Implications of Brexit for data protection and privacy
Published on 13th Aug 2018
Is any new EU legislation expected to come into force and effect before the end of the transition period?
The E-Privacy Regulation, which is currently in draft form, is expected to be in final form and published in the Official Journal by the end of 2018 or the first half of 2019. The current draft has a one-year implementation period, meaning that it would apply in the UK provided it is passed before the end of 2019.
Is a new regulator needed, or do additional powers need to be given to an existing regulator?
No. The ICO will continue to be the UK data protection supervisory authority post-Brexit. However, the relationship between the ICO and other EU supervisory authorities and the EDPB is currently unclear. We expect more clarity as all parties get to grips with the GDPR and their new roles.
Is there an existing "equivalence" or "recognition" regime for recognising Third Country regulatory regimes?
The EU data protection regime includes a mechanism by which the European Commission can recognise a third country's regulatory regime as being "adequate", which allows personal data to be transferred from the EU to that country.
The UK is seeking a bespoke arrangement on data transfers. However, the current position, per the statement issued by Michel Barnier (discussed above), is that the UK must apply for an adequacy decision post-Brexit. If/until adequacy is granted (or a bespoke agreement is concluded), standard contractual clauses will be needed to legitimise any transfers of personal data outside of and into the UK.
Does current UK government policy mean that (subject to the terms of a future trade agreement between the UK and the EU) material changes to regulation or enforcement are likely post-Brexit?
This is unlikely, given that the UK is looking for an arrangement (or, failing that, an adequacy decision) that recognises the UK's regulatory regime as affording broadly similar protection for personal data. However, this could potentially change depending on the outcome of the UK's adequacy application post-Brexit.
What should businesses be doing now to prepare for Brexit?
- Continue with GDPR projects through to completion, as an organisation which is compliant pre-Brexit is likely to be compliant post-Brexit.
- Update agreements to ensure that the data protection provisions allow for the transfer and processing of personal data to the UK as a matter of contract (typical data protection clauses will impose restrictions on the transfer of data outside the EEA).
- Continue to monitor the position concerning EU-UK data transfers post-Brexit and consider updating agreements to include standard contractual clauses to legitimise data transfers (as a matter of regulatory law) until such time as the UK is granted adequacy.