11pm on 31 October 2019 is defined as “exit day” under the European Union Withdrawal Act 2018 (“EUWA”). The main focus of this briefing is on cross-border personal data transfers, both transfers from the EU27 countries to the UK and transfers from the UK to the EU27 and to other jurisdictions. This briefing analyses different scenarios and considers what arrangements may be required to ensure data flows can continue post exit day in a “no deal” scenario. UK data controllers and processors may need to work with their suppliers and customers based in other jurisdictions to ensure that appropriate arrangements are in place. Refer to our risk register for a summary of the potential action points.
The situation may change if a withdrawal agreement is implemented before exit day and/or if further legislation is passed by the UK or EU.
Whilst the UK is a member state of the EU, its data protection regime is principally derived from the EU General Data Protection Regulation (“GDPR”), supplemented by the UK’s Data Protection Act 2018. When the UK leaves the EU it will become a “third country” under the GDPR. This means that after exit day EU data controllers and processors wanting to transfer personal data to the UK will be subject to the GDPR requirements for transferring data to third countries.
Under Theresa May, the Government’s stated position for a negotiated solution was to use the “adequacy decision” framework as a starting point for transfers from the EU to the UK, coupled with other measures to minimise the risk of disruption to cross-border data flows, including a mechanism for cooperation between the UK Information Commissioner’s Office (ICO) and EU data protection regulators on matters such as enforcement action. Under Boris Johnson, as yet there have been no indications that the Government would adopt a different approach if a deal is negotiated before exit day.
However, an “adequacy” arrangement will not be available on exit day in a “no deal” scenario, as the EU Commission’s assessment of whether the UK’s data protection regime is “adequate” under the GDPR would only commence once the UK has left the EU, and this might take months or years.
The adequacy process requires the Commission to review various aspects of UK data protection law, including UK national security legislation. While the UK remains a member state, EU law permits data to be transferred between member states without scrutiny of such legislation.
Will there be significant changes to UK data protection law on exit day if no withdrawal agreement is in place?
No. The Theresa May Government passed regulations (“the UK Regulations”) which mean that even in a “no deal” scenario the UK will continue with broadly the same legal framework for data protection.
In a “no deal” scenario, what restrictions apply to UK data controllers and processors transferring personal data to EU/EEA entities after exit day?
The UK Regulations mean that in a no deal scenario EU countries and the other countries of the European Economic Area (Iceland, Liechtenstein and Norway) will be treated as “adequate” for the purposes of data transfer from the UK. Data can therefore still be transferred to entities in those countries, provided it is in compliance with other aspects of UK data protection law.
In a “no deal” scenario, what restrictions apply to EU/EEA data controllers and processors transferring personal data to UK entities after exit day?
Data controllers and processors in the EU will need to consider any guidance that their own national regulators and/or the European Data Protection Board have issued in relation to Brexit.
As the Commission will not make a decision on whether the UK’s data protection regime is “adequate” until some months or perhaps years after a “no deal” exit, controllers and processors in the EU will need to identify an alternative legal basis for transferring data to the UK under GDPR.
In most cases the relevant legal basis is likely to be by using standard contractual clauses. However, whilst such clauses exist for EEA/EU controller to UK controller transfers and for EEA/EU controller to UK processor transfers, at present there is no standard contractual clause for a cross-border transfer by an EEA/EU processor to a UK controller.
Aside from identifying an appropriate legal basis for the data transfer, data controllers and processors will still need to comply with other aspects of data protection law when processing data, for example the various GDPR data protection principles.
We can assist our clients in deciding whether such standard contractual clauses are an appropriate solution where they want to receive personal data from EU data controllers or processors. We can also assist in drafting or advising on appropriate agreements and on other potential transfer mechanisms, for example the use of binding corporate rules by groups of undertakings or enterprises engaged in a joint economic activity.
In a “no deal” scenario, what restrictions apply to UK data controllers and processors transferring personal data to entities in non-EU/EEA countries after exit day?
