Brexit: The data protection implications for your business
December’s General Election, followed by the Christmas holidays (involving a different, but to many equally unpalatable, type of Brussels) brought a welcome distraction from the interminable Brexit debate. However, with the date of exit from the EU scheduled for 31 January 2020 (Exit Day), UK businesses should take time to consider the implications that leaving the EU will have on their day-to-day operations that concern the flow of data.
On 25 May 2018 in the UK, the General Data Protection Regulation (GDPR) was incorporated into domestic law and the Data Protection Act 2018 (DPA 2018) came into force (replacing the Data Protection Act 1998 and supplementing the GDPR). The stakes have never been higher: the EU’s supervisory authorities can levy fines of up to €10 million or two percent of a company’s global revenues for a first offence, and double that for a second offence. As of September 2019, the supervisory authorities of the EU have announced that they intend to issue, or have issued, fines totalling approximately €372 million.
Data has never been more essential to trade and wealth creation around the world. In 2016 alone, the EU exported to the UK €36 billion of data-dependent services across a number of sectors.
Whilst there remains considerable uncertainty regarding the future relationship between the UK and the EU in relation to data protection, this article seeks to provide an overview of the effects of Brexit for data protection law in the UK should Big Ben bong at the end of this month.
What stage have we reached?
The Draft Withdrawal Agreement (DWA) was published by the UK and European Commission on 14 November 2018. The DWA was endorsed by the EU27 leaders on 25 November 2018 and the House of Commons on 9 January 2020. However, it comes as no surprise to anyone that all outcomes of the Brexit negotiations are still theoretically possible, thus resulting in a huge number of permutations with respect to data protection. Nevertheless, for the sake of the sanity of the author and readers alike, this article assumes that the most likely scenario will play out, namely that:
- A withdrawal agreement based on the DWA (WA) is approved by both the EU27 and the UK;
- The UK will leave the EU on Exit Day; and
- The UK will not join the European Economic Area (EEA) on Exit Day.
What happens on Exit Day?
From Exit Day, the following will happen:
- The GDPR will become domestic legislation in the UK by virtue of the European Union (Withdrawal) Act 2018.
- A “transition or implementation period” envisaged by the DWA (Transition Period) shall commence. The purpose of the Transition Period is to allow time for the UK and EU to negotiate their future relationship, including a trade deal. Unless extended, the Transition Period shall end on 31 December 2020.
- During such Transition Period, EU law shall continue to apply to the UK (with limited exceptions).
- The EU and the UK will each maintain autonomy over their respective data protection rules following Exit Day, but “arrangements for appropriate cooperation” between regulators will be made (because the UK and the EU27 have demonstrated harmonious collaboration thus far…).
- The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (DP Regulations) will come into force. Amongst other things, the DP Regulations shall: i) dim the lights and put on some Barry White to allow the GDPR and the DPA 2018 to spawn a hybrid lovechild (UK GDPR); and ii) ensure that the Secretary of State has the power to designate other countries as being adequate in terms of data protection and recognise existing adequacy decisions (see ‘What is an Adequacy Decision?’ section below). This will mean that data transfers from UK companies to those adequate countries can continue uninterrupted during the Transition Period.
In summary, the good news is that on Exit Day there will be no immediate change in the UK’s data protection standards.
What happens on the expiry of the Transition Period?
Following expiry of the Transition Period, two separate legal regimes will exist in the UK and the EU. Businesses based in the:
- EU without an establishment in the UK will be subject to the UK GDPR if their personal data processing operations involve the “offering of goods or services” or “monitoring of the behaviour of” individuals in the UK; and
- UK without an establishment in the EU will be subject to the GDPR where their personal data processing operations involve the “offering of goods or services” or “monitoring of the behaviour of” individuals in the EU.
Whilst the UK’s Information Commissioner’s Office (ICO) will cease to be a “supervisory authority” for the purposes of the GDPR, there is the real potential for overlapping jurisdiction (e.g. where a business in the UK is processing personal data for a controller based in the EU). Indeed, in terms of enforcement, the UK government has confirmed that businesses may “face investigation by the EU and UK regulator as well as two sets of large fines – up to EUR 20 million or 4% of global turnover – for the same breach.”
Considerable uncertainty remains as to how this will develop, and we will have to take a watching brief on this issue.
Ultimately, it will be for individual countries to determine how they evaluate the UK data protection regime post-Brexit and what impact that may have for data flows to the UK.
What is an Adequacy Decision?
The GDPR provides that the European Commission (EC) can officially recognise another country’s laws as adequate with respect to data protection (Adequacy Decision), in which case they are placed on an adequacy list (White List).
