Brexit

Data Protection

Major implications

 

Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)

The GDPR will be applicable as from 25 May 2018 in all EU Member States, which means that the UK will have to comply with the GDPR until the effective date of Brexit.

After the effective date of Brexit, the UK will become a 'third country', i.e. it will no longer be a member of the EU or the EEA.

What does this mean?

Territorial scope – UK companies may still have to comply with the GDPR

The GDPR applies not only to the processing of personal data in the context of the activities of a controller or processor established in the EU, but also to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU (e.g., in the UK after the effective date of Brexit), where the processing activities are related to:

  • the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the EU; or
  • the monitoring of their behaviour as far as their behaviour takes place within the EU.

Hence, even after the effective date of Brexit, UK companies may have to comply with the GDPR, given the latter’s extra-territorial effect.

Lead supervisory authority – One-stop-shop mechanism – Move to Brussels?

UK headquartered multinationals operating throughout the EU will be accountable to a variety of EU data protection supervisory authorities instead of only to the UK Information Commissioner's Office. Therefore, some of them may consider moving their headquarters to other EU Member States in order to secure the lead supervisory authority benefit.

International data transfers – Adequacy decision in the Brexit package?

Personal data can only be transferred to countries outside the EU and the EEA (a so-called ‘third country’) when an adequate level of protection of personal data is guaranteed by the third country.

The EU Commission has the power to determine whether a third country ensures an adequate level of protection of personal data by reason of its domestic law or of the international commitments it has entered into (the EU Commission then adopts an adequacy decision similar to the one adopted in respect of the EU-US Privacy Shield).

In theory, after the effective date of Brexit, the UK may want to adopt its own data protection rules deviating from the GDPR. In practice, however, it is likely that the UK will want to ensure that the transfer of data to and from the UK is not restricted. The UK government has already stated that it intends “to make sure that we achieve a coherent data protection regime and that data flows within the EU are not interrupted after we leave”. It is therefore likely that the UK government will seek recognition of the UK as an ‘adequate country’ for data transfers from the EU. Given the length of the procedure to adopt an adequacy decision, the UK may even try to avoid that procedure and have the adequacy decision included in the Brexit package that is currently being negotiated.

In the absence of an adequacy decision, transfers of personal data outside the EU or EEA, and in the present case to the UK, may also be allowed if the transfer is based on Standard Contractual Clauses (approved by the EU Commission) or on Binding Corporate Rules (approved by the relevant supervisory authorities).

Finally, the GDPR also provides derogations from the general prohibition on transfers of personal data outside the EU or EEA for certain specific situations. A transfer, or set of transfers, may be made where the transfer is notably:

  • made with the individual’s informed consent;
  • necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request; or
  • necessary for the establishment, exercise or defence of legal claims.

Contracts

Due specifically to the new obligations for data processors, the GDPR provides for changes in standard data processing agreements. If in the future the contract is to be governed by UK data protection legislation, some further modifications may be expected.

Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)

The activities which fall within the scope of the proposed Regulation on Privacy and Electronic Communications are quite sensitive, involving, inter alia, interference with confidential communications and terminal equipment, which are not addressed by the GDPR.

The text is currently under discussion, and the Article 29 Working Party recently issued an opinion. It welcomes the text but has some specific concerns regarding the tracking of the location of terminal equipment, WiFi-tracking, analysis of content and metadata. The proposed regulation also deals with questions related to direct marketing and cookies.

It is unclear whether the proposed regulation will be adopted before or after the effective date of Brexit. In any case, its content will have an impact on UK data protection law and UK companies.

To do

 

Before the effective date of Brexit

  • Continue to comply with the current data protection rules (Directive 95/46 and implementing national legislation): before its effective date, Brexit will not raise any barriers to personal data flows between the UK and other EU Member States
  • Continue efforts to become compliant with the GDPR as from 25 May 2018
  • Identify transfers of personal data from the EU to the UK, which may be impacted by future changes to the applicable data protection rules as a result of Brexit

After the effective date of Brexit

  • Be prepared for transfer of data to a third country, i.e. the UK
  • Review your contracts with UK third-party providers regarding EU data protection compliance

 

If you have any questions, send us an e-mail (brexit@lydian.be)
or contact Bastiaan Bruyndonckx, + 32 2 787 90 93 or bastiaan.bruyndonckx@lydian.be.

 