The UK Regulations provide in effect for the UK to treat as “adequate” those jurisdictions that the EU has decided are “adequate”. This means that transfers to Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay come within the scope of “full” adequacy decisions. The UK Regulations also recognise Gibraltar as “adequate”.
So far as other jurisdictions are concerned, again it will be necessary to identify an appropriate lawful basis (such as standard contractual clauses) to allow the transfer to take place. Again, we can provide assistance with identifying and implementing appropriate transfer mechanisms.
In a “no deal” scenario, what restrictions apply to non-EU/EEA data controllers and processors transferring personal data to UK entities after exit day?
These transfers are unlikely to be affected by Brexit, but if UK data controllers or processors are concerned about critical data flows, they should check the legal position of the country where the data is being sent from. The UK Government has published information on some jurisdictions. We have links with a range of lawyers in many jurisdictions if advice on a particular point is required.
Are there any other implications for processing personal data in a “no deal” scenario?
Review existing and planned arrangements
It is unclear what appetite regulators will have for strictly enforcing GDPR requirements immediately following exit day in the event of a “no deal”, given the close alignment of the UK and EU regimes. However, organisations have been “on notice” of Brexit for some time now and fines under GDPR can be substantial, depending on the circumstances.
To prepare for a “no deal” scenario, data controllers and processors should therefore ensure they have reviewed details of their existing and planned cross-border data flows, and taken appropriate measures to mitigate the risk of any GDPR breach, for example by adopting standard contractual clauses.
Data sharing contracts that continue after Brexit may contain inappropriate provisions. For example, they may prohibit personal data transfers to entities based outside the European Economic Area or contain definitions that no longer work properly after Brexit. These contracts might become open to termination or uncertain in scope. Key contracts in particular should be reviewed and updated to ensure they continue to work effectively.
Some other provisions of the GDPR require records and documentation to include requirements relating to transfers of data to third countries, for example as part of the information to be given to data subjects under GDPR Articles 13 and 14, and the record of processing activities under Article 30. These records should be updated to reflect the post-Brexit regime.
Appoint EU and/or UK representatives where appropriate
Where a data controller or processor is not established in the EU, the GDPR still applies to their processing activities which are related to either:
- The offering of goods or services to data subjects in the EU, irrespective of whether a payment by the data subject is required; or
- The monitoring of the behaviour of data subjects in the EU, so far as such behaviour takes place in the EU.
These are known as the GDPR’s “extra-territorial provisions”. In such circumstances the controller or processor is required under GDPR to appoint in writing a “representative” established in one of the EU member states where the relevant data subjects are located. There are limited exceptions to this requirement for public authorities and for “occasional” processing which are beyond the scope of this note.
The UK Regulations contain equivalent extra-territorial provisions requiring data controllers and processors that are not established in the UK to appoint UK representatives in equivalent circumstances.
Under both the EU and UK regimes, the representative’s identity and contact details must be provided in the information given to data subjects under GDPR Articles 13 and 14. The GDPR places direct obligations on the representative in addition to those on the controller (for example, to maintain a record of processing activities and to cooperate with supervisory authorities in the exercise of their functions). A failure by a data controller or processor to appoint a representative where this is required could lead to a fine or other enforcement action by a regulator.
“One stop shop”
Another consequence of a no deal Brexit would be to remove the UK from the “one stop shop” mechanism, so that the ICO could no longer act as a “lead supervisory authority”. A “lead supervisory authority” is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data. “Cross-border” in this context means either the:
- “processing of personal data which takes place in the context of the activities of establishments in more than one [EU] Member State of a controller or processor in the [EU] where the controller or processor is established in more than one [EU] Member State; or
- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the [EU] but which substantially affects or is likely to substantially affect data subjects in more than one [EU] Member State.”
Guidance published by the EU regulators states that if a controller “does not have an establishment in the EU, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. This means that controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.”
There may also be practical questions for regulators or data subjects seeking to enforce different aspects of UK data protection law in the EU and vice versa.
Future UK Governments may amend the UK data protection regime. However if the UK wants either an EU adequacy decision or a future trade deal with the EU, the scope for diverging below GDPR standards is likely to be limited.