No-deal Brexit – what’s the data protection impact?
What steps should organisations take to prepare?
This guide aims to cover the key areas organisations should consider, and provide links to resources should you require more detailed information.
In the event of a no deal Brexit, the UK will no longer fall under the EU GDPR. The Data Protection Act 2018 will remain in place and the Government says it intends to bring the GDPR into UK law on exit, to sit alongside it.
Most GDPR requirements will remain the same, but it will require some adjustments to the UK version of GDPR for it to work in a UK-only context.
The ICO says, ‘This means the first and most important step is to ensure you comply with GDPR principles, rights and obligations. Our current guidance remains relevant and can help you comply, and we will continue to update it regularly. If you have a data protection officer (DPO), they may continue in this role. They can combine their future UK responsibilities with any ongoing EU responsibilities, as long as they have expert knowledge of both UK data protection law and the EU regime, and are “easily accessible” from both locations’.
The UK will be a ‘Third Country’
If the UK leaves without a deal, with no provisions for data protection, it will automatically become what is termed a ‘third country’. For instance, Australia, Brazil, and China are treated as ‘third countries’.
Currently personal data can flow unrestricted between countries within the European Economic Area (EEA). For example, if you’re a processor based in the UK, and handle personal data on behalf of a company based in the EU, this data can be transferred without any ‘appropriate safeguards’ in place. But once the UK is outside the EEA, you’ll be operating in a ‘third country’ and transfers will be subjected to restrictions. Such transfers from the EEA are termed a ‘restricted transfer’.
What needs to be in place to ensure a compliant ‘restricted transfer’ outside the EEA?
An Adequacy Decision
What is Adequacy? The European Commission can assess non-EEA countries’ level of personal data protection to see if it’s essentially of an equivalent level to that of the EU. If a country passes the rigorous testing, the Commission can make an Adequacy decision.
For countries granted Adequacy personal data can flow unrestricted. Such countries are not bound by the ‘appropriate safeguards’ requirement for international data transfers outside of the EEA as set out in Article 46.
The European Commission has so far recognised the following countries as providing adequate protection: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and most recently Japan.
The UK Government has confirmed it will seek Adequacy. However, the EU has said the decision process cannot commence until exit day. This is not a quick process, and there’s no guarantee the UK will be granted adequacy at the end of it.
So, with no Adequacy on exit day, transfers of personal data from the EEA to the UK will be subject to restrictions; they’ll be ‘restricted transfers’.
Standard Contractual Clauses (SCCs)
A data transfer can be made, if there’s a contract between an EEA organisation and a non-EEA organisation which includes standard data protection clauses. These clauses contain contractual obligations on both parties, and cover the rights of individuals whose personal data is being transferred.
These EC-approved data protection clauses, known as SCCs or model clauses, need to be embedded within contracts (without any changes), or added as an appendix to an existing contract, which may need to be reviewed on this point to avoid ambiguity.
Many UK organisations will be familiar with using SCCs if they currently transfer personal data to organisations in ‘third countries’. It’s a question of taking that step to realise that the UK, upon exit from the EU, would similarly be a third country.
There are four sets of SCCs, which cover controller to controller or controller to processor relationships, and organisations should choose the set which best suits their business arrangements. More information can be found in in the “appropriate safeguards” section of the ICO’s Brexit guidance on international transfers
The ICO has confirmed that the Commission plans to update the existing contractual clauses for GDPR. Furthermore, existing contracts incorporating SCCs can continue to be used for restricted transfers, even when new GDPR standard clauses have been adopted.
The Government is advising that for the majority of organisations SCCs will be the most relevant legal basis for EEA to UK transfers. See the ICO’s guidance on SCCs
EU-US Privacy Shield
In some instances, companies use the Privacy Shield as an alternative to SCCs. In those instances personal data can be transferred to US companies which are certified under the Privacy Shield. This places requirements on these US companies to protect personal data and provides mechanisms for individuals to seek redress.