Without an Adequacy Decision, a country is regarded as deficient in its data protection regime (Third Country). This status has a number of significant practical consequences, in particular for international data transfers, competent supervisory authorities and enforcement of the GDPR.
Should everything remain the same, after the Transition Period has expired the UK will automatically become a Third Country and the ICO’s membership of the European Data Protection Board (EDPB) will end. This will have important consequences for incoming data flows from the EU as the transfer of personal data to a recipient located in the UK (even to a member of the same corporate group) may only take place if specified conditions are met.
On a more positive note, the EC will start the adequacy assessment process for the UK as soon as possible after Exit Day and will endeavour to adopt decisions regarding the UK’s adequacy by the end of 2020 “if the applicable conditions are met.” Of huge concern, however, is the UK’s use of Orwellian mass surveillance techniques, which may ultimately jeopardise an Adequacy Decision. Big Brother is watching you.
Does an Adequacy Decision solve the issue?
Yes and no.
If the EC were to adopt an Adequacy Decision in respect of the UK, this would plainly simplify the issue of international transfers after Exit Day. The UK would be placed on the White List, and personal data could be transferred to a recipient in a White List country on the same terms as if the recipient were located in the EU.
However, Adequacy Decisions are subject to review and can be revoked by the EC or challenged before the European Court of Justice (ECJ). Thus, Adequacy Decisions do not provide the same degree of legal certainty in relation to the transfer of personal data as would ongoing membership of the EU.
What if the UK leaves without an Adequacy Decision?
If the UK is regarded as inadequate (we’ve all been there), the transfer of personal data can only occur if:
- Appropriate safeguards such as the EU’s standard contractual clauses (SCCs) that allow for the transfer of personal data to processors in Third Countries are in place (but note that significant uncertainty surrounds the use of SCCs, which are currently being challenged before the ECJ);
- Binding corporate rules (BCRs) are provided. BCRs are policies adhered to by a controller or processor established in an EU member state for the transfer of personal data within a group of undertakings engaged in a joint economic activity in one or more Third Countries; or
- The transfer falls within one of the derogations set out in the GDPR for specific situations (these exceptions are outside the scope of this article, but it’s safe to say that they will be very narrowly construed and therefore extremely difficult to rely upon).
Thus, the UK failing to receive an Adequacy Decision by the end of the Transition Period would have immediate implications for both UK and EU businesses.
For businesses operating in an EU member state, the UK’s status as a Third Country would mean that under the GDPR appropriate safeguards would almost certainly need to be implemented for any inbound transfers of personal data from the EU to the UK (most likely involving entering into SCCs).
For businesses operating in the UK, outbound international transfers of personal data will be subject to the UK GDPR. As stated above, the DP Regulations transitionally recognise all EEA countries (including EU Member States) as adequate, thereby permitting data transfers to these countries to continue.
Under the GDPR, a representative is a natural or legal person established in the EU who, designated by the controller or processor, represents such controller or processor in respect of their data protection obligations (Representative).
Organisations based in the UK that are subject to the EU regime may be required to appoint a Representative in the EU. Similarly, the DP Regulations retain this requirement for the purposes of the UK GDPR, so as to require controllers based outside the UK to appoint a representative in the UK if the corresponding conditions under the UK GDPR are met.
Unfortunately, appointing a Representative can cost a business thousands of pounds annually.
What should businesses do now?
Because businesses will have had significant advance warning of Brexit, along with guidance from the EC, there is no indication that the EU will allow any grace period to put arrangements in place following expiry of the Transition Period.
Turning one’s attention back to Brexit may not be a bad thing; the mind-numbing Megxit chatter is making the author long for the halcyon days of the backstop and prorogation. So, as we prepare to say ‘see EU later’ to our oft dysfunctional European family, businesses should:
- Conduct and log data mapping exercises: identification of existing relationships (e.g. suppliers and group companies) which involve the international transfer of personal data.
- Review any relevant international transfer provisions and/or mechanisms and assess whether any amendments may be needed.
- Review their privacy notices and documents, identify any references to EU law or terminology and consider whether any changes are necessary to reflect UK terminology.
- Review data protection impact assessments and notices referencing transfers between the UK and EEA.
- Assess their reliance on transfers to Privacy Shield signatories in the US.
- Identify their lead supervisory authority and consider whether their existing policies and procedures cover co-operation with, and notifications being made to, more than one supervisory authority where they have operations that concern both the UK and the EU.
- Consider whether they will be required to appoint a Representative in the UK and/or the EU.