Brexit - Data Protection
The Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR) is applicable as from 25 May 2018 in all EU Member States, including the UK. The UK has meanwhile adopted the Data Protection Act 2018, which, amongst others, further implements the GDPR into national law. The competent supervisory authority for data protection in the UK is the Information Commissioner’s Office (ICO).
Hence, until 29 May 2019 (Brexit Date), entities operating in the UK will have to comply with the GDPR and the Data Protection Act 2018, will be able to benefit from the one-stop-shop principle and will be subject to the consistency mechanism (including the competence of the European Data Protection Board (EDPB)).
On 15 November 2018, the UK Government and the EU Commission jointly published a draft agreement on the terms of the Brexit (the Withdrawal Agreement).
The Withdrawal Agreement provides for a transition period from 30 March 2019 until 31 December 2020 (the Transition Period), during which the UK will remain subject to all EU laws (other than those expressly excluded by the Withdrawal Agreement). The UK can extend the Transition Period once by notice before 1 July 2020.
During the Transition Period:
- the GDPR and related EU privacy laws will continue to apply to the UK;
- the UK must continue to interpret and apply the GDPR and related EU privacy laws consistent with wider EU legal principles; EU Member States must continue to apply the GDPR and related EU privacy laws in a way which does not discriminate against the UK;
- the CJEU will continue to have jurisdiction to settle questions of interpretation raised by the UK courts regarding data protection law and the UK must abide by CJEU decisions;
- transfers of personal data from the EU to the UK will not be restricted under Chapter V (Transfers of personal data to third countries or international organisations) of the GDPR; and
- the UK will be restricted from participation in EU decision-making and governance bodies/offices, but may be invited to attend on a non-participatory basis; hence, it is to be expected that the ICO’s role in the EDPB will be limited to attendance in an observer capacity.
The EU and UK have also published a high level non-binding joint declaration of the potential form of the long-term relationship between the UK and the EU after the Transition Period.
The joint declaration establishes a willingness by the European Commission to commence an assessment of the UK’s adequacy, with an ambition to adopt an adequacy decision by the end of the Transition Period. Securing an adequacy decision will be vital to supporting a free flow of personal data between the EU and the UK once the Transition Period comes to an end.
Finally, the joint declaration contains some high level principles to (i) secure co-operation between data protection regulators; (ii) develop reciprocal arrangements for PNR, DNA, fingerprint and vehicle registration data processing, and (iii) facilitate electronic commerce and cross-border data flows.
On 15 January 2019, the House of Commons rejected the Withdrawal Agreement by a vote of 432 to 202. Unless an amended version of the Withdrawal Agreement is approved by the House of Commons in the coming weeks, chances are high that the UK will leave the EU on the Brexit Date without an agreement.
In the event that the UK leaves the EU without a transitional arrangement, the implications for international data flows and privacy compliance in general will be severe. The ICO has already published extensive guidance on the consequences of a ‘hard’ Brexit for data protection.
When the UK exits the EU without a deal, the EU GDPR will no longer be law in the UK. The UK government however intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK.
The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU (e.g., in the UK after the Brexit Date), where the processing activities are related to (i) the offering of goods or services to such data subjects in the EU; or (ii) the monitoring of their behaviour as far as their behaviour takes place within the EU. Hence, even after the Brexit Date, UK entities may have to comply with the GDPR, given the latter’s extra-territorial effect. UK entities subject to the GDPR will need to appoint a local representative in the EU (Article 27 GDPR).
EU to UK Data Transfers
When the UK exits the EU without a deal, the UK will automatically be regarded as a country that does not provide adequate protection of personal data originating from the EU. In practice, this means that EU entities transferring personal data to the UK must ensure that, prior to the Brexit Date, appropriate safeguards are put in place (e.g., Standard Contractual Clauses or Binding Corporate Rules).
