Authors

Debbie Heywood

Senior professional support lawyer

Vinod Bange

Partner

Martin Cotterill

Partner

Angus Finnegan

Consulting partner

Graham Hann

Partner

Christopher Jeffery

Partner

Glyn Morgan

Partner

Siân Skelton

Partner

18 January 2019

Data protection and Brexit

The UK government prepares for a no deal Brexit and aims to ensure the preservation of a functioning UK data protection regime.

What's the issue?

As we know, the default position is that if there is no approved EU withdrawal deal by 29 March 2019, the UK will leave the EU on a 'no deal' basis. If a deal is agreed, we will go into a transition period during which it will effectively be business as usual. The DPA18 has already made provision for a UK version of the GDPR to replace the GDPR, but there have been question marks as to how data transfers out of the UK would work.

What's the development?

In December 2018, the government published a second technical notice and ICO guidance on data protection and a no deal Brexit. These were followed by draft Regulations designed to implement the principles set out in the technical notice. The draft Data Protection, Privacy and Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019 will come into force on exit day, although if there is a transition period, application of all except the part relating to PECR will be delayed.

Essentially:

  • The Regulations consolidate and amend the EU GDPR and UK DPA18 to create a new UK GDPR.
  • The responsibilities of data controllers in the UK will not change. GDPR standards will continue to apply.
  • The ICO will no longer sit on the EDPB and will not participate in the GDPR consistency mechanism.
  • The UK will transitionally recognise all EEA States, EU and EEA institutions and Gibraltar as providing an adequate level of protection for personal data, allowing personal data to flow freely to them from the UK.
  • The UK cannot provide for free flow of personal data into the UK. Those relying on such transfers will need to make suitable provision, such as entering into standard contractual clauses (SCCs).
  • The effect of existing EU Adequacy Decisions (including the EU-US Privacy Shield) will be preserved on a transitional basis.
  • SCCs previously issued by the Commission will continue to be an effective basis for international data transfers from the UK in a no deal scenario, so organisations which transfer personal data to organisations overseas on the basis of SCCs can continue to rely on them. The ICO will have the power to issue new SCCs after exit day.
  • Existing authorisations of Binding Corporate Rules (BCRs) made by the ICO will continue to be recognised in domestic law. The ICO will have the power to authorise new BCRs after exit day.
  • The extraterritoriality of the UK's data protection framework will continue to apply. This means controllers or processors based outside the UK that process personal data about individuals in the UK in connection with offering them goods and services or monitoring their behaviour will be caught. This includes controllers and processors based in the EU.
  • The GDPR's Article 27 requirements around appointing a representative are replicated. This means controllers and processors not established in the UK (including those in the EU) will be required to appoint a representative unless they are a public authority; or their processing is only occasional, low risk and does not involve special category or criminal data on a large scale.
  • PECR will be amended to include the GDPR definition of consent (this will happen regardless of whether or not there is a deal).

The UK's ICO has also published guidance for businesses and SMEs on preparing for a no deal Brexit. This includes a 'six step' plan, broader guidance, FAQs, and an interactive tool to help assess whether SCCs are an appropriate data transfer solution. Further guidance will be provided to organisations currently relying on BCRs.

What does this mean for you?

The UK government has done what it can to smooth the data protection path in the event of a no deal Brexit. Obviously, it cannot exert control over the fact that the UK will become a third country for EEA purposes after Brexit, in the absence of an adequacy agreement (which we know the EU will not consider until after Brexit).

This helps UK businesses which export data, but not those importing data from the EEA, nor EEA businesses exporting personal data to the UK. These businesses will need to find a suitable data export mechanism (most likely Standard Contractual Clauses) and consider whether they will be required to appoint a representative. Cross-border businesses will also need to review the location of their Lead SA and their DPO if they have one.

We will be publishing detailed information and checklists about data protection and Brexit on our Global Data Hub in early February. If you would like to be added to the mailing list for this, please sign up here.
