BCRs. It is an area of uncertainty as to how these BCRs might move across to alternative supervisory authorities following the UK’s departure and whether this might be a straightforward or cumbersome process for organisations.
Adequacy decisions are issued by the European Commission in respect of countries outside the Union where those countries offer an adequate level of data protection. This permits the transfer of personal data to those approved jurisdictions without having to meet additional data transfer requirements. All the indications are that once the UK leaves the Union, irrespective of whether a withdrawal agreement is reached, it will become a third country and will not receive an automatic adequacy decision, despite the fact that it has incorporated the GDPR into its own recent Data Protection Act. Further, the European Commission has indicated that it can only consider an adequacy decision once the UK has become a third country. It is worth noting that such decisions have often been preceded by lengthy discussions and analysis, so it is unclear whether an adequacy decision would be issued quickly, despite the UK’s obvious close alignment with European data protection law.
In the absence of an adequacy decision, organisations that wish to transfer data into the UK will need to take measures to legitimise those transfers. Organisations will have to review existing data flows and data sharing agreements to determine whether they will require changes in advance of Brexit. The most obvious method of legitimisation is the deployment of standard contractual clauses.
The UK is going to become a third country post-Brexit irrespective of any ongoing negotiations. The maintenance of the free flow of data and other regulatory concerns need to be considered now so as to ensure that the Brexit transition is as seamless as possible, from a data protection perspective at least.