Use of UK (Sub-)Processors
EU controllers using UK processors or sub-processors will need to ensure that, aside from a data processing agreement in accordance with Article 28 GDPR, express contractual safeguards to ensure adequate protection of personal data (e.g., Controller-Processor Standard Contractual Clauses) are put in place.
UK to EU or Adequate Countries Data Transfers
Transfers from the UK to the EU or other adequate countries (including organisations adhering to the Privacy Shield) are unlikely to be affected. However, onward transfers of personal data originating from the EU by UK entities may become an issue. Indeed, contractual arrangements imposed upon UK entities to legitimise data transfers from the EU to the UK (e.g., Standard Contractual Clauses) generally require the same obligations to be passed on to any third parties that will be processing the data. As a result, existing arrangements between UK entities and entities located elsewhere and that are processing personal data originating from the EU may need to be reviewed and updated. New arrangements between UK entities and entities located elsewhere and that are processing personal data originating from the EU will also require specific attention in order to ensure compliance with the UK entity’s obligations under contractual arrangements to legitimise data transfers from the EU to the UK.
Lead Supervisory Authority
Because their main EU establishment is located in the UK, many multinationals operating across the EU are currently subject to the competence of the ICO as lead supervisory authority under the one-stop-shop mechanism foreseen by the GDPR. In the event that the UK ceases to be an EU Member State, the ICO will no longer be considered a supervisory authority for the purposes of the GDPR, will no longer be a member of the EDPB and will no longer be able to act as lead supervisory authority. As a result, UK-headquartered multinationals may need to select an alternative lead supervisory authority (within the EU) or an additional one in parallel with the ICO. UK-headquartered multinationals operating across the EU will be accountable to a variety of EU data protection supervisory authorities instead of only to the ICO. Therefore, some of them may even consider moving their headquarters to an EU Member State in order to secure the lead supervisory authority benefit.
If the UK and the EU still agree on a Withdrawal Agreement (albeit in a modified form), the immediate impact of Brexit on data protection will be rather limited.
During the Transition Period
- The Transition Period provides for a kind of ‘status quo’ in the field of data protection until 31 December 2020.
- Personal data will be able to continue to flow freely between the EU and the UK.
- EU controllers transferring personal data to the UK will however need to monitor whether the UK succeeds in securing an adequacy decision by the end of the Transition Period, allowing personal data to continue to flow freely between the EU and the UK (see below).
After the Transition Period
- Our recommendations in case of a ‘hard’ Brexit fully apply (see below).
- If the UK succeeds in securing an adequacy decision by the end of the Transition Period, personal data will however continue to be able to flow freely between the EU and the UK. Hence, EU controllers transferring personal data to UK controllers or processors would not have to ensure appropriate contractual safeguards are in place.
Recommendations in Case of a ‘Hard’ Brexit
- EU controllers transferring (directly or indirectly) personal data to UK controllers or processors need to put in place contractual safeguards to ensure adequate protection of personal data.
- EU processors using UK sub-processors need to ensure contractual safeguards to ensure adequate protection of personal data are put in place.
- EU controllers need to review their current documentation (from records of processing activities under Article 30 GDPR to DPIAs under Article 35 GDPR) in order to reflect the fact that the UK no longer forms part of the EU.
- UK controllers and processors subject to the GDPR due to its extra-territorial effect will need to appoint a local representative in the EU.
- UK controllers and processors that are receiving personal data from the EU need to put in place contractual safeguards to ensure they become safe importers of personal data.
- UK controllers and processors need to review their arrangements with entities located outside the UK that are receiving personal data originating from the EU in order to ensure that contractual obligations imposed upon UK entities to legitimise data transfers from the EU to the UK (e.g., Standard Contractual Clauses) are passed on to any third parties that will be processing the data.
- UK-headquartered multinationals may need to select an alternative lead supervisory authority (within the EU) or an additional one in parallel with the ICO, or may consider moving their headquarters to an EU Member State in order to secure the lead supervisory authority benefit.
- UK controllers need to review their current documentation in order to reflect the fact that the UK no longer forms part of the EU.