Update: 14th February 2019. On 12th February the European Data Protection Board (EDPB) adopted an information note on data transfers in the event of a no-deal Brexit. The note can be found here. The EDPB confirms that steps will be needed to legitimise transfers of personal data from Europe to the UK in the event of a no-deal Brexit. The EDPB reiterates that Standard Contractual Clauses are one available mechanism for lawfully making data transfers, but warns against modifying the clauses, since modified clauses will need authorisation from a data protection authority. Unsurprisingly, the EDPB also emphasises that, although derogations (such as explicit consent) can be relied upon, the use of derogations is interpreted restrictively and so will only really be relevant where processing is occasional and non-repetitive.
We are within 60 days of ‘Exit Day’. We are all very concerned about (the Speaker of the House of Commons) John Bercow’s larynx, and Barclays Bank is triggering its no-deal Brexit plan at a reported cost of £160bn. What would a ‘no-deal Brexit’ look like for your organisation? What, if anything, can you be doing to prepare?
Well, at least in terms of data privacy, there are some known unknowns and, whisper it quietly, maybe even some known knowns in the event of a no-deal Brexit:
GDPR is not going anywhere
The ‘EU GDPR’ will become UK law on exit, and become the ‘UK GDPR’ following tweaks made by Exit Regulations. Those tweaks are needed so that it makes sense as UK law – for example, references to “European Union” become references to “United Kingdom”. This is largely a superficial make-over. There will be no major changes to the substance. So for now at least organisations should continue to comply with the same GDPR principles. In particular, UK organisations shouldn’t forget that, even when the UK leaves the EU, you are still required to comply with the EU GDPR if you offer goods or services to, or monitor, individuals in one or more of the remaining 27 EU countries.
Additionally, work done by UK organisations so far on GDPR implementation will not be in vain. But those tweaks will have some practical consequences, and this is where borders come in…
Same but different
The EU GDPR restricts transfers of personal data from the EU to third countries, except where those countries have formally been deemed to have ‘adequate’ data protection regimes. On exit, the UK will become a third country. Despite the existence of the ‘UK GDPR’, the UK will have to go through the process of applying for an adequacy ruling from the EU.
Will the UK be deemed adequate?
This is not guaranteed. One thing that is clear (at least relative to everything else) is that this process can take months or years – so, at least initially, transfers of personal data from the EU to the UK will be restricted under the EU GDPR.
What this means for data transfers
EU to UK
UK organisations which ‘import’ personal data from the EU should liaise with their EU exporter organisation(s) about putting in place additional safeguards. Practically, this is likely to mean identifying such transfers, and then executing Standard Contractual Clauses (model agreements approved by the EU as legitimising restricted transfers) between the UK importer and the EU exporter. Not all such transfers will require the Standard Contractual Clauses, and the ICO has published a tool to help organisations consider how to continue to make lawful data transfers which you can find here.
UK to EU
The ‘UK GDPR’ will in turn restrict transfers of personal data from the UK to any other country in the world. In principle, this includes countries in the EU. But the UK Government has said it does not intend to impose additional requirements on transfers from the UK into the EEA (which includes the EU), so these can continue unrestricted.
UK to the rest of the world
On exit, transfers of personal data from the UK to other non-EU countries can continue on the same basis as they did before. The UK will be adopting the EU’s current adequacy decisions (e.g. transfers to New Zealand, Argentina, Switzerland etc.). Transfers from the UK to US organisations under the Privacy Shield can continue (provided the recipient has updated their certification – see the FAQ on the Privacy Shield website here for more information), and transfers to other countries can continue through the use of Binding Corporate Rules or the Standard Contractual Clauses. The Secretary of State will determine future UK adequacy decisions (such as any from the UK to the EU in the longer term).
After the split, some organisations could enjoy a double-whammy and be required to comply with both the EU GDPR and the UK GDPR. The EU GDPR has extra-territorial effect meaning, broadly, that even if an organisation is not in the EU it must comply with the EU GDPR if it targets individuals in the EU with commercial activities or profiles them. For the most part, this should not cause any issues, as the requirements will be generally the same as they are under the UK GDPR. However, one practical issue that could arise for UK organisations caught by the ‘targeting’ test is a requirement for them to appoint a representative in the EU.
This will work both ways – the position under the UK GDPR will mean that it has extra-territorial effect too (because of those tweaks). So EU organisations with no establishment in the UK but targeting UK individuals could have to appoint a representative in the UK. And international organisations targeting individuals in both the UK and the EU could be required to appoint two representatives (one in each).
These requirements are legally complex. UK organisations should consider the extent of their operations in the EU and take advice if concerned.
Further divergence in the future
Whilst it is possible that the UK GDPR could ‘diverge’ from the EU GDPR over time, in the short to medium term at least there is likely to be ‘regulatory alignment’. GDPR is on its way to becoming a global standard, and that does not look likely to change anytime soon.
The ICO and the UK Government have indicated that they will expect organisations to be considering the above issues now and identifying where there are risks that need to be mitigated. But regulators are expected to act proportionately. Given the exceptional circumstances surrounding Brexit and the continued uncertainty, there are good grounds for expecting a reasoned and pragmatic approach from the ICO and the UK Government. Ultimately, if your organisation is non-compliant with the main principles of the GDPR (for example, you don’t have a compliant privacy notice, or you keep personal data indefinitely) then these, in our view, indicate greater risks.
And if there is a deal?
If the currently proposed Withdrawal Agreement is passed and comes into effect, then EU law will continue to apply in the UK as normal during the transition period and at least until December 2020. Of course, at that point, there is no guarantee that the issues above will have been resolved. So maybe bookmark this page.
The ICO has a number of Brexit resources, all of which you can find here.
Disclaimer: The above reflects what we (think) we know as of 1st February 2019. Reality is in a state of flux and tomorrow everything could change.
Posted on 14/02/2019 in Brexit Briefcase