Against a fluid legal and political landscape – which may well have overtaken the contents of this update by the time you read it – the publication of the signed Withdrawal Agreement and Political Declaration (together the “Proposed Deal”) does little to alleviate the profound business uncertainty that has surrounded data protection since the UK voted in favour of Brexit more than two years ago.
Yet, as the only plan on the table at this stage, the Proposed Deal serves as the most valuable indicator of how data protection will be treated should the EU and UK reach political agreement on the terms of Brexit. To this end, businesses within the scope of EU data protection law can take some comfort from a plan which conserves the data protection “status quo” for at least the next two years (except in relation to how the Lead Supervisory Authority regime under the GDPR operates in the UK).
Data protection FAQs
In this update, we frame the Proposed Deal in a practical context by using some data protection FAQs to compare what businesses can expect from a data protection perspective, as at 11pm UK time on Friday, 29 March 2019 (the “Exit Date”), under each of the following foreseeable Brexit scenarios:
- The deal scenario: the Proposed Deal is approved by relevant UK and EU institutions (read more on that process in our Brexit Business Brief);
- No deal scenario: the UK leaves the EU without the Proposed Deal having been approved, for example because the Proposed Deal is rejected by the UK House of Commons; and
- No Brexit scenario: the UK does not leave the EU on the Exit Date (for example, the two year period under Article 50 is extended or a second referendum overturns the earlier vote).
Against that uncertainty, our immediate takeaways for businesses are as follows:
- Continue with GDPR projects through to completion, as an organisation which is compliant pre-Brexit is likely to be compliant post-Brexit (irrespective of the shape that Brexit takes).
- Update agreements to ensure that the data protection provisions allow for the transfer and processing of personal data to the UK as a matter of contract. (Typical data protection clauses will impose restrictions on the transfer of data outside the EEA.)
- Continue to monitor the position concerning EEA-UK data transfers post-Brexit and consider updating agreements to include standard contractual clauses to legitimise data transfers (as a matter of regulatory law) until such time that the UK is granted adequacy (whether that is before or after the end of the transition period under the Proposed Deal).
- Businesses that currently benefit from the Lead Supervisory Authority regime under GDPR will need to carefully consider how the removal of the UK/ICO from this regime will impact them, and whether steps can be taken to mitigate that impact.
Data protection FAQs: quick-reference table

|FAQ|Deal scenario|No deal scenario|No Brexit scenario|
|---|---|---|---|
|1 Will EU data protection law apply in the UK?|Yes|Yes, but subject to some important caveats from a data protection perspective|Yes|
|2 Will there be restrictions on the transfer of personal data from the EEA to the UK?|No|Yes|No|
|3 Will there be restrictions on the transfer of personal data from the UK to the EEA?|No|Unlikely|No|
|4 Is a UK adequacy decision from the Commission likely?|Yes|Yes, in principle, although the Commission has given no clarity around timings|Not required|
|5 Will the UK be within the scope of the co-operation and consistency mechanism under Chapter VII GDPR?|No|No|Yes|
|6 Where can you find further guidance?|See here|See here| |
The deal scenario
During the transition / implementation period (which begins on the Exit Date and runs until 31 December 2020, with the option to extend), the UK commits to applying EU data protection law (i.e. the GDPR, the e-Privacy Directive, etc.) where:
- personal data of data subjects outside of the UK is processed in the UK; and
- EU data protection law applied to the processing of such data before the end of the transition period.
(Article 71 (Draft Withdrawal Agreement))
This provision works to preserve the “status quo” data protection position for at least the next two years, save that:
- any subsequently agreed adequacy decision will take precedence over this principle (see below); and
- the co-operation and consistency mechanism under the GDPR is not applied in the UK (see below).
The Withdrawal Agreement works to ensure that during the transition period, any reference to “Member States” in EU data protection law (including the GDPR) should be understood as including the UK. (Article 127(6) of the Withdrawal Agreement)
For this reason, organisations looking to export data from the EEA to the UK during the transition period are not caught by the data transfer restrictions in Chapter V (Art 44-50) of the GDPR. Those restrictions apply only to transfers of personal data to a third country (a country outside the EEA, i.e. neither an EU Member State nor another EEA state) or to an international organisation.
For the reasons above, UK-EEA data transfers are treated like transfers between any other Member States.
The EU also makes an express commitment to avoiding treating data and information obtained from the UK differently from data obtained from any other Member State on the sole ground that the UK has withdrawn from the EU. (Article 73 (Withdrawal Agreement))
The expectation is that an adequacy decision will be put in place to legitimise data transfers from the EEA to the UK (without the need for any other transfer safeguards) by the end of the transition period.
