Data protection and Brexit

The UK government prepares for a no deal Brexit and aims to ensure the preservation of a functioning UK data protection regime.

What's the issue?

As we know, the default position is that if there is no approved EU withdrawal deal by 29 March 2019, the UK will leave the EU on a 'no deal' basis. If a deal is agreed, we will go into a transition period during which it will effectively be business as usual. The DPA18 has already made provision for a UK version of the GDPR to replace the GDPR but there have been question marks as to how data transfers out of the UK would work.

What's the development?

In December 2018, the government published a second technical notice and ICO guidance on data protection and a no deal Brexit. These were followed by draft Regulations designed to implement the principles set out in the technical notice. The draft Data Protection, Privacy and Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019 will come into force on exit day although if there is a transition period, application of all except the part relating to PECR will be delayed.

Essentially:

• The Regulations consolidate and amend the EU GDPR and UK DPA18 to create a new UK GDPR.
• The responsibilities of data controllers in the UK will not change. GDPR standards will continue to apply.
• The ICO will no longer sit on the EDPB and will not participate in the GDPR consistency mechanism.
• The UK will transitionally recognise all EEA States, EU and EEA institutions and Gibraltar as providing an adequate level of protection for personal data, allowing personal data to flow freely to them from the UK.
• The UK cannot provide for free flow of personal data into the UK. Those relying on such transfers will need to make suitable provision, such as entering into standard contractual clauses (SCCs).
• The effect of existing EU Adequacy Decisions on a transitional basis (including the EU-US Privacy Shield) will be preserved.
• SCCs previously issued by the Commission will continue to be an effective basis for international data transfers from the UK in a no deal scenario, so organisations which transfer personal data to organisations overseas on the basis of SCCs can continue to rely on them. The ICO will have the power to issue new SCCs after exit day.
• Existing authorisations of Binding Corporate Rules (BCRs) made by the ICO will continue to be recognised in domestic law. The ICO will have the power to authorise new BCRs after exit day.
• The extraterritoriality of the UK's data protection framework will continue to apply. This means controllers or processors based outside the UK processing personal data about individuals in the UK in connection with offering them goods and services or monitoring their behaviour, will be caught. This includes controllers and processors based in the EU.
• The GDPR's Article 27 requirements around appointing a representative are replicated. This means controllers and processors not established in the UK (including those in the EU) will be required to appoint a representative unless they are a public authority; or their processing is only occasional, low risk and does not involve special category or criminal data on a large scale.
• PECR will be amended to include the GDPR definition of consent (this will happen regardless of whether or not there is a deal).

The UK's ICO has also published guidance for businesses and SMEs on preparing for a no deal Brexit. This includes a 'six step' plan, broader guidance, FAQs, and an interactive tool to help assess whether SCCs are an appropriate data transfer solution. Further guidance will be provided to organisations currently relying on BCRs.

What does this mean for you?

The UK government has done what it can to smooth the data protection path in the event of a no deal Brexit. Obviously it cannot exert control over the fact that the UK will become a third country for EEA purposes after Brexit and in the absence of an adequacy agreement (which we know the EU will not consider until after Brexit).

This helps UK businesses which export data but not those importing data from the EEA nor EEA businesses exporting personal data to the UK. These business will need to find a suitable data export mechanism (most likely Standard Contractual Clauses) and consider whether they will be required to appoint a representative. Cross-border businesses will also need to review the location of their Lead SA and their DPO if they have one.

We will be publishing detailed information and checklists about data protection and Brexit on our Global Data Hub in early February. If you would like to be added to the mailing list for this, please sign up here.