Regardless of a deal or no deal scenario, Brexit will have a significant impact on data protection. The sharing of personal data between EU member states and the UK will likely become more complicated and there will be other practical repercussions. In the run up to the end of the Brexit transition period, organisations need to understand the impact of Brexit on data protection and implement an action plan to address its potential effects.
The UK implemented the General Data Protection Regulation (GDPR) into its national legislation through the Data Protection Act 2018. The UK left the EU on 31 January 2020. Under the Brexit Withdrawal Agreement, the UK is currently in a transitionary period while it negotiates an agreement on its future relationship with the EU. This transition period will end on 31 December 2020, unless both parties agree to extend it. During the transition period, EU rules, including data protection, continue to apply in the UK. This means that UK residents are subject to the GDPR and there is a free flow of personal data between the UK and the EU (and Norway, Liechtenstein and Iceland), known as the European Economic Area (EEA).
The UK’s future relationship with the EU is not clear. If the transition period ends and the EU and the UK have not struck a deal, EU-based organisations will need to have implemented some changes if they want the flow of personal data with the UK (including Northern Ireland) to continue.
DP action plan for Brexit
We recommend that organisations be prepared for the data protection fallout from Brexit, including the worst-case scenario of a ‘no deal’ Brexit, by:
- Evaluating their existing internal and external data flows and data sharing arrangements between the EEA and the UK.
- Ensuring transfers to the UK implement appropriate rules and safeguards to the extent there is no adequacy decision for the UK.
- If they are based in the UK, considering if they will need to nominate an EEA based representative or identify a new lead regulator from a jurisdiction other than the UK.
- Reading the European Commission’s Brexit Readiness Notice on Data Protection.
International data transfers
Although the flow of personal data between EEA countries is unrestricted, the GDPR imposes restrictions on international data transfers to countries outside the EU, known as ‘third countries’.
The European Commission can issue an adequacy decision in respect of a third country that possesses an equivalent level of personal data protection to that of the EU. An adequacy decision allows the transfer of personal data to that approved jurisdiction without additional data transfer requirements.
Even though the UK has incorporated the GDPR into its own Data Protection Act, it is not entitled to an automatic post-Brexit adequacy decision. The European Commission is currently undertaking its assessment on the adequacy of the UK’s laws. Despite the UK’s current close alignment with European data protection law, it is unclear if the European Commission will issue a decision quickly; such decisions have often been preceded by lengthy discussions and analysis. In light of the CJEU’s Schrems II decision (see below), the European Commission is expected to consider some contentious aspects of UK law, such as the access powers of security and intelligence services to personal data.
No adequacy decision forthcoming
In the absence of an adequacy decision, organisations that wish to transfer data from the EEA to the UK will need to take measures to legitimise transfers. They will have to consider existing data flows and data sharing agreements to determine if they need to make changes before the end of the transition period.
The typical method for legitimisation has been through the deployment of standard contractual clauses (SCCs) that set out the contractual obligations between transferring parties in order to protect the rights of individuals whose data is being transferred.
However, international data transfers are a fraught area at present. If an organisation relies on SCCs or another transfer mechanism to export data to a third country that has no adequacy decision in place, it will need to assess the implications of the CJEU’s recent judgement in the Schrems II case. In broad terms, the CJEU’s decision puts an onus on data exporters to be satisfied that, if using SCCs, the destination jurisdiction offers a level of data protection equivalent to the level offered in the EU. In practice, this may mean assessing and putting in place additional measures to ensure that there are adequate safeguards to protect the personal data being transferred to the third country.
Binding corporate rules (BCRs)
On foot of Brexit, multinational organisations may consider relying on binding corporate rules (BCRs) to allow the transfer of personal data across group companies.
BCRs must go through a lengthy approval process and are subject to the supervision of a lead supervisory authority. In many cases, the UK’s ICO acted as the lead supervisory authority for BCRs. It is not clear how these BCRs may move to alternative supervisory authorities following the end of the transition period. Moreover, in light of the Schrems II case, BCRs will likely require a case-by-case assessment of the adequacy of the protections in the third countries, similar to what the CJEU said is required when using the SCCs.
GDPR extraterritorial effect
The GDPR has extraterritorial effect, meaning that, in certain cases, the GDPR will apply to UK organisations with no offices or operations in the EEA. In particular, UK organisations with no EEA offices or operations but that offer goods and services to EEA residents, or otherwise monitor their behaviour, will have to comply with the GDPR and may have to nominate a representative in the EEA. Accordingly, certain organisations that are subject to the GDPR’s extraterritorial reach, or that otherwise operate in both the EEA and the UK, could be subject to dual regulatory exposure and parallel regulatory action by UK and EU regulators.
One stop shop (OSS)
Organisations that engage in the cross-border processing of personal data may be able to rely on the one stop shop mechanism under the GDPR that allows them to identify one regulator within the EU as their lead regulator.
In the absence of a post-Brexit deal, organisations that previously used the UK’s ICO as their lead supervisory authority may need to seek a new lead authority in an EU member state. In such cases, UK organisations whose ‘main establishment’ is currently located in the UK would need to consider increasing their presence and decision-making in an EU member state to demonstrate that their main establishment is present in that member state. Organisations should also be conscious of the suitability of that particular regulatory regime to the organisation’s needs. They should reflect on which EU member state may be the best regulatory environment for them, having particular regard to the activities of the regulator and the sufficiency of the organisation’s own presence in the jurisdiction.
Where to from here?
Brexit presents a new and uncertain legal and regulatory landscape in terms of data protection. Since its withdrawal from the EU, the UK is a third country irrespective of any on-going negotiations for a post-Brexit deal. While there is likely to be a push from the UK business community to obtain a prompt adequacy decision from the European Commission, there is no guarantee that this will happen quickly or at all.
In any event, organisations that share personal data between the EEA and the UK should be prepared for the data protection fallout from Brexit and the possibility of no UK adequacy decision. They need to evaluate their existing data sharing arrangements between the EEA and the UK and implement an action plan to help maintain the flow of data. This may mean adopting new rules and safeguards and increasing their presence and decision-making in another EU member state.
With just over three months to go, following the steps in a practical Brexit action plan is one of the best ways to ensure that the end of the transition period is as seamless as possible from a data protection perspective.
You can read the European Commission’s Readiness Notice on Data Protection here.