The impact of Brexit
Data protection is unlikely to be foremost in people’s minds when considering the impact of Brexit, whether it be soft or hard, deal or no deal. The UK Government has, however, recently issued papers on various topics in a ‘no deal’ situation, and one of these is entitled ‘Data protection if there’s no Brexit deal’.
In the event of a ‘no-deal’ Brexit, with no agreed arrangements covering data protection, the Government is advising organisations to prepare appropriate contracts to ensure any transfer of European Union citizens’ personal data to the UK is compliant with privacy laws.
The UK faces the prospect of being regarded as a third country when it exits the EU. As a result, the transfer of personal data from organisations within the EU to organisations in the UK will be subject to the strict data transfer rules set out in Chapter V of the EU General Data Protection Regulation (GDPR). EU organisations will have to ensure their transfers to the UK are lawful, and that is not going to be as simple as it is now.
You may have heard talk about ‘adequacy’ and speculation as to whether the UK will be given ‘adequacy status’. Let’s explain.
What is adequacy?
It’s all about demonstrating to the EU that the UK is a safe place for data processing, so that restrictions on data transfers are not imposed. The European Commission can assess a non-EU country’s level of personal data protection to see whether it is essentially equivalent to that of the EU. If a country ‘passes’ this rigorous assessment, the Commission can make an adequacy decision, and personal data can then flow to that country without further safeguards.
The European Commission has so far recognised the following countries as providing adequate protection: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. We should also mention the EU-US Privacy Shield, which is a recognised mechanism for data transfers from the EU to the US. It is limited to organisations in the US that self-certify to the Privacy Shield framework.
Most recently in July this year, the EU and Japan agreed to recognise each other’s data protection systems as ‘equivalent’.
Will the UK automatically be awarded adequacy status?
Unless a Brexit deal is reached between the UK and the EU which covers data protection and data transfer arrangements, the answer is no. The Commission would need to go through an assessment process before adequacy could be granted. Despite pleas from the UK Government for this process to start, the Commission’s current position is that it will not commence the process until the UK has left the EU and become a third country. Article 45 of GDPR sets out what the Commission must take into account when considering whether to grant adequacy, including the rule of law, respect for fundamental rights, relevant legislation (including on public security and national security), and the existence of an independent supervisory authority.
Is the UK likely to be awarded adequacy status?
If the UK leaves the EU in March 2019 with no agreement on data protection and data transfers, the UK Government has stressed, “there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it”.
It is widely hoped this will go a long way towards persuading the Commission to grant adequacy. However, there are concerns that the Commission will take a more detailed look at the UK’s crime and national security legislation during its assessment, and in particular the controversial Investigatory Powers Act 2016. The UK’s bulk surveillance regime has been criticised in rulings of the European Court of Human Rights and the Court of Justice of the EU for giving too much power to security and intelligence services, which could violate individual privacy.
Emma Butler, Data Protection Officer at Yoti Ltd. says, “Japan will be the first adequacy decision made under GDPR so the UK Government can learn a lot from the process, the EDPB (European Data Protection Board) opinion that has been requested, and the final adequacy decision (once published). Japan has a different data protection regime and has had to agree to add to their national law to get adequacy. Therefore, given the UK implemented Directive 95/46 and has implemented GDPR, a decision that the UK is not adequate would seem unlikely. However, as a third country the UK will be subject to greater scrutiny, and Brexit is unprecedented, so nothing is certain”.
The Commission’s process for reaching an adequacy decision typically lasts many months (even years), and there is no guarantee it will be granted.
So, what do organisations need to do?
Let’s be clear: if no agreement is reached the UK will become a third country to the EU and will not have adequacy, at least not immediately after Brexit. So new restrictions on EU-to-UK data transfers will apply, at least in theory.
UK to EU transfers
The transfer of personal data from the UK to EU member states will, according to the Government, remain unaffected. The Government has stated, “In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.”
EU to UK transfers
UK organisations which receive any transfers of personal data from EU member states need to prepare for the possibility of no deal. At least initially, the UK will not be deemed an adequate country, and the organisations sending personal data to the UK will bear the burden of complying with Articles 46 to 49 of GDPR (appropriate safeguards, Binding Corporate Rules and the limited derogations for specific situations).
Organisations are being advised now to work with their EU partners to ensure compliant transfer of personal data between the UK and EU can be achieved.
The Government is advising that for the majority of organisations the most relevant legal basis for such transfers would be Standard Contractual Clauses (SCCs). These Commission-approved data protection clauses, often known as model clauses, must be adopted without any changes to their wording: either embedded within a contract or added as an appendix to an existing contract, which may need to be reviewed on this point to avoid ambiguity. They set out the contractual obligations of both parties (the EU data exporter and the UK data importer) to protect the rights of the individuals whose data is being transferred. So, for most organisations, model clauses are the way to go.
Robert Bond, Partner at Bristows LLP and Chair of the DPN, adds the further point, “UK entities that are part of multinationals will be equally affected as pure UK-only organisations, where personal data is transferred into the UK from the EU. However, multinationals that already have approved Binding Corporate Rules (BCRs) may not be affected, as a BCR is more focused on the group approach to management of personal data including data transfers. Some multinationals have also set up a framework agreement incorporating EU Standard Contractual Clauses, and here such an Agreement may well survive Brexit as the UK company described as a data exporter simply switches to a data importer. This, however, would not be the case where the UK entity was signed as an exporter on individual standard contractual clause-based contracts.”
Organisations based outside the EU which offer goods and services to individuals in the EU, or monitor the behaviour of individuals in the EU, fall within the scope of GDPR under Article 3(2), and Article 27 then requires such organisations to designate a representative in one of the EU member states in which those individuals are located (subject to the limited exemptions in Article 27(2) for occasional, low-risk processing and for public authorities). So, after Brexit, when the UK is outside the EU, this requirement will apply to many UK organisations which have never needed a representative before.
Also worth considering is whether your organisation currently relies on the EU-US Privacy Shield for transfers to the US. If so, this will need revisiting: Privacy Shield covers transfers from the EU to certified US organisations, and upon Brexit the UK will no longer be part of that arrangement.
In this period of uncertainty, it would appear prudent to start preparing for what may come: abide by existing legislation, but anticipate possible changes to, and scrutiny of, business processes that depend on data sharing with the EU. One would need a crystal ball to predict the outcome of any Brexit deal (at the time of writing only six months away), but it is entirely possible that a period of ambiguity will result while the political manoeuvrings are completed.
As ever, businesses which act in good faith, recording and justifying any changes to business processes and decisions, will be less vulnerable than those which do not. Keep Calm and Data On!
Simon Blanchard, September 2018
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.