This article summarises the likely impact of Brexit, in whatever form it might take, on UK-based businesses involved in cross-border transfers of personal data on EU citizens or residents.
The current position
The General Data Protection Regulation (GDPR) is an EU Regulation which came into force on 25th May 2018. For as long as the UK remains an EU member state it governs the UK’s data protection regime and its provisions have been incorporated into the UK’s Data Protection Act 2018.
An article highlighting the main provisions of GDPR is available at http://tc-consultancy.co.uk/frequently-asked-questions-about-gdpr/.
Will Brexit stop GDPR applying in the UK?
No, for two reasons.
First, GDPR seeks to have ‘global reach’: it applies not only to organisations located within the EU but also to organisations located outside the EU if they hold the personal data of data subjects residing in the EU, or offer goods or services to, or monitor the behaviour of, EU data subjects. Post-Brexit, or at the end of any transition period, the UK will be outside the EU and so regarded as a ‘third country’ but still subject to GDPR.
Second, the provisions of GDPR have been incorporated into the UK’s Data Protection Act 2018 and so now form part of the UK’s own legislation.
How does the timing and nature of Brexit affect data protection?
The UK is currently (September 2018) intending to leave the EU on 29 March 2019, but there are two scenarios that dictate when the likely impact of Brexit on data protection in the UK would begin. Essentially, it depends on whether the UK has a ‘soft’ or ‘hard’ Brexit.
A soft Brexit would involve the UK concluding a Withdrawal Agreement with the EU. The terms of the draft Agreement are not finalised but, as currently proposed, it would mean that when the UK leaves the EU on 29 March 2019 there would be a transition period during which EU law would, in most instances and including data protection, continue to apply to the UK until a later date, which the EU has indicated should be no later than 31 December 2020. So, in that scenario the UK’s data protection relationship with the EU would remain unchanged, and the free flow of data with the EU would continue, until 31 December 2020, at which point the UK would become regarded as a ‘third country’ outside the EU for data protection purposes.
A hard Brexit would involve the UK leaving the EU on 29 March 2019 without any provision for a transition period, so that would then be the date from which it would be regarded as a ‘third country’ outside the EU for data protection purposes.
The UK’s data protection position after Brexit
When the UK withdraws from the EU it will become regarded as a ‘third country’ by the EU and so lose the automatic right to the free flow of personal data within the EU, but it will remain subject to GDPR. UK organisations transferring personal data on EU individuals from the UK to other third countries (i.e. non-EU countries) will be bound by the EU’s framework on data protection, the specific provisions of which are outlined below.
Transfer of personal data from the UK to the EU after Brexit
The UK government has indicated to the EU that, in recognition of the high degree of alignment between the UK’s and EU’s data protection regimes, a likely impact of Brexit will be that at the point of exit from the EU the UK would continue to allow the free flow of personal data from the UK to the EU, although this will be kept under review as the Brexit negotiations continue.
Transfer of personal data from the EU to the UK after Brexit
Once the UK has exited the EU’s data protection regime and become a third country, the automatic free flow of data will cease and the transfer of personal data from the EU to the UK might be regulated in one of two ways.
First, the EU may issue an adequacy decision in favour of the UK. This would recognise that the UK offers an adequate level of data protection, meaning that the transfer of personal data to the UK could take place without any specific authorisation. However, the EU is currently indicating that it will not issue a decision on the UK’s adequacy until the UK has become a third country, and the EU has also flagged up concerns over the UK’s data protection regime, so it cannot be assumed that it will issue an adequacy decision.
Second, if the EU does not issue an adequacy decision in favour of the UK then other safeguarding provisions will apply to the transfer of personal data to the UK, namely:
- Binding corporate rules. BCRs are suited to multinational companies transferring data internally, as they operate like a code of conduct to ensure that data transfers within a corporate group are safe. BCRs must contain privacy principles, tools of effectiveness such as audits and training, and a method of proving that the rules are binding. The UK’s Information Commissioner’s Office (ICO) must approve an organisation’s BCRs.
