Whereas some impacts of a no deal Brexit have been well documented in the press, such as the potential shortage of medical supplies, issues around data protection have received less attention. Notwithstanding this, the consequences of a no deal Brexit could impose significant regulatory hurdles for many UK businesses and it would be advisable for businesses to prepare accordingly prior to Brexit taking place.
In this article, we discuss the data protection challenges posed by a no deal Brexit and detail some of the solutions which businesses should consider implementing in order to overcome these challenges.
Following a no deal Brexit, UK laws concerning data protection, including the Data Protection Act 2018, would continue to apply and the GDPR would become incorporated into UK law – this is referred to as the UK GDPR. As such, UK organisations will essentially be required to comply with the same obligations which they should have been adhering to since the introduction of the GDPR in May 2018.
One of the key causes for concern in the event of a no deal Brexit is the impact this will have on data transfers between the UK and the European Economic Area (“EEA”). As things currently stand, data can be transferred freely between organisations in the UK and those elsewhere in the EEA. However, in the event of a no deal Brexit, such transfers would become subject to restrictions, at least insofar as these relate to transfers from the EEA to the UK.
In respect of data transfers from the UK to the EEA, the British government has said that these will not be restricted, meaning that no additional steps would need be taken to continue to transfer data from the UK to other entities in the EEA.
In terms of transfers of data from the EEA to the UK, the rules as to data transfers as set out in the GDPR would apply following a no deal Brexit. Once Britain leaves the EU, it will technically become a third country for the purposes of the GDPR and therefore organisations based in the EEA which are seeking to transfer data to entities in the UK would need to have in place a lawful mechanism for doing so.
The most seamless way to transfer to a recipient in a third country under the GDPR is where an “adequacy decision” has been made by the EU Commission in respect of that country. Where this is the case, personal data can be transferred freely to such countries without relying upon other legal mechanisms. It had been hoped by the UK government that an adequacy decision in relation to the UK would be in place immediately following Brexit. However, the EU Commission has insisted that it will not start the (often lengthy) adequacy decision process in respect of the UK until such time as it has formally left the EU.
The effect of this is that transfers from the EEA to the UK will need to be based on other lawful mechanisms set out in the GDPR from the date a no deal Brexit takes place. In the vast majority of cases, the most appropriate lawful mechanism for such transfers will be for the parties to enter into EU approved “standard contractual clauses” (“SCCs”). There are currently two sets of SCCs which have been approved by the EU Commission – these regulate transfers from:
- an EEA controller to a non-EEA controller; and
- an EEA controller to a non-EEA processor.
One legal grey area that has emerged is in relation to transfers from an EEA processor to a UK controller following a no deal Brexit. There are no SCCs which would regulate such transfers and often there will be no other suitable lawful mechanism for these types of transfer. It is expected (or perhaps hoped) by the UK government that the European Data Protection Board would issue guidance on this in the event of a no deal Brexit.
An alternative to SCCs which group companies with a UK presence may consider is to implement Binding Corporate Rules (BCRs). However, BCRs are subject to approval from the relevant supervisory authority and it will, therefore, prove time consuming to put such documentation in place.
Finally, UK organisations which currently rely on the EU-US Privacy Shield to transfer personal data to organisations in the US should be aware that this will no longer serve as a valid transfer mechanism in the event of a no deal Brexit unless the recipient US organisation has updated its public commitment to comply with the Privacy Shield to include the UK.
Notwithstanding the fact that the UK will have left the EU, many UK organisations will continue to be caught by the EU GDPR due to the extra-territorial scope of the GDPR. Where this is the case, organisations will have to consider whether or not they are required to appoint an EU representative pursuant to Article 27 of the GDPR.
On the flipside, the UK government has indicated that a similar requirement will apply to non-UK entities which are bound to comply with the UK’s data protection regime following Brexit, meaning many EU organisations carrying out activities in the UK could be caught.
In addition to the above, UK organisations which have any branches or establishments in the EU or are otherwise caught by the extra-territorial provisions of the GDPR and will be carrying out cross-border processing in the EEA following Brexit may be required to update their lead supervisory authority following Brexit.
Updates to documentation
At present, many organisations have drafted their GDPR compliance documentation from the perspective of the UK being a member the EU. Businesses should review their GDPR compliance documentation to ensure that these references are updated accordingly. In particular, it would be prudent to review:
- Privacy notices – to ensure that the position in respect of international transfers is correctly stated; and
- Contracts with third parties – to ascertain whether these contain any restrictions on transfers outside the EEA.
As can be seen from the above, the implications of the UK leaving the EU without a deal will have serious data protection consequences not only for UK organisations, but also for EU organisations which transfer or process personal data to or in the UK. Businesses should be aware of the additional compliance steps which they may need to overcome following the UK’s exit from the EU without a deal and begin preparations for this as soon as possible.
Please contact us if you need any assistance preparing for Brexit.
Ben Nolan is a Solicitor, Admitted in Scotland in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at firstname.lastname@example.org