The Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR) is applicable as from 25 May 2018 in all EU Member States, including the UK. The UK has meanwhile adopted the Data Protection Act 2018, which, amongst others, further implements the GDPR into national law. The competent supervisory authority for data protection in the UK is the Information Commissioner’s Office (ICO).
Hence, until 29 May 2019 (Brexit Date), entities operating in the UK will have to comply with the GDPR and the Data Protection Act 2018, will be able to benefit from the one-stop-shop principle and will be subject to the consistency mechanism (including the competence of the European Data Protection Board (EDPB)).
On 15 November 2018, the UK Government and the EU Commission jointly published a draft agreement on the terms of the Brexit (the Withdrawal Agreement).
The Withdrawal Agreement provides for a transition period from 30 March 2019 until 31 December 2020 (the Transition Period), during which the UK will remain subject to all EU laws (other than those expressly excluded by the Withdrawal Agreement). The UK can extend the Transition Period once by notice before 1 July 2020.
During the Transition Period:
The EU and UK have also published a high level non-binding joint declaration of the potential form of the long-term relationship between the UK and the EU after the Transition Period.
The joint declaration establishes a willingness by the European Commission to commence an assessment of the UK’s adequacy, with an ambition to adopt an adequacy decision by the end of the Transition Period. Securing an adequacy decision will be vital to supporting a free flow of personal data between the EU and the UK once the Transition Period comes to an end.
Finally, the joint declaration contains some high level principles to (i) secure co-operation between data protection regulators; (ii) develop reciprocal arrangements for PNR, DNA, fingerprint and vehicle registration data processing, and (iii) facilitate electronic commerce and cross-border data flows.
On 15 January 2019, the House of Commons rejected the Withdrawal Agreement by a vote of 432 to 202. Unless an amended version of the Withdrawal Agreement is approved by the House of Commons in the coming weeks, chances are high that the UK will leave the EU on the Brexit Date without an agreement.
In the event the UK leaves the EU without a transitional arrangement, the implications for international data flows and privacy compliance in general will be severe. The ICO has already published extensive guidance on the consequences of a ‘hard’ Brexit for data protection.
When the UK exits the EU without a deal, the EU GDPR will no longer be law in the UK. The UK government however intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK.
The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU (e.g., in the UK after the Brexit Date), where the processing activities are related to (i) the offering of goods or services to such data subjects in the EU; or (ii) the monitoring of their behaviour as far as their behaviour takes place within the EU. Hence, even after the Brexit Date, UK entities may have to comply with the GDPR, given the latter’s extra-territorial effect. UK entities subject to the GDPR will need to appoint a local representative in the EU (Article 27 GDPR).
EU to UK Data Transfers
When the UK exits the EU without a deal, the UK will automatically be regarded as a country that does not provide adequate protection of personal data originating from the EU. In practice, this means that EU entities transferring personal data to the UK must ensure that, prior to the Brexit Date, appropriate safeguards are put in place (e.g., Standard Contractual Clauses or Binding Corporate Rules).
Use of UK (Sub-)Processors
EU controllers using UK processors or sub-processors will need to ensure that, aside from a data processing agreement in accordance with Article 28 GDPR, express contractual safeguards to ensure adequate protection of personal data (e.g., Controller-Processor Standard Contractual Clauses) are put in place.
UK to EU or Adequate Countries Data Transfers
Transfers from the UK to the EU or other adequate countries (including organisations adhering to the Privacy Shield) are unlikely to be affected. However, onward transfers of personal data originating from the EU by UK entities may become an issue. Indeed, contractual arrangements imposed upon UK entities to legitimise data transfers from the EU to the UK (e.g., Standard Contractual Clauses) generally require the same obligations to be passed on to any third parties that will be processing the data. As a result, existing arrangements between UK entities and entities located elsewhere and that are processing personal data originating from the EU may need to be reviewed and updated. New arrangements between UK entities and entities located elsewhere and that are processing personal data originating from the EU will also require specific attention in order to ensure compliance with the UK entity’s obligations under contractual arrangements to legitimise data transfers from the EU to the UK.
Lead Supervisory Authority
Because their main EU establishment is located in the UK, many multinationals operating across the EU are currently subject to the competence of the ICO as lead supervisory authority under the one-stop-shop mechanism foreseen by the GDPR. In the event the UK ceases to be an EU Member State, the ICO will no longer be considered a supervisory authority for the purposes of the GDPR, will no longer be a member of the EDPB and will no longer be able to act as lead supervisory authority. As a result, UK headquartered multinationals may need to select an alternative lead supervisory authority (within the EU) or an additional one in parallel with the ICO. UK headquartered multinationals operating across the EU will be accountable to a variety of EU data protection supervisory authorities instead of only to the ICO. Therefore, some of them may even consider moving their headquarters to an EU Member State in order to secure the lead supervisory authority benefit.
In the event the UK and the EU still agree on a Withdrawal Agreement (albeit in a modified form), the immediate impact of Brexit on data protection will be rather limited.
During the Transition Period
After the Transition Period