11pm on 29 March 2019 is defined as “exit day” under the European Union Withdrawal Act 2019 (“EUWA”). The main focus is on cross-border personal data transfers, both transfers from the EU27 to the UK and transfers from the UK to the EU27 and to other jurisdictions.
The situation may change if a withdrawal agreement is implemented before exit day and/or if further legislation is passed by the UK or EU.
Whilst the UK is a member state of the EU, its data protection regime is principally derived from the EU General Data Protection Regulation (“GDPR”), supplemented by the UK’s Data Protection Act 2018. When the UK leaves the EU it will become a “third country” under the GDPR. This means that EU data controllers and processors wanting to transfer personal data to the UK would be subject to the GDPR requirements for transferring data to third countries.
The Government’s stated current position for a negotiated solution is to use the “adequacy decision” framework as a starting point for transfers from the EU to the UK. In addition it says it will seek a “clear, transparent framework to facilitate dialogue, minimise the risk of disruption to data flows and support a stable relationship between the UK and the EU to protect the personal data of UK and EU citizens across Europe”. Further the Government is seeking “close cooperation and joined up enforcement action between the UK's Information Commissioner's Office (ICO) and EU Data Protection Authorities”. This arrangement is unlikely to be available on exit day in a “no deal” scenario, as the EU Commission’s assessment of whether the UK’s data protection regime is “adequate” under GDPR would only commence when the UK has left the EU, and this might take months or years.
Will there be significant changes to data protection law in the UK on exit day if there is no withdrawal agreement in place on exit day?
No. The UK Government guidance confirms that “Before and after leaving the EU, we are committed to the highest standards of data protection and all organisations should continue to comply with their broader obligations under data protection law, including the GDPR (as incorporated into UK law). The Information Commissioner’s Office would produce additional guidance outlining the steps organisations would need to take to continue to meet their obligations”.
What impact will a “no deal” Brexit have on data protection for UK data controllers?
The main area where Brexit has a potential impact is on the mechanisms for transferring data across borders. Whilst the UK remains a member of the EU, transfers of data between the UK and other member states do not have to meet the provisions of the GDPR that apply to transfers of personal data to “third countries”.
In a no deal scenario, the UK will become a third country on exit day and a data controller or processor in the EU wanting to transfer personal data to the UK will be subject to the GDPR provisions controlling the transfer of personal data to third countries.
A further consequence of a “no deal” Brexit is that the UK would potentially no longer benefit from “adequacy decisions” which the EU Commission has made in respect of certain third countries. The Commission has made full findings of adequacy in respect of Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The Commission has also made partial findings of adequacy about Canada and the USA.
We outline the practical consequences below. This note focuses on the aspects of data protection law that apply to transfers of data into and out of the UK. Data controllers and processors will still need to comply with other aspects of data protection law when processing data, for example the various GDPR data protection principles.
In a “no deal” scenario, what happens to personal data that we want to send from the UK to the EU after exit day?
The UK Government confirms in its guidance that: “You would continue to be able to send personal data from the UK to the EU. In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU. The UK would keep this under review.”
We expect that the UK Government will make amendments to the Data Protection Act 2018 in order to implement this post-Brexit regime. The implication of allowing the continued free flow of data would suggest the Government is intending to treat post-Brexit personal data transfers to the EU as “adequate” for UK data protection purposes. This is presumably intended to avoid the need for UK data controllers to implement other mechanisms to allow the transfer of personal data from the UK to the EU, such as standard contractual clauses.
Data controllers and processors will however need to keep their arrangements under review, particularly when the UK government publishes any proposed amendments to the Data Protection Act and when the Information Commissioner’s Office issues further guidance.
In a “no deal” scenario, what happens to personal data that we want to receive from the EU after exit day?
Data controllers and processors in the EU will need to consider any guidance that their own national regulators or the European Data Protection Board issues in relation to Brexit.
The UK Government guidance confirms that:
“If the European Commission does not make an adequacy decision regarding the UK at the point of exit and you want to receive personal data from organisations established in the EU (including data centres) then you should consider assisting your EU partners in identifying a legal basis for those transfers.
For the majority of organisations the most relevant alternative legal basis would be standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations on you and your EU partner, and rights for the individuals whose personal data is transferred. In certain circumstances, your EU partners may alternatively be able to rely on a derogation to transfer personal data. We recommend that you proactively consider what action you may need to take to ensure the continued free flow of data with EU partners. Further detail on the availability of each legal basis, and the processes associated with making use of them, is available from the Information Commissioner’s website.”
