For many in-house counsel 2018 will be a story of preparing for two seismic events. After much fanfare and the odd headache for lawyers, the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018) came into effect on 25 May. Focus is likely to have since shifted towards getting ready for something rather more nebulous and potentially more migraine-inducing: Brexit.
The tectonic plates of data protection and Brexit will soon collide, and it may be time to dust off some of the old notes to help with preparations. Some of the work lawyers will need to do and direct will have echoes of the exercises many will have carried out in the relatively recent past.
Practical Law has recently published a practice note, Brexit: the implications for data protection, written by Kate Brimsted and Tom Evans of Bryan Cave Leighton Paisner LLP. The note sets out some considerations for companies as part of their contingency planning whether a deal on the withdrawal agreement is struck or not.
The note obviously assumes that there will be no people’s vote leading to a reversal of Brexit, and that the UK will not join the EEA on leaving the EU.
Clearly, the prospect of a no deal scenario is startling in general terms, but averting any disruption to the free flow of personal data between the highly integrated markets of the EU and UK must be a top priority for all businesses.
The UK data protection regime will be almost seamlessly aligned with the EU regime on Brexit day by virtue of the GDPR being brought into UK law by the European Union (Withdrawal) Act 2018. But, whatever the eventual outcome of Brexit, deal or no deal, the UK is set to become a third country in GDPR terms on leaving the EU and will not have an adequacy decision to rely on, which would otherwise allow for the free flow of personal data between the UK and the EU. The EU won’t make that adequacy decision until after Brexit, leaving the UK effectively in limbo and behind the likes of Uruguay in the EU’s global data protection pecking order.
As per the government’s no deal data protection notice, organisations will need to improvise in much the same way they did when the US-EU Safe Harbor framework was held to be invalid virtually overnight back in 2015 courtesy of Schrems v Facebook. Indeed, we have a heads up of what’s likely to be coming this time and there is time to prepare.
As the new note sets out, most organisations will almost certainly need to embark on another big papering exercise, similar to the one undertaken as a response to Schrems, placing the European Commission’s model clauses between them and their counterparty controllers and processors, thereby placing themselves on the right side of the “adequate safeguards” test under Article 46, GDPR. This is over and above the contract already required by Article 28(3) for controller-processor relationships.
Before doing so, a reopening of the data mapping exercise carried out in readiness for the GDPR will be essential for working out the relevant data flows (for inspiration, see the practice note on Using data mapping). For the papering exercise itself, see Controller-to-controller clauses and Controller-to-processor clauses which, incidentally, the Commission has yet to update for the GDPR but remain valid under Article 46(5).
Binding corporate rules remain a viable but potentially onerous second option.
Another substantial strand to this whole equation is that the ICO’s position at the top table of European data protection regulators is now in major doubt. This is likely to create further headaches for the many organisations which, for example, engage in pan-EU personal data transfers and have chosen the ICO as their lead supervisory authority. In all likelihood, arrangements with other EU regulators will need to be put in place. New EU-based DPOs may correspondingly need to be appointed.
There is also the nagging question of whether the UK government’s use of mass surveillance techniques may lead to EU member states raising concerns about data protection in the UK, not to mention future Schrems-like challenges, jeopardising the adequacy decision one might ordinarily expect to be a formality. Worse still, what if the model clauses are invalidated as an adequate safeguard?
The new note goes into depth on all of these and more potential ramifications. As the note concludes, Brexit adds up to a potentially complex cocktail for data protection, and not an enjoyable one to imbibe at that. We also don’t know yet what deadline we’re working towards – 31 December 2020, assuming a deal and a transition period, or 29 March 2019 in a no deal scenario.
But, amid the uncertainty, there is plenty that can be controlled and that minds can be set to. Focusing on data mapping, scoping the model clauses papering exercise and starting to prepare for the impact of losing the ICO “one stop shop” will be key to avoiding the worst of all hangovers.