There are a number of practical steps that organisations (both controllers and processors) should consider taking in relation to data protection, should the UK leave the EU with No Deal. These steps must be considered carefully on a case-by-case basis and we would be pleased to discuss any aspect of this Guide with you in more detail. If there is a deal between the UK and the EU27, under a negotiated exit, we will issue separate guidance.
What will happen to GDPR post-exit day?
The General Data Protection Regulation (GDPR) is an EU Regulation and, post-Brexit, will no longer apply in the UK. However, post-Exit Day, the EU (Withdrawal) Act 2018 and The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will, in effect, preserve the GDPR in UK law, albeit with amendments for the UK context. This separate law has been called ‘UK GDPR’ to differentiate it from the existing GDPR. UK based organisations that also have an establishment in the EEA, or that process the personal data of individuals based in the EEA, will need to continue to comply with the actual GDPR, as it has extra-territorial effect in certain circumstances.
Accordingly, organisations that do business in the UK and the EEA will need to navigate and comply with two regulatory regimes, ‘UK GDPR’ and the actual GDPR. These regimes will approach data protection from a similar set of principles and objectives and, in many areas, no separate action will be required. However, there may be divergences that will need to be taken into account and there are a number of important issues to consider, in particular, in relation to flows of personal data. Organisations may also find that they are at risk of enforcement actions or complaints in several jurisdictions across the EEA and/or the UK (either by regulatory authorities or by individuals) arising out of the same incident.
Transfer of personal data
The free flow of personal data between the EEA and the UK is an issue of critical importance for most organisations, and will be significantly impacted by a No Deal Brexit. In such a scenario, the UK will be treated as a ‘third country’ for the purposes of personal data flows from the EEA, unless and until an adequacy decision from the European Commission (Commission) is in place in relation to the UK’s data protection regime. This could take some considerable time to be agreed.
To prepare, you will need to take stock of your international flows of personal data: work out what personal data you have and where you hold it, as well as where you are transferring it to and from. You can then decide upon the appropriate mechanism for your personal data transfer flows in a No Deal Brexit. Note that where a customer passes their own personal data to the organisation, there will normally not be said to be a data transfer, and so these issues will not need to be considered.
In summary, the position for data transfers in the event of No Deal post-Exit Day is as follows:
Transfers of personal data from the UK to the EEA
These will be able to continue unrestricted, as now. The UK Government has said that it will continue to recognise EU data protection standards as sufficient (albeit it will keep this under review).
Transfers of personal data from the EEA to the UK
Until an adequacy decision in favour of the UK is in place (which is anticipated to take a significant amount of time), transfers of personal data from the EEA to the UK will only be able to occur using:
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- Codes of Conduct and Certification Mechanisms
- Derogations including, for example, explicit consent of the data subject
In many cases, organisations that want to transfer personal data from the EEA to the UK will need to rely upon SCCs. After a No Deal Brexit, any Codes of Conduct and BCRs approved by the UK Information Commissioner’s office (ICO) (and any future ICO approved certification mechanisms) will not automatically be recognised in the EEA.
Where the transferor is an EEA controller, the data processing clause in the contract should include provisions for the Commission’s controller to processor or controller to controller SCCs. Where the transferor is an EEA processor, there are, as yet, no specific Commission standard contractual clauses. However, the EEA processor may, depending on the location of the controller, be able to enter into a sub-processing agreement with the UK processor under the Commission’s controller to processor SCCs. Alternatively, with appropriate authority from the controller, the EEA processor may be able to enter into the Commission’s standard controller to processor SCCs with the UK processor on behalf and in the name of the controller, or the controller may enter into the SCCs with the UK processor directly. It is important to note here that the ICO has said that this does not amount to a transfer that requires appropriate safeguards or an exemption. However, it is yet to be seen how much traction this argument will get with other supervisory authorities.
Transfers of personal data from the UK to other jurisdictions
Where there is no adequacy decision in place, it will be necessary to adopt other appropriate safeguards. The UK government intends to recognise the Commission-approved SCCs as providing an appropriate safeguard for relevant transfers from the UK.
Transfers of personal data from non-EEA jurisdictions to the UK
Where the EU has made an adequacy decision in respect of a particular country, the UK is working with those countries to make specific arrangements for data transfers to continue to flow to the UK. Pending those arrangements, it will be necessary to ensure compliance with local law on the transfer of personal data.
Group Companies and BCRs
In relation to restricted transfers from the UK which are within a corporate group, it will be possible to rely upon BCRs. The UK government will recognise BCRs that have been authorised under the Commission process before Exit Day (the UK will need to be listed as a third country outside the EEA) but it is important to note that there is as yet no indication that the Commission will continue to approve existing BCRs.
Main establishments and ‘One Stop Shop’ under GDPR
Under GDPR, EEA-based organisations which carry out processing in more than one EEA state only need to deal with a single regulatory authority as their lead supervisory authority. This is known as the ‘One Stop Shop’ principle. It means that, for example, there would only be one fine imposed by an authority as a result of an incident that covered a number of EEA territories, and that single fine would cover the whole EEA.
Non-EEA based organisations cannot rely upon the One Stop Shop principle. However, they may be liable for a breach of GDPR on the basis of its extra-territorial effect in certain circumstances. You should consider what cross-border processing you carry out, as this will affect the extent to which you are subject to the ICO and/or EEA supervisory authorities after Exit Day:
Organisations with a main establishment in the UK and establishments in the EEA: You may wish to consider whether any of your EEA establishments in the EEA could be your main establishment, in order to take advantage of the GDPR ‘One Stop Shop’, and avoid being at risk of regulatory action from multiple EEA regulators. Even if you are able to demonstrate that you have an EEA main establishment, however, where cross-border processing involves the EEA and the UK, you will still be subject to the ICO’s jurisdiction, as well as the lead EEA regulator.
Organisations with a main establishment in the UK and no establishments elsewhere in the EEA: you will no longer be able to take advantage of the GDPR ‘One Stop Shop’. As GDPR has extra-territorial effect in certain circumstances, you may have to deal with the supervisory authorities in all EEA states where data subjects are located, and whose personal data you process.
If you are based in the UK and do not have an establishment in the EEA, and you offer goods or services to data subjects in the EEA or monitor their behaviour, you will need to appoint a representative in the EEA, unless you can take advantage of an exception. Exceptions will need to be assessed on a case-by-case basis.
If it is appropriate for you to appoint an EEA representative, you must ensure they are based in an EEA state where at least some of the individuals whose personal data you process are located. You may need to agree an indemnity with the representative, as they are potentially liable for any breaches committed by you under GDPR.
Under the ‘UK GDPR’, relevant organisations located outside of the UK will need to appoint a UK representative, again subject to a relevant exception applying.
Updates to privacy policies, term of conditions, terms of business etc
Your Privacy Policies and related documents such as terms and conditions for websites, and terms of business will need to be updated to take into account the various regulatory regimes that you are subject to post-Exit Day, i.e., GDPR and/or the ‘UK GDPR’.
Digital Services Providers and Essential Services
If you are a company operating with essential services (e.g., banking, health care, energy and transport) or you are currently providing online marketplaces, online search engines or cloud computing services to those in the EU, you may also need to consider the effect of No Deal on the Network and Information Systems Regulations (including the government’s recent consultation in relation to requiring non-UK based Digital Services Providers to nominate a representative in the UK).
The ICO has useful guidance, and a range of resource materials, on the impact of a No Deal Brexit. If you would like to discuss any of the issues raised in this Client Guide, please contact a member of our Data Protection team.