Profound business uncertainty has surrounded data protection since the UK voted in favour of leaving the EU more than two years ago. The basis on which the UK will leave has still to be agreed, and so much uncertainty remains.
While the proposed deal for leaving the EU – made up of the Withdrawal Agreement and Political Declaration (together the “Proposed Deal”) – may have been rejected by the UK House of Commons on 15 January 2019, it remains the most fully worked-up plan available at this stage. As the ongoing discussions around the Proposed Deal are unlikely to affect its approach to data protection issues, it is still the most valuable indicator of how data protection will be treated should the EU and UK reach political agreement on the terms of Brexit. Businesses within the scope of EU data protection law can take some comfort from a plan which (if it is approved) conserves the data protection “status quo” at least until the end of 2020 (except in relation to how the Lead Supervisory Authority regime under the GDPR operates in the UK).
Data protection FAQs
In this update, we use some data protection FAQs to compare what businesses can expect from a data protection perspective, as at 11pm UK time on Friday, 29 March 2019 (the “Exit Date”), under each of the following foreseeable Brexit scenarios:
- The deal scenario: the UK leaves the EU with a deal having been approved, assuming that the deal which is approved takes the same approach to data protection as the Proposed Deal;
- No deal scenario: the UK leaves the EU without the Proposed Deal (or any other deal) having been approved; and
- No Brexit scenario: the UK does not leave the EU on the Exit Date (for example, the two year period under Article 50 is extended or a second referendum overturns the earlier vote);
Against that uncertainty, our immediate takeaways for businesses are as follows:
- Continue with GDPR projects through to completion, as an organisation which is compliant pre-Brexit is likely to be compliant post-Brexit (irrespective of the shape that Brexit takes).
- Update agreements to ensure that the data protection provisions allow for the transfer to, and the processing of personal data within, the UK as a matter of contract. (Typical data protection clauses will impose restrictions on the transfer of data outside the EEA, and we have seen examples of these which would even restrict sharing of personal data within the UK.)
- Continue to monitor the position concerning EEA-UK data transfers post-Brexit and consider updating agreements to include standard contractual clauses to legitimise data transfers (as a matter of regulatory law) until such time that the UK is granted adequacy (whether that is before or after the end of the transition period under the Proposed Deal).
- Businesses that currently benefit from the Lead Supervisory Authority regime under GDPR will need to carefully consider how the removal of the UK/ICO from this regime will impact them, and whether steps can be taken to mitigate that impact.
|Data protection FAQs: quick-reference table (click answer for more detail)|
|FAQ||Deal Scenario||No deal scenario||No Brexit Scenario|
|1 Will EU data protection law apply in the UK?||Yes||Yes, but subject to some important caveats from a data protection perspective||Yes|
|2 Will there be restrictions on the transfer of personal data from the EEA to the UK?||No||Yes||No|
|3 Will there be restrictions on the transfer of personal data from the UK to the EEA?||No||Unlikely||No|
|4 Is a UK adequacy decision from the Commission likely?||Yes||Yes, in principle, although the Commission has given no clarity around timings||Not required|
|5 Will the UK be within the scope of the co-operation and consistency mechanism under Chapter VII GDPR?||No||No||Yes|
|6 Will UK businesses be able to transfer personal data to non-EEA countries or territories?||Yes, subject to the existing restrictions||Yes, subject to the existing restrictions||Yes, subject to the existing restrictions|
|7 What else do businesses need to consider in relation to the relevant data protection frameworks?||N/A||See here||N/A|
|8 Where can you find further guidance?||See here||See here||N/A|
The deal scenario
During the transition / implementation period (which begins on the Exit Date and runs until 31 December 2020, with the option to extend), the UK commits to applying EU data protection law (i.e. the GDPR, e-privacy directive etc) where:
- personal data of data subjects outside of the UK is processed in the UK; and
- EU data protection law applied to the processing of such data before the end of the transition period.
(Article 71 (Draft Withdrawal Agreement))
This provision works to preserve the “status quo” data protection position at least until the end of the transition period, save that:
- any subsequently agreed adequacy decision will take precedence over this principle (see below); and
- the co-operation and consistency mechanism under the GDPR is not applied in the UK (see below).
The Withdrawal Agreement works to ensure that during the transition period, any reference to “Member States” in EU data protection law (including the GDPR) should be understood as including the UK. (Article 127(6) of the Withdrawal Agreement)
For this reason, organisations looking to export data from the EEA to the UK during the transition period are not caught by the data transfer restrictions in Chapter V (Art 44-50) of the GDPR. Those restrictions only apply to transfers of personal data to a third country (one who is not a Member State or is outside of the EEA) or an international organisation.