We can assist our clients in deciding whether such standard contractual clauses are an appropriate solution where they want to receive personal data from EU data controllers or processors. We can also assist in drafting or advising on appropriate agreements and on other potential transfer mechanisms, for example the use of binding corporate rules by groups of undertakings or enterprises engaged in a joint economic activity.
In a “no deal” scenario, what happens to personal data that we want to send to countries outside the EU after exit day?
As mentioned above, certain countries are subject to full or partial “adequacy decisions” by the EU Commission, meaning it considers they have adequate levels of protection that meet GDPR requirements.
Government guidance has not expressly stated whether the UK will seek to adopt these decisions post-Brexit. The EU-US Privacy Shield arrangements are supported by an agreement between the EU and US, and the UK would need to negotiate its own agreement with the US if it wished to adopt the Privacy Shield arrangements.
Data controllers and processors will need to keep their arrangements under review, particularly when the UK government publishes any proposed amendments to the Data Protection Act and when the Information Commissioner’s Office issues further guidance.
In a “no deal” scenario, what happens to personal data that we want to receive from countries outside the EU after exit day?
These transfers should not be affected by Brexit, but if data controllers or processors have critical data flows, they may want to check the legal position of the country where the data is being sent from. We have links with a range of lawyers in other jurisdictions if advice on a particular point is required.
Are there any other implications for personal data in a “no deal” scenario?
It is unclear what appetite regulators would have for strictly enforcing GDPR requirements immediately following exit day in the event of a “no deal”, given the close alignment of the UK and EU regimes. Depending on the practicality of implementing safeguards such as standard contractual clauses, controllers and processors may find themselves having to take risk-based decisions depending on the nature and sensitivity of the data involved and the importance of the data flows to their operations. To prepare for this scenario, data controllers and processors may want to check now that they have sufficient details of their existing and planned cross-border data flows in an accessible place. They may already have such information as part of their GDPR compliance and record of processing activity. The position may become clearer as and when UK and EU regulators issue guidance on Brexit.
Some other provisions of the GDPR require records and documentation to include requirements relating to transfers of data to third countries, for example as part of the information to be given to data subjects under GDPR Articles 13 and 14, and the record of processing activities under Article 30. These records should be updated to reflect the post-Brexit regime.
Where a data controller or processor is not established in the EU, the GDPR still applies to their processing activities which are related to either:
- The offering of goods or services to data subjects in the EU, irrespective of whether a payment by the data subject is required; or
- The monitoring of the behaviour of data subjects in the EU, so far as such behaviour takes place in the EU.
These are known as the GDPR’s “extra-territorial provisions”. In such circumstances the controller or processor is required under GDPR to appoint in writing a “representative” established in one of the EU member states where the relevant data subjects are located. There are limited exceptions to this requirement for public authorities and for “occasional” processing which are beyond the scope of this note. The representative’s identity and contact details must be provided in the information given to data subjects under GDPR Articles 13 and 14. The GDPR places direct obligations on the representative in addition to those on the controller (for example, to maintain a record of processing activities, to cooperate with supervisory authorities in the exercise of their functions). A failure by a UK data controller or processor to appoint a representative where this is required under GDPR could lead to a fine or other enforcement action by an EU regulator.
It is also unclear at present whether the UK will implement equivalent extra-territorial provisions into its post-Brexit data protection regime. The position should become clearer once draft legislation to amend the Data Protection Act 2018 has been published.
Another consequence of a no deal Brexit would be to remove the UK from the “one stop shop” mechanism, so that the ICO could no longer act as a “lead supervisory authority”. A ‘lead supervisory authority’ is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data. “Cross-border” in this context means:
- “processing of personal data which takes place in the context of the activities of establishments in more than one [EU] Member State of a controller or processor in the [EU] where the controller or processor is established in more than one [EU] Member State; or
- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the [EU] but which substantially affects or is likely to substantially affect data subjects in more than one [EU] Member State.”
Guidance published by the EU regulators states that if a controller “does not have an establishment in the EU, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. This means that controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.”
There may also be practical questions for regulators or data subjects seeking to enforce different aspects of UK data protection law in the EU and vice versa.