Once the UK leaves the EU it will be outside this specific EU-US arrangement. If there’s no-deal Privacy Shield participants will have to take specific steps. This includes updating their public commitment to comply with the Privacy Shield to include personal data received from the UK. More information on this can be found in the US Department of Commerce Privacy Shield & UK FAQs
Binding Corporate Rules (BCRs)
BCRs are an internal code of conduct which operate within multinational groups and apply to the restricted transfers of personal data from the group’s EEA entities to those outside the EEA. BCRs must be approved by an EEA supervisory authority in a country where one of the companies is based. See ICO’s guidance on BCRs
Article 49 of the GDPR provides some limited exceptions, such as relying on the explicit informed consent of the individual, the transfer is necessary for the performance of a contract, is in the public interest or is necessary for the establishment, exercise or defence of legal claims. See ICO’s guidance on Exceptions
Personal Data Transfers from the UK
If you’re a UK organisation transferring personal data outside the UK, consider the following three scenarios.
- Are you transferring data to an EEA Country? The UK Government has confirmed that data transfers from the UK to the EEA will be permitted. Transfers to Gibraltar will also be able to continue with no additional actions required. This will be kept under review.
- Are you transferring data to a non-EEA country with Adequacy? The UK government will recognise EC adequacy decisions made prior to the UK leaving the EU. This will allow transfers to continue with no additional action required.
- Are you transferring to Non-EEA non ‘adequate’ countries? In this scenario you should already have in place ‘appropriate safeguards’ for this restricted transfer of personal data, such as SCCs.
The UK government says it intends to recognise EC-approved SCCs as providing an appropriate safeguard for restricted transfers from the UK.
Nominating an EU Representative
Upon exit, UK organisations may fall under the GDPR Article 27 requirement to appoint a suitable representative in the EU.
You will need to do this if your organisation is:
- based in the UK, and has no branches or establishments in any other EU or EEA state
- You offer goods and services to individuals in the EU, or monitor the behaviour of individual in the EU
The ICO says, ‘This person will act as your local representative with individuals and data protection authorities in the EEA. This is separate from your DPO obligations, and your representative cannot be your DPO or one of your processors. You do not need to appoint a representative if you are a public authority, or if your processing is only occasional, low-risk, and does not involve special category or criminal offence data on a large scale’.
The EDPB (European Data Protection Board) has published guidelines, for public consultation on the Territorial Scope of GDPR, but these do not specifically identify what might be classed as ‘occasional’.
An EU representative can be any natural or legal person who is based in an EU member state. For example, if you are a UK organisation which processes personal data relating solely to Italian citizens, your representative should be based in Italy. However, if you process personal data of citizens from a number of different EU countries, you can select an appropriate country for your EU representative to be based in. A number of legal and other firms have set themselves up to offer EU representative services.
It is worth noting the UK Government has indicated that it intends to replicate the Article 27, which would mean controllers outside the UK would need to appoint a representative in the UK.
No One Stop Shop
The One Stop Shop means organisations who are conducting cross-border processing within the EU, can generally deal with one single European supervisory authority, who would take action if required on behalf of other supervisory authorities. In the event an organisation breaching GDPR, this means in theory it would only be investigated by one supervisory authority and only receive one fine across the EEA.
If the UK is currently your lead supervisory authority, and you operate in Europe, the advice is to review the structure of your European operations. It may be, that if appropriate, you will opt to change your lead supervisory authority to another EU country.
However, if your operations are UK-based and you can’t ‘switch’ to another lead authority, the ICO says, ‘After the UK exits from the EU, if you no longer have a lead authority and cannot benefit from One-Stop-Shop, this could significantly affect your business and the resources you need to deal with enquiries from various European data protection authorities.’
The EDPB has published guidelines for identifying your lead supervisory authority.
Also see the ICO’s Guidance on One Stop Shop
Documentation & Policies
Organisations are advised to review their privacy information and documentation. It may be necessary to identify details that will need updating when the UK leaves the EU. For example,
- any references to EU law or other EU terminology will need to be updated to reflect UK terms
- what you say about international transfers may require amending
- Data Protection Impact Assessments may need to be reviewed if they involve data transfers between the UK and EEA
We’ll have to wait and see what the next few weeks of political turmoil bring, but the clear advice is to be prepared.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.