In particular, paragraph 8 of the Political Declaration sets out that:
- the Commission will begin its assessment of the UK data protection standards as soon as possible after the Exit Date;
- the Commission commits to “endeavouring” to adopt decisions by the end of 2020; and
- the UK will take steps – in the course of establishing “its own international transfer regime” – to ensure comparable facilitation of personal data flows from the UK to the EU within the same period.
Once an adequacy decision is granted, the UK domestic rules on personal data protection will apply and will supersede the provisions outlined above.
If the UK subsequently lost its adequacy status, the UK would apply data protection standards which are essentially equivalent to those in the EU.
The EU wishes to retain its decision-making autonomy, and so Chapter VII of the GDPR (the co-operation and consistency mechanism) is carved out from the scope of EU data protection law which applies in the UK as from the Exit Date. (Article 70(a) (Withdrawal Agreement)).
This means that from the Exit Date the UK will technically not have continued participation in the European Data Protection Board or the “One-Stop Shop”/Lead Supervisory Authority regime.
This could mean additional costs and bureaucracy for UK controllers, for example multiple breach reporting requirements where an incident affects data subjects in several Member States.
That said, it remains to be seen exactly how this will work in practice given the clear mutual benefits for the ICO and other EU supervisory authorities of ensuring close co-operation and joined-up enforcement action. In addition:
- paragraph 10 of the Political Declaration outlines a firm commitment from the UK and the EU to make arrangements for “appropriate” cooperation between data protection regulators; and
- the Withdrawal Agreement does appear to grant the UK data protection commissioner, the ICO, the right to attend (by invitation only) meetings of expert groups or similar bodies (which could include the European Data Protection Board) in certain, limited circumstances. This could be, for example, where a discussion of that group relates to natural persons residing in the UK. This is likely to be in an informal, observer capacity, without the right to vote. (Article 128(5), Withdrawal Agreement).
- Explainer for the Withdrawal Agreement (published by the UK government)
- Explainer for the Political Declaration (published by the UK government)
- What is in the Withdrawal Agreement (published by the Commission)
No deal scenario
Through the European Union (Withdrawal) Act 2019, EU data protection law (including the GDPR) existing as at Exit Date will be incorporated onto the UK statute book at 11:00 p.m. on that day.
Despite this, from the EU’s perspective, all primary and secondary EU data protection law (including the GDPR) ceases to apply to the UK from that date.
Similarly, the UK will cease to be an EU Member State from the Exit Date due to the mechanics of Article 50 of the Lisbon Treaty. Instead, from the Exit Date the UK will be classified as a ‘third country’ for data protection purposes.
GDPR restrictions on the transfer of personal data from the EEA to the UK, as a ‘third country’, apply immediately following the Exit Date.
Aside from an adequacy decision (see further below), businesses have the following options to legitimise those transfers:
- Standard data protection clauses;
- Binding corporate rules;
- Approved Code of Conduct;
- Approved certification mechanisms; or
- Limited derogations which allow for transfers in specific cases (such as transfers based on consent).
(Chapter V GDPR, Articles 44 – 50)
These options were communicated by the Commission to EU-based controllers through the EC Preparedness Notice.
The UK government has confirmed in its no deal guidance that given the “unprecedented degree of alignment” between the UK and EU’s data protection regimes, the UK would, following the Exit Date, continue to allow the free flow of personal data from the UK to the EU (although this would be kept under review).
This position is reinforced by the UK Data Protection Act 2018 (section 22 and Schedule 6), which is intended to ensure that the GDPR will work in a UK context after Brexit (but this area remains to be clarified).
Yes, in principle, although the Commission has given no clarity around timings.
The UK government has confirmed in its no deal guidance that following the Exit Date the UK government would apply for an adequacy decision from the Commission.
The UK government wishes to begin preliminary discussions now, but the Commission’s public position is that the decision on adequacy cannot be taken in a no deal scenario until the UK is a ‘third country’.
Historically, adequacy decisions take months, if not years (the quickest decision took nine months). Until that point, businesses will need to find another solution to legitimise data transfers (as summarised above).
The UK falls outside the scope of Chapter VII GDPR, on the basis that:
- from an EU perspective, all primary and secondary EU law (including the GDPR) ceases to apply to the UK from the Exit Date; and
- the UK will no longer be considered as a Member State for the purposes of the GDPR (Article 51 of the GDPR only recognises supervisory authorities appointed by Member States).
(Article 51, GDPR)
That said, in its no deal guidance, the UK government set out its intention for the ICO to continue to push for close co-operation and joined-up enforcement action with EU supervisory authorities.
- UK government no deal data protection guidance
- European Commission preparedness notice on data protection (European Commission Preparedness Notice)
- European Commission’s Contingency Action Plan for no deal
No Brexit scenario
GDPR restrictions on data transfers do not apply as between Member States. (Chapter V GDPR, Articles 44 – 50)