- Contractual Clauses. The EU has issued three sets of Standard Contractual Clauses containing standard data protection clauses for the transfer of personal data. They will typically be included in a contract for cross-border data transfers between a data controller and a data processor. It is also possible to rely upon non-standard contractual clauses which have been authorised for use by the ICO.
- Approved codes of conduct. Codes of conduct must be approved by, and will be monitored by, the ICO, and where the data transfers are cross-border the code of conduct must also be approved by the European Data Protection Board. The code must be accompanied by binding and enforceable commitments so that, if it is breached, action can be brought against the third party data controller or processor.
- Certificated mechanisms. This is a means of demonstrating that appropriate safeguards relating to the adequacy of data transfers have been established. As with the codes of conduct, the ‘third party’ data controller or processor must make a binding and enforceable commitment and the certificate will be issued by the ICO.
Which of those four safeguarding provisions might be appropriate for particular cross-border data transfers will depend upon all the circumstances surrounding the data transfer and the organisations involved.
Additionally, there are certain exceptions (technically called derogations) which mean that transfers of data to third countries are allowed where none of the safeguards above is in place, including:
- where the data subject has provided their specific consent
- where the transfer is necessary for the performance of a contract
- in order to exercise a legal claim
- for public interest reasons.
Transfer of personal data from the UK to third countries after Brexit
Another likely impact of Brexit is that the transfer of personal data from the UK to other third countries might be regulated in one of the following ways.
First, an adequacy decision by the EU in favour of the country receiving the personal data. Currently, only Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay have been approved in full. Canada has been approved for certain types of personal data. UK data controllers may transfer personal data to such countries, in the same way as if the transfer were being made within the UK or within the European Economic Area.
Second, by the use of one of the four safeguarding provisions referred to in the previous section.
Third, perhaps one of the four exceptions referred to in the previous section might apply.
Transfer of personal data from the UK to the US after Brexit
The legal framework governing the transfer of personal data from the UK to the United States of America involves some different provisions, which raise some particular issues.
The primary difference is the Privacy Shield, which is an EU-US arrangement that provides participating US organisations with the right to receive and process personal data on EU individuals in the US. US organisations join the Privacy Shield by making a self-certified but legally binding commitment that they will comply with the stipulated data protection requirements. The UK will benefit from the Privacy Shield after Brexit, so UK organisations can freely transfer personal data to a US entity listed on the Privacy Shield. However, the Privacy Shield is subject to annual review by the EU to ensure ongoing compliance with EU data protection principles, and in July 2018 the European Parliament resolved that the Privacy Shield be suspended for providing an inadequate level of protection due to concerns about the US’s intrusive mass surveillance laws.
The EU and US are now negotiating to resolve the issue, but it is not certain that the Privacy Shield will continue in its current form, so any UK organisations relying upon it should keep the situation under review.
Personal data on EU individuals can also be transferred from the UK to the US using one of the mechanisms referred to above (Binding Corporate Rules, Standard Contractual Clauses, Approved Codes of Conduct and Certified Mechanisms), and the exceptions may also apply in certain cases. However, the use of Standard Contractual Clauses with US organisations is currently being challenged in the European Court of Justice (a decision is expected in 2019) and it is possible that their use may be prohibited; that would impact on their use by UK companies exporting personal data to the US.
As the deadline for concluding a Brexit Withdrawal Agreement moves ever closer, businesses involved in the cross-border transfer of personal data on EU citizens to or from the UK should urgently consider whether they are adequately prepared for the impact of Brexit on their operations and, given the apparent stalemate in the Brexit negotiations, it would seem prudent to assume that the new regime will apply from 29 March 2019.
UK organisations transferring personal data on EU individuals to the US should be aware of the possible future removal of the Privacy Shield and Standard Contractual Clauses from the approved framework.
This article is for general guidance only and specific advice should always be taken before acting on any of the matters discussed.
For more information, or to talk to me about GDPR and Brexit or data protection generally, please contact me at:
t: +44 1491 411579