Throughout 2019 we did our best to keep up with Brexit (Would it happen? When would it happen? What form might it take?).
You can read our attempts here.
Since the result of the UK general election on 12 December 2019, we have a much clearer idea of how Brexit will impact on data privacy, with Boris Johnson expected to use his majority of 80 to “Get Brexit Done” and pass the EU (Withdrawal Agreement) Bill imminently.
So, it seems, the UK will leave the EU at 11pm UK time on 31 January 2020. And there will then be a ‘transition period’ of 11 months, to 31 December 2020. The transition period can be extended by agreement with the EU and it is very possible an extension will be necessary.
What does this mean for the GDPR? Will we still need to comply?
The GDPR stays in its current form during the transition period and applies to all organisations processing personal data in the UK.
After the transition period, the GDPR will be incorporated into UK law, so there will be an ‘EU GDPR’ (the original law) and a ‘UK GDPR’ (the law passed by Parliament in the UK) – both of which will contain substantially the same rules (at least for the time being). This does mean that, for some organisations, there will be overlapping requirements such as:
- The need to appoint a ‘representative’ in the EU and/or in the UK for organisations based outside, but subject to, the two laws. For instance, if you are an organisation based in Ireland but targeting individuals online in the UK, you’d need to appoint a representative in the UK (under the UK GDPR). Likewise, if you are an organisation based in the UK but targeting individuals online in France, you’d need to appoint a representative in France (under the EU GDPR). Bear in mind that there are exceptions to the requirement to appoint a representative as well.
- Reporting data security breaches to both the UK ICO and one or more relevant EU regulators.
How do we lawfully transfer personal data from the EU to the UK?
During the transition period, these data transfers will be unaffected and can continue without you having to take any further steps.
The European Commission’s ‘Task Force’ for relations with the UK gave an encouraging update earlier this month. The Task Force indicated that it will endeavour to adopt an ‘adequacy decision’ for the UK by the end of 2020. If the Commission decides that the UK is ‘adequate’, then data transfers from the EU to the UK can continue without further steps.
But if the UK is not awarded ‘adequacy’, then you would need to take additional steps to transfer personal data from the EU to the UK – most likely, by using the Standard Contractual Clauses (model data transfer agreements approved by the EU).
Will the UK be deemed ‘adequate’ by December 2020?
Hopefully. The Task Force notes that these will be ‘complex and politically sensitive negotiations’. The adequacy process is designed to ensure that personal data leaving the EU remains subject to essentially equivalent protections. A number of countries, most recently Japan, have been deemed ‘adequate’, but the quickest negotiation (Argentina) took 18 months. And the UK only has 11 months.
The UK is (currently) in an unprecedented state of alignment with the EU’s data privacy rules, which should help. But there are also concerns about the UK Government’s access to personal data under the Investigatory Powers Act 2016 (the ‘Snooper’s Charter’) which will need to be considered.
An Opinion by an Advocate General of the European Court of Justice (CJEU) a few days ago reduced the likelihood of the UK receiving adequacy status. While not a decision by the court itself (which will follow and could deviate from the Opinion), the Advocate General recommended that the UK’s requirement on telephone and internet companies to retain data for the surveillance purposes of intelligence agencies be found unlawful. If the court agrees, the UK legal regime will have failed under EU law to properly protect individuals’ privacy. We will need to wait and see how critical this aspect is for the European Commission when it assesses the UK data privacy regime for adequacy.
How do we transfer personal data from the UK to the EU?
During the transition period, this will also be ‘business as usual’.
The UK Government has indicated that it is committed to granting reciprocal ‘adequacy’ status to the EU, so the aim will be for the free flow of data to continue after 2020.
How do we transfer personal data from the UK to the rest of the world?
Again, during the transition period, nothing will change. Transfers to countries declared ‘adequate’ by the European Commission can continue without steps being taken, and transfers to other third countries will require safeguards such as the Standard Contractual Clauses.
After the transition period, the UK has indicated it is committed to, at least initially, adopting existing EU adequacy decisions and safeguards such as the Standard Contractual Clauses. Over time, the UK will develop its own processes for reviewing these transfer mechanisms and for approving new adequacy decisions.
Is there anything we can be doing now?
Now might be a good time to review any standard data privacy wording in your contracts – references to the EU, to Member States, and to the EU GDPR could soon be out of date depending on whether the contract is only focussed on activities in the UK. Any precedent contracts that will be used in the future should be reviewed to see what changes should be made.
It is still too early to confirm whether Standard Contractual Clauses will be necessary for EU to UK data transfers (since the UK could still be declared adequate), but it would be sensible to identify whether your organisation is involved in such data flows, and what the contract says about them (for example, it might prohibit the transfer of personal data to countries outside of the EU – from February 2020, technically, that could include the UK).
A final word about the Standard Contractual Clauses
For some time the sword of Damocles has been hovering over the Standard Contractual Clauses due to a challenge to their legitimacy in the CJEU. Privacy activists had argued that the Standard Contractual Clauses fail to protect the privacy of individuals when relied upon for personal data transferred to third countries whose public authorities were involved in surveillance practices.
In an Opinion in December 2019, an Advocate General recommended that the CJEU uphold the Standard Contractual Clauses as valid. Given how many organisations rely on the Standard Contractual Clauses for international data transfers, this Opinion is highly significant and helpful. There’s no guarantee that the CJEU will follow the Advocate General’s Opinion but, for the time being, organisations can confidently continue to rely on the Standard Contractual Clauses.
If you have any questions, our data privacy team would be happy to discuss the latest developments and recommended approaches with you.