Data Privacy and Brexit


  1. The UK is due to leave the EU on 29 March 2019, whereupon, in the absence of any other agreement, all EU laws, including GDPR, will cease to apply as a matter of EU law. At a purely domestic UK level however, all currently applicable EU laws, including GDPR will then have been incorporated into UK law by the European Union (Withdrawal) Act 2018. In addition, GDPR has been implemented in the UK by the Data Protection Act 2018 (“DPA”) which is expressly stated to be read alongside GDPR.
  2. The clear intention of the DPA, as stated in its explanatory notes is to set new standards for protecting personal data “in accordance with recent EU data protection laws”. So, after 29 March 2019, at least from a domestic UK law perspective, GDPR will apply to activities in the UK, including transfers of personal data from the UK to countries remaining in the EEA.
  3. However, what is less clear is how transfers of personal data from the EEA to the UK will be dealt with, and of course this is of practical importance to multinational businesses with substantial continuing operations and interests elsewhere in the EU. After Brexit, although the UK’s data privacy laws will be substantively similar to those in the EU, the UK will technically be considered a third country and so require a decision from the European Commission that its protections are “adequate” to enable the continuation of the status quo for transfers to the UK. Although on the face of it this should be a formality due to the DPA incorporating GDPR, the political and institutional context of the broader relationship between the UK and the residual EU members (“rEU”) may complicate matters. At the very least, there may be a degree of uncertainty between the date of Brexit and the date on which the Commission issues any decision on adequacy.
  4. That said, from a practical perspective, the most likely approach would be that the Commission, the CJEU, domestic EU regulators and Courts, would find it uncontroversial to treat transfers to the UK pending an adequacy decision as being in any event ones which were to a third country with adequate protections, at least in terms of prioritising investigations of complaints. This may provide some degree of comfort, particularly when combined with companies’ Binding Corporate Rules (“BCRs”) if they have been approved by that time (the process in the UK for approval involves notification to ICO which reviews and approves from a UK perspective and then forwards to the regulators in two other EU Member States for their approval – if a company has not already notified its BCRs to ICO it is highly unlikely that the process would be capable of being completed prior to 29 March 2019).
  5. This is nevertheless dependent on the progress and nature of the continuing negotiations between the UK and the EU around the terms of Brexit and the future relationship between the UK and rEU. Although at present there does not seem to be any intention by the current government to reach an agreement which would involve departing from the UK applying GDPR, whether by legal obligation or as a voluntary matter, until that position is crystallised there is uncertainty and therefore risk. The more antagonistic an approach the UK takes over the coming months, the greater the uncertainty on this issue and in particular, the lower the chances that the Commission would be inclined to reach a quick decision on matters like making a declaration of adequacy in the UK’s favour (or that the EU national privacy regulators would feel any need to attempt to find UK companies’ BCRs compliant ahead of Brexit or expedite doing so[1]).
  6. Another issue worth noting is that on Brexit, the UK, in the absence of other agreement, will not be party to the EU-US Privacy Shield. This may cause some operational difficulties if a company exports data collected within the EU which was transferred to the UK prior to further processing in the US, although this would be avoidable by ensuring that such transfers, if hitherto reliant on the privacy shield were directly from the EU to US without going via the UK. From a UK perspective, while the privacy shield may not technically apply, it is not likely that ICO would consider transfers from the UK to the US to breach DPA if prior to 29 March 2019 they would have benefited from the privacy shield.
  7. There are five broad scenarios for the future relationship with the EU which will have differing impacts from a data privacy perspective. The account below is by necessity somewhat speculative as the actual direction and content of what is negotiated and ultimately agreed between the UK and EU is evolving and may not fully come to light until very close to the date of Brexit itself.
    a. Reversing the decision to leave the EU
    b. Continuing to remain a member of the EEA and/or rejoining EFTA and negotiating some UK-specific derogations (sometimes referred to as “Norway+”)
    c. An agreement with the EU largely based on the approach set out in the government’s White Paper on the future relationship with the EU
    d. A looser agreement with the EU, in particular without any form of “common rule book” which would preserve EU laws in the UK in a way which would be formally recognised by the EU (sometimes referred to as “Canada+++”)
    e. No deal – no ongoing legal or treaty obligations towards the EU at all
  8. Scenarios a and b do not raise any significant data privacy issues as they both involve keeping the UK within the scope of GDPR directly and not being a third country. At present neither scenario looks particularly likely and both would involve significant political change within the UK including the possibility of a change of government, a further referendum and/or a General Election. The uncertainties that would arise from these political changes are such that while the final outcome of these scenarios would be to retain the current status quo in respect of data privacy, the impact of data privacy as a business risk would be likely to be minor compared to the other business risks posed by such a period of political upheaval.
