Currently there is a great deal of speculation, along with a lot of political posturing and manoeuvring, regarding BREXIT and what it will eventually look like. The truth of the matter is that, as we write, no one is quite sure. What does seem certain, though, is that there is a lot of uncertainty, that we should all be preparing for a no deal BREXIT as a possible outcome, and that companies should be taking note of the Government’s “No Deal Guidance”.
What implications does “No Deal” have for UK Data Protection?
The GDPR was automatically incorporated into UK Law earlier this year via the European Communities Act 1972 and on 29 March 2019, when BREXIT occurs, it will, via the European Union (Withdrawal) Act 2018, be transposed into domestic UK legislation. At that point, if there is no Withdrawal Agreement (WA) in place, whilst the UK will be free to amend the GDPR regulations as it sees fit, it will become a “third country” as far as EU Data Protection Law is concerned.
“Third country” status has significant implications for data flows into the UK from the EU, as a transfer may only take place from the EU country if specified conditions are met. For example, consider a UK company whose website is hosted in Germany. Following a no deal BREXIT, local German law would restrict the company from accessing its own personal data submitted via its website, as that would be deemed a transfer of data to the UK, a “third country”.
The UK would then need to be formally recognised as adequate (Article 45(1), GDPR) and be added to the so-called “white-list” of countries which benefit from the transfer of personal data on the same terms as if the recipient were located in the EU.
What might a “Deal” look like as far as Data Protection is concerned?
If we do arrive at an agreement with the EU then, based on the draft Agreement document published in March 2018, the final WA is likely to contain a transition period during which EU law will continue to apply to the UK – 31 December 2020 was the transition end date in the draft Agreement. This means that data protection will operate as it does now at least until the end of the transition period.
If the WA contains an agreement on data protection then it is likely that it will ensure the free flow of personal data into the UK from the EU and vice versa. The Prime Minister, in her Mansion House speech, stated that a deal on data protection was one of the foundations that must underpin a trading relationship between the UK and EU and it is likely therefore that the UK would be looking for more than an adequacy arrangement with the EU.
What if the UK leaves the EU with no deal or no adequacy decision?
The “No Deal Guidance” issued by the Government is intended to be a worst-case scenario. However, if the UK leaves the EU with no deal or no adequacy decision in place, the guidance identifies that the following is likely:
For data transfers from the UK to the EU: as the GDPR will be domestic UK law and there will be significant alignment between the two regimes, the UK would, following BREXIT, allow the free flow of data from the UK to the EU, whilst keeping this under review.
For data transfers from the EU to the UK: because the UK will be a “third country”, adequate safeguards (as set out in Article 46, GDPR) such as the EU’s model contract clauses or binding corporate rules (BCRs) will need to be provided for the transfer to go ahead.
The No Deal Guidance states that the ICO will produce detailed guidance outlining the steps that organisations will need to take at the point that the way forward is certain.
Is there anything that can be done now to prepare?
When preparing to implement the new GDPR regulations in May this year, most companies will have conducted an exercise that allowed them to identify international transfers of data, and some will have already applied to the ICO, as the lead authority, for BCRs. The ICO has confirmed that these will not be cancelled. The results of this exercise may well be needed again!
It is possible that companies with both UK and EU operations may need to make data notifications, particularly in the case of personal data breaches, to more than one supervisory authority (Article 33, GDPR), but at present there does seem to be a lack of legal certainty in this area.
Data protection aside, companies who are entering into any contract now which will continue after BREXIT occurs, or which might be affected by BREXIT-related developments before then, should consider expressly providing for situations in which their ability to perform or their costs of performing the contract are affected by BREXIT.