UK data protection legislation has historically been largely EU-driven, going right back to the 1995 Directive which was the foundation of the Data Protection Act 1998.
More recently, the General Data Protection Regulation (GDPR), having direct effect in all member states, came into force on 25 May 2018 to harmonise the acquisition, processing and retention of personal data across the EU. On the same date the UK implemented the Data Protection Act 2018 to supersede the 1998 Act and reflect the provisions of the GDPR.
Given the inextricable link to EU law in this key regulatory area, the prospect of Brexit has caused some concern as to the impact on UK businesses. At this stage, the future remains unclear and will be determined by the deal/no deal conundrum. The following explores the current position and what businesses need to consider in anticipation of the changes likely to occur.
Although the UK left the EU on 31 January this year, nothing has changed as yet, because we are in the transitional period pursuant to which EU law will continue to apply in the UK until 31 December 2020. The latest date for applying for an extension to this period, 1 July 2020, has now passed and accordingly GDPR will cease to have direct effect in the UK on New Year's Day 2021, at which point the UK will become a third country for the purposes of EU data protection law.
The UK is committed to maintaining an equivalent regime post-Brexit to minimise the impact on UK data controllers and processors. To this end, the Government has passed the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the Exit Regulations), which serve to ensure EU law as it exists on exit day, including GDPR, will be incorporated into UK law.
From that point, at the end of the transitional period, the UK legislative regime will comprise the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 and the 'UK GDPR'.
So it will effectively be business as usual then? Well, not quite: as well as additional administrative demands on businesses trading in both the UK and the EU, which will become subject to dual regulation, there is still one key piece of the jigsaw missing. Smooth and easy data transfer to and from the EU post Brexit is fundamental to the ability of British businesses to trade freely with EU member states. As outlined above, the UK's status under EU data protection law will change on 1 January to that of a third country. As such, new arrangements need to be put in place determining what controls will apply to the import and export of personal data going forward, and these have yet to be resolved.
Data transfer - the current position
At present, personal data can flow freely between EEA territories (the EU member states and Norway, Liechtenstein and Iceland) and those third countries (12 in all including Canada, Switzerland and New Zealand) which have been afforded 'adequacy status' by the EU. An adequacy ruling is crucially important, as it means that effectively these countries are treated as if they were in the EU as regards the transfer of personal data without any further safeguards being required.
Absent an adequacy ruling, the transfer of personal data from EEA territories to a third country requires 'appropriate safeguards' to be in place. Such safeguards include:
- Use of the EU Standard Contractual Clauses (SCCs) (known historically as the model clauses) between importer and exporter (but only covering data controller to data processor and data controller to data controller transfers)
- Binding Corporate Rules, the use of which is limited in practice as they apply only to intra-group transfers and the application process for adopting them is lengthy
- (Prior to the decision of the European Court of Justice on 16 July 2020 in the case of Schrems II, which is covered below) for transfers to the US, confirmation that the receiving party was a member of the US Department of Commerce 'Privacy Shield'.
Data transfer - post Brexit
With regard to the transfer of personal data from the UK to the EU, the Exit Regulations provide that the UK will recognise all EEA countries (and Gibraltar) as 'adequate', as well as those countries already subject to an EU adequacy decision, and permit the transfer of personal data to them without the need for additional protections. The UK will also recognise the SCCs as a legitimate basis for transfer and all binding corporate rules existing on exit day.
So the UK has already played its part in taking the necessary steps to preserve business as usual for data transfer from the UK to the EU once the transitional period comes to an end.
Whether the EU will reciprocate remains to be seen, however. If it doesn't make an adequacy ruling for the UK by 1 January 2021, future transfers of personal data from the EEA to the UK will be restricted. It seems unlikely that an adequacy decision will be made by this date, unfortunately, as although the EU has indicated it will consider such an application, it will not do so until the UK has left the EU and so there will be no seamless transition in this regard. Accordingly, any UK businesses which routinely transfer personal data from the EU to the UK (including UK-based businesses which serve EU-based customers) will need to implement alternative safeguards to maintain the free flow of data import.
The SCCs are the most obvious solution and are largely boilerplate, with limited scope for amendment or negotiation, which should expedite the process; nonetheless UK organisations with pan-European operations will need to start putting preparations in place sooner rather than later.
Schrems II - a spanner in the works?
Recent developments with regard to the Court of Justice of the EU (CJEU) decision on the validity of the US Privacy Shield in the case of Schrems II risk causing further problems for the Brexit negotiations on data transfer.
In this case, the CJEU held that the Privacy Shield did not afford adequate protection for personal data transferred to member organisations, specifically due to the intrusive public surveillance measures approved under US law. Following the judgment, personal data can no longer be compliantly transferred from within the EU to organisations in the USA on the basis of Privacy Shield certifications. Organisations which were relying on this have been left in a panic, having to urgently implement alternative safeguards which meet the requirements of the GDPR, although the judgment has cast some doubt on whether the SCCs will actually work in this context.
So why is this a potential issue for our position post Brexit? Because at the same time as the UK is seeking to negotiate and obtain an adequacy ruling from the EU, it is also seeking to negotiate a data trade arrangement with the US. The EU will be closely scrutinising this and clearly won't be prepared to allow the UK to circumvent the Schrems II ruling with a separate data transfer deal with the USA. If the European Commission harbours any concerns that the UK may simply be used as an outpost between the EU and the USA to facilitate data transfers which couldn't be made directly, it is likely to seriously impede the UK's ability to obtain an adequacy decision.
It is clear from the above that our data protection journey to the other side of Brexit is not clearly mapped. UK businesses have only a few months to prepare for change, assuming exit day is 1 January 2020, and in anticipation of that change you should act now to:
- Map your data import activities from the EEA and identify what alternative mechanisms (like SCCs) need to be put in place to facilitate legitimate data transfer from exit day
- If your data processing activities take place in both the UK and the EU, consider how you need to adapt for dual regulation, including whether you need to appoint separate data protection officers and nominate a new lead supervisory authority.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.