2020 has been a tough year and that's putting it mildly. The countdown on new year's eve will not only mean the coming of a new hopeful year, but also the coming of something big. With the transition period expiring on the 31st December 2020, brace yourself - Brexit is coming!
In January 2020, the United Kingdom ('UK') formally left the European Union ('EU') with a deal referred to as the Withdrawal Agreement, which set out the process to be followed to allow the departure to be run as smoothly as possible. This Agreement did not however set the terms of the relationship between the UK and the EU going forward - these terms were to be agreed during the following 11 month transition period. During this transition period to negotiate the future relationship, the UK still traded within the EU and followed EU rules as it had before.
The transition period however expires in less than six weeks and the troubled negotiations have led to reports that sealing a Brexit deal might be delayed to the 28th December, a mere 3 days before the UK is officially and automatically dropped from the single market and existing arrangements between the Member States.
Brexit therefore poses implications on a variety of industries on both sides of the pond. This first article, in this two-part series, discusses the main issues to be considered in the field of data protection, whilst the second article, which you can read here, explores the implications that Brexit brings about in the sphere of intellectual property.
Brexit & Data Protection
Since the 25th May 2018, data protection within the EU has been regulated primarily by Regulation [EU] 2016/679, or as it is otherwise known, the General Data Protection Regulation (the 'GDPR'), which harmonised the approach to the protection of data across the Member States. With the UK leaving the EU, for all intents and purposes, the UK will now be deemed to be a 'Third Country', and therefore this affects the manner in which personal data can be shared with entities established within the UK, and vice versa. So how does this impact you?
First and foremost, it is important to understand the applicable legal framework. A general misconception is that when Brexit comes into effect, you or your business will only be bound by one specific law and that GDPR will no longer apply to the UK. In truth, at the end of the transition period, an equivalent of the GDPR will be enacted within the UK, having generally similar provisions but catered for the UK. Both laws, the GDPR and the UK GDPR equivalent will have an extra-territorial effect, so it is highly likely that a business will have to comply with different legal regimes. To clarify, you will need to comply with the UK GDPR equivalent if you (i) are established in the UK; or (ii) sell goods/services to individuals in the UK; or (iii) monitor the behaviour of individuals in the UK. Equally, you will need to comply with the GDPR, as you have been for the past 2 years, if you (i) are established in the EU/EEA; (ii) sell goods/services to individuals in the EEA; or (iii) monitor the behaviour of individuals in the EEA. Here it is important to note that in accordance with the Withdrawal Agreement, any personal data transmitted to the UK before the end of the transition period shall continue to be subject to the GDPR after the end of the transition period.
It is therefore important to identify whether you or your business fall within the scope of the UK GDPR equivalent, and if so, assess how, if at all, you may need to adapt internal processes and action points to comply with both the GDPR and the UK GDPR equivalent. From a regulatory perspective, this also means that the concept of the One Stop Shop will no longer apply, and that therefore you might be subject to more than one regulator. Additionally, in the case of a 'No Deal', there might be an issue of 'double jeopardy', where you may be fined under the two separate regimes, that is, your total potential exposure would therefore increase up to €40M or 8% of annual global turnover (whichever is the higher).
Brexit is an extremely thorny subject in the field of data processing, particularly in relation to transfers of personal data to third countries, one of which will now be the UK. This issue is meant to form part of the negotiations for a 'Brexit' Deal; however, if there is 'No Deal' by the end of the transition period, it is important to assess what this means for you and your business.
To this effect, the European Commission has issued a statement to stakeholders [1] to remind them of the legal situation applicable from the 1st January 2021, as well as to clarify certain provisions relevant to the discussion on processing of personal data as set out in the Withdrawal Agreement. Any transfers to the UK as a third country must be made under one of the mechanisms recognised under the GDPR. Firstly, the GDPR caters for adequacy decisions, that is, where the European Commission finds that a third country provides an adequate level of protection to the processing of personal data. Currently, the EU has found adequacy for a handful of countries, and this process usually takes around 3 years. The UK is pining for an adequacy decision; however, it is highly unlikely that adequacy will be found by the end of the transition period. Furthermore, in the assessment as to whether adequacy can be found, many factors are taken into consideration, such as the compatibility of the country's laws with EU laws. The October decision on the excessive surveillance operations that security services carry out in the UK won't help on this front.
