Data Privacy and a No-Deal Brexit: what are the implications?

With Boris Johnson’s mantra that the UK is leaving the EU on 31 October 2019 “come what may”, we’re left with the very real prospect of a ‘no-deal Brexit’.  What would a ‘no-deal Brexit’ look like for your organisation?  What, if anything, can you be doing to prepare?


Well, at least in terms of data privacy, there are some known unknowns and, whisper it quietly, maybe even some known knowns in the event of a no-deal Brexit:

GDPR is not going anywhere

The ‘EU GDPR’ will be retained as UK law on exit and become the ‘UK GDPR’ once the tweaks made by the Exit Regulations (the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) take effect. Those tweaks are needed so that the text makes sense as UK law – for example, references to the “European Union” become references to the “United Kingdom”. This is largely a superficial make-over: there will be no major changes to the substance, so for now at least organisations should continue to comply with the same GDPR principles. In particular, UK organisations shouldn’t forget that, even once the UK has left the EU, they will still be required to comply with the EU GDPR if they offer goods or services to, or monitor the behaviour of, individuals in one or more of the remaining 27 EU countries.

Additionally, work done by UK organisations so far on GDPR implementation will not be in vain.  But those tweaks will have some practical consequences, and this is where borders come in…

Same but different

The EU GDPR restricts transfers of personal data from the EU to ‘third countries’, except where the European Commission has formally decided that a country’s data protection regime is ‘adequate’. On exit, the UK will become a third country. Despite the existence of the ‘UK GDPR’, the UK will have to go through the process of obtaining an adequacy decision from the European Commission.

Will the UK be deemed adequate?

This is not guaranteed. One thing that is clear (at least relative to everything else) is that the process can take months or years – so, at least initially, transfers of personal data from the EU to the UK will be restricted under the EU GDPR.

What this means for data transfers

EU to UK

Both the UK ICO and the European Data Protection Board have reiterated that steps will be needed to legitimise transfers of personal data from the EU to the UK.

UK organisations which ‘import’ personal data from the EU should liaise with their EU exporter organisation(s) about putting in place additional safeguards. Practically, this is likely to mean identifying such regular transfers, and then executing Standard Contractual Clauses (model agreements approved by the European Commission as legitimising restricted transfers) between the UK importer and the EU exporter. Not all such transfers will require the Standard Contractual Clauses, and the ICO has published a tool to help organisations work out how to continue to make lawful data transfers. The Standard Contractual Clauses also have their shortcomings: they shouldn’t really be modified, and the current sets only cover transfers from a controller in the EU to a controller or a processor outside it, so they do not apply to the export of personal data from a processor in the EU (say, your cloud storage provider in Ireland) to a controller in the UK. Whilst there is no clear route for these processor-to-controller transfers, there are a few options available to mitigate the risk – and Bates Wells can help if you are particularly concerned.

UK to EU

The ‘UK GDPR’ will in turn restrict transfers of personal data from the UK to any other country in the world. In principle, this includes countries in the EU. But the UK Government has said it does not intend to impose additional requirements on transfers from the UK into the EEA (which includes the EU), so these can continue without additional safeguards.

UK to the rest of the world

On exit, transfers of personal data from the UK to other non-EU countries can continue on the same basis as they did before. The UK will adopt the EU’s current adequacy decisions (covering, for example, transfers to New Zealand, Argentina and Switzerland). Transfers from the UK to US organisations under the Privacy Shield can continue, provided the recipient has updated its Privacy Shield certification to cover transfers from the UK (the FAQ on the Privacy Shield website explains how), and transfers to other countries can continue through the use of Binding Corporate Rules or the Standard Contractual Clauses. The Secretary of State will determine future UK adequacy decisions (including, in the longer term, any decision covering transfers from the UK to the EU).

Representatives

After the split, some organisations could suffer a double-whammy and be required to comply with both the EU GDPR and the UK GDPR. The EU GDPR has extra-territorial effect meaning, broadly, that even an organisation with no establishment in the EU must comply with the EU GDPR if it offers goods or services to individuals in the EU or monitors their behaviour. For the most part, this should not cause any issues, as the requirements will be generally the same as they are under the UK GDPR. However, one practical issue that could arise for UK organisations caught by the ‘targeting’ test is a requirement to appoint a representative in the EU.

This will work both ways – the position under the UK GDPR will mean that it has extra-territorial effect too (because of those tweaks).  So EU organisations with no establishment in the UK but targeting UK individuals could have to appoint a representative in the UK.  And international organisations targeting individuals in both the UK and the EU could be required to appoint two representatives (one in each).

These requirements are legally complex. UK organisations should consider the extent of their operations in the EU and take advice if concerned.

Further divergence in the future

Whilst it is possible that the UK GDPR could ‘diverge’ from the EU GDPR over time, in the short to medium term at least there is likely to be ‘regulatory alignment’.  GDPR is on its way to becoming a global standard, and that does not look likely to change anytime soon.

Worried?

The ICO and the UK Government have indicated that they will expect organisations to be considering the above issues now and identifying where there are risks that need to be mitigated (you will no doubt have seen the TV ads by now). But regulators are expected to act proportionately. Given the exceptional circumstances surrounding Brexit and the continued uncertainty, there are good grounds for expecting a reasoned and pragmatic approach from the ICO and the UK Government. Ultimately, if your organisation is non-compliant with the key principles of the GDPR, such as transparency and lawfulness (for example, you don’t have a compliant privacy notice, or you keep personal data indefinitely), then these, in our view, indicate greater risks than the transfer issues above.

And if there is a deal?

If Boris Johnson is able to enter the “tunnel” with EU negotiators and pass a deal, then it is likely that EU law will continue to apply in the UK as normal during a transition period lasting at least until 31 December 2020. Of course, there is no guarantee that the issues above will have been resolved by the end of that period. So maybe bookmark this page.

The ICO has published a number of Brexit resources on its website.

Disclaimer: The above reflected what we (thought) we knew as of 1st February 2019.  It was updated on 3rd October 2019 to reflect what we think we know now.  Tomorrow everything could change.


All content on this page is correct as of October 8, 2019.