With the UK voting to leave the EU in 2016 and reaching the third year of negotiations. The pressing question for data protection professionals and businesses handling data, as to how the General Data Protection Regulation (GDPR) will apply in the UK after Brexit.
Where are we now?
No one really knows the uncertainty relating to Brexit has consumed the debate. With it no longer being certain if it will happen. Though if no agreement between the UK and EU is reached in the first months of 2020. It is likely that the UK will crash out with no arrangements in place.
Under the current Withdrawal agreement proposals, there will be an implementation/transition period for determining the terms of the future trade arrangement between the EU and the UK.
During that period, existing EU laws will continue to apply within the UK. It means that businesses will still be required to comply with the existing regulations. And regulations that may come into force during that time, such as GDPR and the incoming ePrivacy Regulation.
The future relationship
Businesses on both sides of the channel and the UK Government would like the free flow of personal data to continue after Brexit. For this, once the UK has left the EU, it would have to seek an adequacy decision from the EU. Similar to the decisions for New Zealand, Argentina, Canada, and Japan.
Though such a decision is based on whether there are adequate safeguards and protections of individuals and their rights. This requires the UK to maintain some form of regulatory alignment after Brexit. Given the UK Data Protection Act, 2018 was passed to adopt all the GDPR provisions, it is likely that the UK will be granted an adequacy decision. Which is something the EU has partly committed to in the current political declaration on the future relationship, in which they will endeavor to adopt an adequacy decision by the end of the Transition Period.
What happens if the UK leaves with No Deal?
If the UK ceases to be a member in early 2020, without an agreement that passed through Parliament, then there will be no agreement for the transition period or a plan for the future trading agreement. This will leave the UK, as a Third Country, which from a Data Protection perspective means an adequacy decision required, or other safeguards are required for transfers from the EU.
Though leaving the EU with no deal, potentially undermines achieving an adequacy decision for a variety of reasons even if the UK maintains the same level of regulatory alignment.
What other safeguards can be relied upon?
First, there is a legally binding and enforceable instrument, such as a contract or an agreement between public bodies. If you are a private organisation, then this is not applicable.
Secondly, there are binding corporate rules, which apply to multinational groups and are internal codes of code for how transfers of data should be handled between their EEA to non-EEA entities within the group. Though such rules must be submitted for approval by a Regulatory Authority within the EEA. This can be a costly process. For private SME organisations, this is unlikely to be a solution.
Then there are standard contractual clauses or model clauses that have been adopted by the EU commission. These stand useful in contracts and approved but not updated to reflect the changes under GDPR. They cover the transfer or processing of personal data to non-EEA countries. But only when used without any amendments.
Though there has been a recent case, which has given rise to questions as to whether they would still be valid by the EU. If they found invalid, then there will be issues on relying upon such clauses for those transfers.
What will happen to the UK approach after Brexit?
The current law stands under the Data Protection Act 2018. There will not be dramatic changes once we leave the EU. Though the government will be able to make changes through regulations made under the EU Withdrawal Act. This might see some changes. Though as stated above, regulatory alignment with the EU for Data Protection is one of the top priorities.
The Government has a plan outlining amendments for the Data Protection Law in the case of a no-deal Brexit. The proposed amendments under no-deal planning were updated in April 2019. The main focus of these amendments, include recognition of all EEA Countries as adequate for the free-flowing of data. Also, incorporating the current adequacy decisions and the current standard contractual clauses. Lastly, giving the ICO new powers to issue new clauses and maintain the extraterritorial scope of UK data protection law. This indicates a certain level of seriousness on the part of the UK government. Finally, it is maintaining the high standards of data protection set out under the GPDR.