For the reasons above, UK-EEA data transfers are treated like transfers between any other Member State.
The EU also makes an express commitment to avoiding treating data and information obtained from the UK differently from data obtained from any other Member State on the sole ground that the UK has withdrawn from the EU. (Article 73 (Withdrawal Agreement))
The expectation is that an adequacy decision will be put in place to legitimise data transfers from the EEA to the UK (without the need for any other transfer safeguards) by the end of the transition period.
In particular, paragraph 8 of the Political Declaration sets out that:
- the Commission will begin its assessment of the UK data protection standards as soon as possible after the Exit Date;
- the Commission commits to “endeavouring” to adopt decisions by the end of 2020; and
- the UK will take steps – in the course of establishing “its own international transfer regime” – to ensure comparable facilitation of personal data flows from the UK to the EU within the same period.
Once an adequacy decision is granted, the UK domestic rules on personal data protection will apply and will supersede the provisions outlined above.
If the UK subsequently lost its adequacy status, the UK would apply data protection standards which are essentially equivalent to those in the EU.
The EU wishes to retain its decision making autonomy and so this section of the GDPR is carved out from the scope of EU data protection law which applies in the UK as from the Exit Date. (Article 70(a) (Withdrawal Agreement)).
This means that from the Exit Date the UK will technically not have continued participation on the European Data Protection Board or the “One-Stop Shop”/Lead Supervisory Authority regime.
This could lead to potential additional costs and bureaucracy for UK controllers, including multiple breach reporting requirements, for example.
That said, it remains to be seen exactly how this will work in practice given the clear mutual benefits for the ICO and other EU supervisory authorities of ensuring close co-operation and joined-up enforcement action. In addition:
- paragraph 10 of the Political Declaration outlines a firm commitment from the UK and the EU to make arrangements for “appropriate” cooperation between data protection regulators; and
- the Withdrawal Agreement does appear to grant the UK data protection commissioner, the ICO, the right to attend (by invitation only) meetings of expert groups or similar bodies (which could include the European Data Protection Board) in certain, limited circumstances. This could be, for example, where a discussion of that group relates to natural persons residing in the UK. This is likely to be in an informal, observer capacity, without the right to vote. (Article 128(5), Withdrawal Agreement).
As set out above, during the transition / implementation period, the UK commits to applying EU data protection law in the UK. That means that the mechanisms for transferring personal data from the UK to non-EEA countries or territories after the Exit Date are the same as those which are currently used (such as, standard contractual clauses or binding corporate rules).
This means that, at this stage, UK businesses would not need to take any specific additional steps in relation to transfers of personal data to non-EEA countries or territories as a result of Brexit. During the transition / implementation period, further steps may be required to address the position after that period.
- Explainer for the Withdrawal Agreement (published by the UK government)
- Explainer for the Political Declaration (published by the UK government)
- What is in the Withdrawal Agreement (published by the Commission)
No deal scenario
Yes, but subject to some important caveats from a data protection perspective.
Through the European Union (Withdrawal) Act 2018, EU data protection law (including the GDPR) existing as at Exit Date will be incorporated onto the UK statute book at 11:00 p.m. on that day, so while the EU GDPR will not strictly apply in the UK, the UK will have its own version (the “UK GDPR”).
The UK GDPR will need to be amended (prior to the Exit Date ) to ensure that it works effectively in a UK context; for example, by removing references to EU institutions and procedures that will not be directly relevant when the UK is outside the EU (replacing references to “Union or Member State law” with “domestic law”). A draft UK Statutory Instrument to effect this has been published, but not yet finalised.
UK Regulations which implement European Directives – such as the Privacy and Electronic Communications (EC Directive) Regulations 2003, and the Network and Information Systems Regulations 2018 – will continue to apply in the UK. Again, they will be subject to consequential amendments.
Despite this, from the EU’s perspective, all primary and secondary EU data protection law (including the GDPR) ceases to apply to the UK from that date.
Similarly, the UK will cease to be an EU Member State from the Exit Date due to the mechanics of Article 50 of the Lisbon Treaty. Instead, from the Exit Date the UK will be classified as a ‘third country’ for data protection purposes.
GDPR restrictions on the transfer of personal data from the EEA to the UK, as a ‘third country’, apply immediately following the Exit Date.