At this point, therefore, we shouldn't hold our breath for an adequacy decision, and should look at the other mechanisms considered under the GDPR. The latter acknowledges transfers made subject to safeguards, which include the following: (i) standard contractual clauses ('SCCs'); (ii) binding corporate rules ('BCRs'); (iii) compliance with an approved certification scheme; or (iv) compliance with an approved code of conduct. The safeguards considered in (iii) and (iv) are not yet in place and therefore, at this stage, can be excluded from the discussion. BCRs are data protection policies and procedures used within a group of undertakings or enterprises. Being legally binding, the BCRs regulate intra-group data transfers; however, the approval process of the same by the competent data protection authority in the EU is quite lengthy, and therefore BCRs are not a cost- and time-efficient route to be pursued before the end of the transition period. The most relevant safeguard for transfers is therefore the SCCs, but that's no walk in the park either.
SCCs are clauses that offer sufficient safeguards on data transfers and have been around for quite a while. The European Commission has in fact issued 2 sets of SCCs for data transfers from an EU controller to a non-EEA controller and one set of SCCs for data transfers from an EU controller to a non-EEA processor. Just because they've been around, however, does not mean that SCCs have been properly implemented. In this discussion, it is crucial to understand the impact of the Schrems II judgment (you can read more on that here). Here the CJEU established that SCCs do not operate in a vacuum and highlighted that the protection granted to personal data must travel with the data being transferred. As a result, it was established that the exporter cannot simply implement the SCCs, but should also be responsible for verifying whether the law in the country the data is exported to impinges on the effectiveness of the SCCs. In this regard, the EDPB recently issued Recommendations on the implementation of supplementary measures. The Recommendations are not legally binding; however, they are more onerous than mere guidelines, and therefore it is highly encouraged that the Recommendations are followed in cases where the law in the country the data is exported to presents gaps vis-à-vis data protection. The Recommendations also include a non-exhaustive list of examples of supplementary measures.
Additionally, the European Commission has also published a draft implementing decision on new SCCs, with the feedback period lasting until the 10th December 2020. The draft implementing decision takes into account the Schrems II judgment, and includes SCCs regulating transfers from controller to controller, controller to processor, processor to processor, and also processor to controller, with the introduction of further transparency obligations, amongst other new clauses. At this stage, it is unclear when the implementing decision would come into force and what the final version would look like; however, the draft version does include a proposed one-year transition period to move to the new clauses, applicable where existing clauses are already in place and the contract in question is not revised.
The GDPR also caters for transfers made subject to derogations, such as the explicit consent of the individual and important public interest, amongst others; however, it must be noted that derogations should only be used as a last resort and should not be used for ongoing transfers of data.
The UK has said that it will recognise the EEA as an adequate jurisdiction, however in the case of a No Deal, the ICO has stated that a UK representative may be needed where an organisation is based outside the UK but caught by the extra-territorial effect provisions. In the case of a No Deal, it must be noted that, unless an exception applies, if you are based in the UK and you are caught by the GDPR extra-territorial effect, you may need to appoint a legal representative within the EEA.
Ahead of Brexit, we therefore suggest that you prepare for both a scenario of a Brexit Deal and also a scenario of a No Deal. You should assess whether you are dually regulated, and if so, how you will manage that. At this point, you may also need to revise your documentation, such as where the lawful basis of the processing is compliance with law (EU law is no longer applicable to the UK), and potentially carry out a data protection impact assessment (DPIA), if required. Most importantly, you should re-assess your transfers of personal data to third countries, and then consider which legal safeguard you are going to use for that transfer. In the case that the safeguards you are using are SCCs or BCRs, you should also assess the law of the country concerned and if required, identify and adopt appropriate supplementary measures to the transfer. Now, take a deep breath and get started.
[1] European Commission (July 2020), Notice to Stakeholders: Withdrawal of the United Kingdom and EU Rules in the Field of Data Protection.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.