  9. Scenario c is the government’s currently preferred position, although as with much of the debate around Brexit there are competing reports as to how acceptable it might be to the EU and what changes to the White Paper might be required by the EU or as concessions in Parliament to those who do not agree with the government line (whether to remove elements of the White Paper or to expand its scope). In general terms, the aim of the White Paper’s approach is to retain a common rule book with the EU in relation to trade in goods. For those matters covered by such a common rule book, there would by definition be agreement from the EU that the pre-existing UK position would be compliant with EU laws. It is not obvious from the White Paper where this leaves data privacy and GDPR.
  10. From a technical legal perspective, the common rule book, if it “would cover only those rules necessary to provide for frictionless trade at the border” (White Paper Section 1.2.3 para 25) would not extend to GDPR and need not cover any EU laws beyond those which on their face have a Treaty Base of any of Articles 34-37 TFEU (the provisions establishing free movement of goods other than those establishing the Customs Union, which current UK policy is to no longer be bound by). Data privacy is dealt with by Article 16 TFEU, which is the stated Treaty Base for GDPR and so would not be included in that narrow conception of the common rule book. It is most likely that if covered at all by the agreement between the UK and EU, GDPR would be treated as part of the provisions relating to services and “digital” trade which the White Paper proposes will involve new arrangements which will mean “the UK and EU will not have current levels of access to each other’s markets” (White Paper Section 1.3 para 48).
  11. That leaves open the possibility that GDPR might not be included in the future arrangements or even that the UK may decide to have a different data privacy regime, although that does not look like the approach the current government will pursue given the way in which the DPA was written and its stated intent. It is most likely that the future arrangements under this approach would either incorporate GDPR as is to provide certainty in relation to digital and services trade between the UK and EU without the need for a separate adequacy finding or that they would be silent on it but the general atmosphere would be one in which obtaining an adequacy decision would be considered by both EU and UK to be routine based on current UK legislation. As a broadly non-confrontational negotiation stance it would also be likely to be neutral with respect to the progress of approval by EU regulators of a UK company’s BCRs.
  12. Scenarios d and e would both require the UK to rely upon an adequacy finding and/or for UK companies’ approval of its BCRs. Neither inherently alters the underlying substance of existing UK law and its implementation of GDPR but as both are more potentially confrontational they may raise the risk of delay in obtaining those decisions or even (if the discussions become particularly acrimonious) grounds arising for refusing them. For example, if scenario e of “No Deal” transpired and there were threats from either side of any form of trade war, given the importance of personal data in many businesses, restricting the UK or UK companies’ ability to receive and process data from rEU may be considered as a valid tactic in such a dispute.
  13. Escalation of matters this far is probably not very likely but if it did occur may require more significant mitigations to be adopted. For example, it might be prudent in these circumstances to conduct a detailed audit of the actual data flows within a company group to identify the extent to which it was operationally essential and unavoidable to transfer personal data from rEU to the UK and whether this could be worked around (eg by dealing with more processing in-country and using third party processors in rEU rather than the UK, if transfers out of rEU are needed, to look at whether there are other third countries which have more settled relations with the EU on privacy etc).
  14. A more likely outcome is that scenario d would require, to be realistic, maintaining good relations with the EU (eg if the government wishes to get Canada+++ it will want to be as friendly in its discussions with the EU as Canada is). Scenario e could also be achieved without confrontation, albeit that most of its current proponents seem to be otherwise inclined. In both of these situations, a longer term risk might be that the UK decides that the GDPR framework is too restrictive a way of achieving its aims and looks to create an alternative approach (eg California has recently enacted data privacy laws focusing on specific practices by businesses like selling consumer data rather than processing per se, or this suggestion that the UK should change from a blanket prohibition on processing without a lawful basis to prohibiting particularly egregious types of processing while not regulating processing generally). This would be a risk as a change to domestic UK law from DPA would impact any previous finding of adequacy of UK protections and so would push UK companies back to relying on their BCRs and model clauses (etc) unless the UK were able to persuade the Commission that its new approach remained adequate.


[1] The Government has published a guidance note on the anticipated effect on data protection in the event of “No Deal”. It states that while preliminary discussions about an adequacy assessment have taken place, the Commission has not indicated a timetable and has stated that it cannot take an adequacy decision until after the UK has left the EU and become a “third country”.