The UK’s withdrawal from the European Union on 31 January 2020 marked the beginning of what will inevitably be a period of change for the country’s data protection laws.
During the “transition period”, which will last until 31 December 2020, the UK’s data protection laws remain the same in effect as they did on exit day. The Information Commissioner’s Office (ICO) noted in its “Statement on data protection and Brexit implementation – what you need to do” of 29 January 2020 that it will be “business as usual for data protection” during this period (see Legal update, ICO publishes statement on data protection and Brexit implementation).
So for the time being, the abrupt impact of a no-deal Brexit has been avoided, but that is not to say that the potential for significant disruption to international data flows from 1 January 2021 has been wholly removed.
At the end of the transition period, it is far from clear what the future will hold for both data protection regulation in the UK, and the nature of the relationship between the UK and the EU. As both sides limber up for trade negotiations, there is the unsurprising indication that – in data protection terms, among others – the UK would like to both have the proverbial cake (in the form of the ability to develop independent policy) and eat it (in the form of a recognition of the UK’s data protection adequacy by the EU).
In a written statement on future UK/EU relations submitted to Parliament on 3 February 2020, Prime Minister Johnson stated that the country would on the one hand “in future develop separate and independent policies in areas such as…data protection, maintaining high standards as we do so.” The statement also contains the comment that “the UK would see the EU’s assessment process on…data adequacy as technical and confirmatory of the reality that the UK will be operating exactly the same regulatory frameworks as the EU at the point of exit. The UK intends to approach its own assessment process in this spirit.” (See Legal update, Prime Minister gives statement on government’s approach to future UK-EU relationship negotiations.)
Personal data flows between the EEA and the UK
International transfers of personal data are a key area of focus for companies considering the impact of Brexit on their operations. Following expiry of the transition period, the UK will become a “third country” for the purposes of Article 44 of the GDPR.
To avoid the need for companies to provide “appropriate safeguards” for any international data transfers from the EEA to the UK, such as entering into EU approved model clauses for data transfers, it would be preferable for the European Commission to adopt an adequacy decision in respect of the UK.
To that end, the Political Declaration states that the European Commission will “endeavour to adopt decisions by the end of 2020, if the applicable conditions are met.” (See Practice note, Brexit: political declaration on framework for future UK-EU relationship: Data protection.)
To assess its vulnerability to disruption if an adequacy decision is not adopted, an organisation needs to understand the extent to which it relies upon EEA to UK personal data flows and (though less pressing) flows from the UK to the EEA (see Practice note, Brexit: the implications for data protection: Matrix of potential free flows).
The GDPR extended the responsibility for compliant international transfers to third countries, so that processors as well as controllers became accountable for this. That is an area of practical difficulty for many vendors which are processors, because the recognised EU model clauses route to achieving “appropriate safeguards” do not cater for situations where processors are exporters of personal data (see Practice note, Overview of GDPR: UK perspective: Changes in relation to processors).
The position will be very different for a group of companies which, for example, run their European HR or marketing functions from the UK, compared with a UK business with mainly US trade links.
As with all aspects of the future UK-EU relationship, however, it is not possible to anticipate when a breakthrough in the adequacy assessment process may take place, and what its nature could be. Companies that carry out large-scale international transfers and wish to get ahead of any potential “cliff-edge” scenario may therefore want to consider:
- Reviewing and keeping up to date the details of key international data flows, and any third parties that facilitate these (for example, as part of the Article 30 record of processing activities).
- Where appropriate, preparing standard-form or pre-populated versions of the EU model clauses that can be rolled out to clients on short notice. A number of service providers adopted this approach in the wake of the U.S.-EU Safe Harbor Framework being invalidated in 2015. In some cases, these were also pre-executed.
- Reviewing and amending intra-group data transfer arrangements where necessary.
- Considering whether the UK’s change in status to that of a “third country” may have implications for any data processing clauses within existing agreements, or on down-stream supplier arrangements.
See Practice note, Brexit: implications for data protection: International data flows for a more detailed explanation of the rules governing international data transfers following expiry of the transition period.
Identifying applicable laws
Companies based in both the UK and the EEA should consider how they will be affected by the extra-territoriality provisions in both the EU GDPR and the UK GDPR following the transition period. To the extent that a company in the UK offers goods and services to, or monitors the behaviour of, data subjects in the EEA, they may be caught by the EU GDPR even if they do not have a physical presence there. This also works in reverse, for companies with no presence in the UK, but who offer goods and services to, or monitor the behaviour of, data subjects in the UK.
Where a company does fall within the scope of either the EU GDPR or the UK GDPR by virtue of the extra-territoriality provisions, it may be necessary to appoint a representative (see Practice note, Brexit: implications for data protection: Representatives).
On expiry of the transition period, the ICO will cease to be a “supervisory authority” for the purposes of the EU GDPR. Controllers and processors that have previously identified the ICO as their “lead authority” should therefore consider which authority may take the ICO’s place, and the implications that this will have for existing reporting structures.
Companies within scope of the extra-territoriality provisions outlined above may find themselves subject to the jurisdiction of more than one EEA supervisory authority. Most obviously, this will be of significance in the event of a reportable personal data breach occurring. Companies should review their breach incident response policies accordingly (see Practice note, Brexit: implications for data protection: Lead supervisory authority).
The ICO will continue to be responsible for enforcement of the UK GDPR (see Practice note, Brexit: implications for data protection: Enforcement).
In the meantime, companies would be well advised to ensure they have a clear understanding of current EEA-UK personal data flows which are operationally critical, and consider putting in place EU model contract clauses between EEA and UK entities (particularly where they are part of the same corporate group) to mitigate the risk of potential disruption in the event that there is no UK adequacy finding by the end of the Brexit transition period, (see Practice note, Brexit: implications for data protection: Drafting for Brexit: Brexit clauses and for information on amendments to Practical Law’s boilerplate clauses see Legal update, Brexit: updated boilerplate materials). Those clauses could be expressed to continue in force until an adequacy decision is achieved.
For controller to controller trade relationships as between the UK and the EEA, it is likely to be a matter for the parties’ sector, risk appetite and the strategic importance of the relationship as to whether they seek to put measures in place now, or wait and see whether the position becomes clearer as we approach the end of the transition period (see Practice note, Future UK-EU relationship: negotiations).