In 2016, the EU passed the General Data Protection Regulation (GDPR) which came into force in May 2018. That same year the UK voted to leave the UK, and throughout the process of doing so, committed to the standards for data protection set out under GDPR.
A question arose during this process as to whether the UK would maintain those standards post-Brexit, in the same year GDPR came into force, the UK passed the Data Protection Act 2018, incorporating many of the elements of GDPR into national law ahead of the exit. This indicated a level of commitment to those standards, further committed to in the agreed political declaration that would form the basis of the negotiations for the future relationship between the UK and EU.
With the UK’s exit now formalised and having entered the transition stage, negotiations will start regarding the future trading relationship between the UK and EU and the positions taken by the government at this stage might change on the subject of alignment on data protection.
Leaving the EU: Are transfers still permissible?
As of the 31st of January, standard data transfers between businesses are permissible for the time being without being subject to any additional safeguards. This will change as the transition period comes to an end in 2021, in which the UK will become a third country and be treated as such. From this there are two possible scenarios regarding this:
If the first scenario comes into effect, this will mean the situation regarding cross-border transfers of data will pretty much remain the same, in accordance with Article 45 of the GDPR. This is based on alignment, as it currently stands in Law and with the ICO confident that there will be an adequacy decision granted. However, adequacy for those transfers is dependent on maintaining that alignment, which is arguably up to the whims of the government in the long term, which means a decision granted for 2021, can just as easily be revoked.
Under the second scenario, things will be a bit more complicated. All data transfers between the EU and UK will be subject to the grounds under Articles, 46 & 47 or subject to the exemptions outlined within GDPR. Article 46 requires there to be contracts, that either rely on standard contractual clauses, agreements that establish binding mechanisms that allow for the enforcement or binding corporate rules under article 47 which are subject to the approval by national regulators.
Ultimately which ever scenario plays out, businesses will be required to overhaul their compliance framework and strategy for engaging with their EU customers, for most businesses it would be preferable for the first scenario to occur, as it will be the least disruptive.
What other regulatory obligations will UK businesses have to commit to?
In terms of GDPR, businesses in the UK will still have to commit to the general principles and framework currently in place after the transition period, by virtue of the Data Protection Act 2018. Under this, there will not be many changes to the level of compliance required, policies and procedures will still have to be put into place, processing of data will have to remain limited to the purposes for which it was collected, etc.
The obligations within the UK, may then be subject to change as amendments are made over time and dependent on the wishes of the government of the day. Though if adequacy remains a key pursuit of trade policy with the EU, then it is unlikely to change dramatically.
Though once outside the EU, in accordance with ICO guidance, businesses that are processing data in the EU without a physical presence, will be required under Article 27 to appoint an EU Representative. That will serve as the first point of contact between EU citizens and regulators, in making enquiries and complaints related to data protection. The appointment of an EU representative will be required even if an adequacy decision is made.
What is the status in relation to non-EU countries who have been granted adequacy decisions and transfers between them and the UK?
In regard to transfers outside of the UK, the Data Protection Act 2018 is fairly vague beyond its references to GDPR and transfers for Intelligence services and Law Enforcement purposes. However, given the references to GDPR, it is fair to assume that the circumstances for transfers outside the UK will remain subject to same safeguards provided under Article 46 & 47 of GDPR.
For the jurisdictions that are currently subject to EU Adequacy decisions, Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework), the free transfer between these countries and the UK may become restrictive following the UK’s formal exit. However, the ICO have outlined that the government has committed to acknowledging the adequacy decisions, in order to facilitate transfers.
Also, for companies that are processing data in the UK but lack the formal presence in the country, they will be requiring a UK representative in accordance with the guidance provided by the ICO.
What are the key points businesses should take into account?
In light of Brexit, businesses that are processing data will have to navigate further uncertainty, over the next 12 months during the transition period. In light of this businesses should prepare for the worst-case scenario, which is that the UK leaves without a deal and being deemed as providing adequate protections.
In terms of this preparation, businesses should ensure that they are compliant to the standards expected under GDPR, along with making arrangements to appoint an EU representative in an EU member state where they are collecting data but lack a formal presence.
When engaging with EU businesses and transfers of data, companies will also be required to have contracts drafted in order to facilitate those transfers and demonstrate that they enable data subjects to have recourse in regard to their rights under GDPR. This can be done by Standard contractual clauses within the contracts that are formed between such businesses that are sharing the data.
Seers EU Representative Service
Seers can help those organizations that do not have a physical presence in the EU to comply with GDPR through our EURepresentative Service: https://seersco.com/eu-representative-service