It has been more than two years since Theresa May formally announced the UK’s scheduled withdrawal from the EU. As the event looms ever closer, there is no certainty as to whether or not the UK’s departure from the EU will be accompanied by a successfully-agreed withdrawal agreement – or even, when it will happen.
We take a look at some of the most pressing data protection issues facing EU and UK businesses, whether an orderly or disorderly Brexit takes place.
The UK and GDPR
The vote for Brexit came hot on the heels of the GDPR, having been announced just under a month after the new EU regulatory landscape on privacy took shape. Since then, the GDPR has come into force and the UK has implemented national legislation by way of the Data Protection Act 2018. UK residents are currently subject to the same level of data protection as the rest the EU and there is a free flow of personal data between the UK and other countries in the European Economic Area (EEA).
This is set to remain the state of play until such a time as the UK exits the EU, whether in an orderly or disorderly fashion. If a withdrawal agreement is reached, the UK will enter into a transitionary leaving period, which is expected to last until at least December 2020 and during which EU rules, including data protection, will apply.
International data transfers
Although the flow of personal data between EEA member states is unrestricted, the GDPR imposes restrictions on international data transfers to so-called ‘third countries', or non-EEA countries.
In general, personal data cannot be transferred to a third country unless certain safeguards or exemptions are relied upon to make that data transfer lawful. For example, the transfer might be based upon the safeguard of the European Commission’s standard contractual clauses (SCCs) or be subject to an exemption where that transfer is necessary to perform a contract.
In certain cases, the recipient third country might possess an equivalent level of personal data protection to that of the EU and be formally deemed ‘adequate’ by the European Commission. These decisions allow for the free flow of data between the EU and select third countries, such as Japan.
For the UK, it is by no means certain that, having already been subject to GDPR, the UK will be automatically granted adequacy status post-Brexit. Instead, the UK will likely have to undergo the same assessment of its laws by the Commission as with any other third country. In doing so, the Commission is expected to consider some contentious aspects of UK law, such as the controversial access powers of security and intelligence services to personal data granted by the Investigatory Powers Act 2016.
Should the UK leave the EU in a no-deal scenario, the Commission’s ‘adequacy’ assessment of the UK will likely take longer than if a deal had been reached. Equally, however, if a withdrawal agreement is concluded, the Commission will likely use the time during the transition period to conduct such an assessment. In any event, businesses and organisations who are engaged in data transfers between the UK and EEA should – in anticipation of the changes – be prepared for either scenario.
Scenario 1: UK to EU/EEA data transfers
For UK organisations, the UK government has stipulated that it does not intend impose post-Brexit restrictions on data transfers from the UK to the EEA. Given this, UK organisations can expect to continue being able to freely transfer personal data to organisations in the EEA whether or not a deal is reached.
UK organisations will also be able to continue to rely on Privacy Shield to send personal data to registered US entities, but only where these entities have updated their privacy documentation to expressly extend protection to UK-sourced data transfers.
Scenario 2: EU/EEA to UK data transfers
In circumstances where a deal is reached, the GDPR and other EU laws should continue to apply in the UK during the transition period. In that scenario, therefore, the existing free flow of personal data between the UK and EU will continue to apply until the end of the transition period.
Unlike the UK, however, the EU has not expressed an intention to lift restrictions on data transfers to the UK in the wake of a no-deal Brexit. On that basis, EEA organisations, which transfer data to the UK, will need to prepare for the consequences of a no-deal Brexit.
As is the case when transferring personal data to any ‘third country’, for UK transfers in a no-deal scenario, a transfer safeguard – such as the SCCs – or a specified exemption – such as contractual necessity – must be relied upon.
The conventional option is the SCCs, which set down the contractual obligations between transferring parties in order to protect the rights of individuals whose data is being transferred. The SCCs must be completed and executed between the ‘data exporter’ (located in the EEA) and the data importer (here, located in the UK). The SCCs can be executed in a standalone manner or integrated into other contracts.
EEA organisations should have already considered putting contingency SCCs in place with UK organisations to address data transfers in the event of no-deal. To the extent that this isn’t feasible or practical at this stage, EEA organisations should aim to prepare ready-to-go SCCs for circulation to key UK recipients of data in a no-deal scenario.
Doubling up: dual regulatory exposure
The GDPR has extraterritorial effect, meaning that, in certain cases, the GDPR will apply to UK organisations with no offices or operations in the EEA. Given this, certain organisations, which are subject to the GDPR’s extraterritorial reach or otherwise have operations in both the EEA and UK, could be subject to dual regulatory exposure.
In particular, UK organisations with no EEA offices or operations may have to nominate a representative in the EEA if the organisation offers goods and services to EEA residents, or otherwise monitors their behaviour. Those organisations will be obliged to comply with GDPR. Similarly, certain UK organisations will need to consider identifying a new lead supervisory authority in the EU if the organisation’s ‘main establishment’ is currently located in the UK. Most importantly, organisations should be prepared for the potential for parallel fines or regulatory action by UK and EU regulators.
In essence, organisations in both the UK and EEA should consider the possibility of an orderly or disorderly Brexit, and be prepared for the data protection fallout from either scenario. While, for now, the free flow of personal data between the UK and EEA remains unrestricted, the outcome of a withdrawal agreement, or lack thereof, may soon indicate the new legal and regulatory landscape for EEA companies’ data transferring capabilities to UK companies, and vice versa.
In whichever case, these organisations should pay careful attention to the outcome, and be in a position to adopt the relevant and necessary safeguards when the UK and EU finally decide among themselves: deal or no-deal.
For more information on the likely impact of a no-deal Brexit, contact a member of our Privacy & Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.