Aside from an adequacy decision (see further below), businesses have the following options to legitimise those transfers:
- Standard data protection clauses;
- Binding corporate rules;
- Approved Code of Conduct;
- Approved certification mechanisms; or
- Limited derogations which allow for transfers in specific cases (such as transfers based on consent).
(Chapter V GDPR, Articles 44 – 50)
These options were communicated by the Commission to EU-based controllers through the EC Preparedness Notice.
The UK government has confirmed that it will transitionally recognise all EEA states, EU and EEA institutions and Gibraltar as providing an adequate level of protection for personal data (although this would be kept under review).
This position is reinforced by the UK Data Protection Act 2018 (Sections 22 and Schedule 6), which are intended to ensure that the GDPR will work in a UK context after Brexit (but this area remains to be to be clarified).
This means that personal data should be able to continue to flow freely from the UK to the above destinations after the Exit Date, although the relevant UK legislative activities to give effect to this position may well lag after the Exit Date.
Yes, in principle, although the Commission has given no clarity around timings.
The UK government has confirmed in its no deal guidance that following the Exit Date the UK government would apply for an adequacy decision from the Commission.
The UK government wishes to begin preliminary discussions now, but the Commission’s public position is that the decision on adequacy cannot be taken in a no deal scenario until the UK is a ‘third country’.
Historically, adequacy decisions take months, if not years (the quickest decision took nine months). Until that point, businesses will need to find another solution to legitimise data transfers (as summarised above).
The UK falls outside the scope of Chapter VII GDPR, on the basis that:
- from an EU perspective, all primary and secondary EU law (including the GDPR) ceases to apply to the UK from the Exit Date: and
- the UK will no longer be considered as a Member State for the purposes of the GDPR (Article 51 of the GDPR only recognises supervisory authorities appointed by Member States).
(Article 51, GDPR)
That said, in its no deal guidance, the UK government set out its intention for the ICO to continue to push for close co-operation and joined-up enforcement action with EU supervisory authorities.
The mechanisms for transferring personal data from the UK to non-EEA countries or territories after the Exit Date are as set out in the GDPR, as these will be incorporated in UK GDPR as explained above. The UK government and/or the ICO have further confirmed that:
- where the EU has made an adequacy decision in respect of a country or territory outside of the EU prior to the Exit Date (such as in respect of New Zealand, Canada and Guernsey), it intends to preserve the effect of those decisions on a transitional basis;
- the only adequacy decision which needs to be treated slightly differently is the EU/US Privacy Shield (the “Privacy Shield”) – UK businesses will continue to be able to transfer personal data to US organisations participating in the Privacy Shield provided that those US organisations have updated their public commitment to comply with the Privacy Shield to expressly state that those commitments apply to transfers of personal data from the UK (this will need to be checked);
- the version of the standard contractual clauses issued by the European Commission (so-called ‘model clauses’) will continue to be an effective basis for transfers (until the ICO issues new versions after the Exit Date); and
- existing authorisations of Binding Corporate Rules made by the ICO will continue to be recognised in domestic law.
That means that – at this stage – UK businesses don’t need to take any specific additional steps in relation to transfers of personal data to non-EEA countries or territories as a result of Brexit (other than the checks in relation to US organisations relying on Privacy Shield as explained above).
In certain circumstances, UK businesses will need to comply with the EU’s data protection framework, and non-UK businesses (including those in the EU) will need to comply with the UK’s data protection framework.
Those circumstances are where:
- a UK business is processing personal data in the context of the activities of an establishment in the EU (or vice versa); or
- a UK business is processing personal data about individuals in the EU (or vice versa) in connection with offering them goods and services, or monitoring their behaviour (in which case, the business will also need to appoint a representative in the UK or the EU (as applicable) (unless one of the permitted exceptions applies).
- UK government no deal data protection guidance
- Amendments to UK data protection law in the event the UK leaves the EU without a deal on 29 March 2019
- ICO Blog: Data protection and Brexit – ICO advice for organisations
- ICO’s ‘Six Steps to Take’ guide
- ICO’s guidance on the effects of leaving the EU without a withdrawal agreement
- ICO’s Frequently Asked Questions
- European Commission preparedness notice on data protection (European Commission Preparedness Notice)
- European Commission’s Contingency Action Plan for no deal
No Brexit scenario
GDPR restrictions on data transfers do not apply as between Member States. (Chapter V GDPR, Articles 44 – 50)
Yes, subject to the existing GDPR restrictions on data transfers outside the EEA. (Chapter V GDPR, Articles 44 – 50).