Brexit and data protection: what to do next (when you don’t know what’s happening next)

Whilst the threat of a no-deal Brexit has been averted for now, the future is by no means certain. We have highlighted some of the key issues for UK-based organisations, and the EEA organisations that do business with them, in these uncertain Brexit times.

A further ‘extension to Article 50’ has been granted until 31 January 2020, again delaying the UK’s exit from the European Union. The future is, however, by no means certain. A range of potential scenarios could still play out, including that:

  • the current deal on the table may be passed by Parliament following scrutiny (or maybe not…);
  • we could get to the end of the transitional period with no agreement having been reached on the UK’s future relationship with the EU, and the UK could still lapse into a “no-deal” Brexit scenario (or maybe not…); or
  • now that a general election is scheduled for 12 December 2019, there could be a change of government with a whole different Brexit agenda (or maybe not…).

Below are some of the key issues that are likely to be most relevant for many UK-based organisations, and the EEA organisations that do business with them, in these uncertain times.

Brexit Deal

If a Brexit deal is reached, it’s business as usual, right? Well – yes and no. The deal currently being discussed is only in relation to the terms of the UK’s withdrawal from the European Union. After that, a deal still needs to be reached as to the UK’s future relationship with the EU (and other trading partners). During the period when such future deal is being negotiated, transitional arrangements would apply to effectively maintain the status quo for a specific period.

However, if by the end of that transitional period a future deal has not been reached (and the transitional period is not extended), the UK could still lapse into a “no-deal” Brexit scenario. Therefore, despite the recently agreed extension, and even if a Brexit deal is reached, a no-deal Brexit remains a possibility and may need to be planned for either way.

No-Deal Brexit

Legal framework

It is intended that the UK data protection law that will apply from the date of the UK’s exit from the European Union (“Exit Date”) will essentially be a “copied and pasted” version of the EU GDPR that applies immediately before Exit Date. However, certain amendments to it (as well as to the UK Data Protection Act 2018 and ePrivacy regulations) are required so that the UK’s legal framework for data protection and ePrivacy can continue to function in the event of Brexit. These amendments are contained in the Data Protection, Privacy and Electronic Communications (Amendment etc) (EU Exit) Regulations 2019. (We refer to this new UK law below as the “UK GDPR”.)

The European Data Protection Board (EDPB), UK Information Commissioner’s Office (ICO) and certain other supervisory authorities (such as the CNIL in France) have issued guidance on how to deal with a no-deal Brexit scenario. This does not address all the complexities arising out of a no-deal Brexit, but it does at least provide an indication of the sorts of compliance issues that the regulators are focusing on when it comes to data protection and Brexit.

International data transfers

The GDPR prohibits the transfer of personal data outside the EEA unless the transfer is to a country or international organisation that the EU Commission has determined provides equivalent protection for the personal data, or a ‘safeguard’ or ‘derogation’ otherwise applies. From the Exit Date, there will be two sets of rules to consider in the following scenarios:

  1. first, the UK rules on transferring personal data out of the UK (as set out in the UK GDPR); and
  2. second, the EU rules on personal data being transferred from the EEA to the UK.

Transfers from the UK to the EEA

The UK Government has previously confirmed that it will continue to permit personal data to flow freely from the UK to the EEA and all other countries deemed adequate by the European Commission at the time of Brexit.

Transfers from the UK to the US under EU-US Privacy Shield

One ‘safeguard’ that may be used in relation to transfers of personal data to the US is where the recipient has self-certified under the Privacy Shield framework that its processing of personal data is in conformity with GDPR-equivalent standards.

In relation to the Privacy Shield framework, the U.S. Department of Commerce has confirmed that businesses currently relying on Privacy Shield to receive personal data from the UK will still be able to do so, provided they continue to meet the annual certification requirements and update their relevant policies. This will involve updating the public commitment to comply with the Privacy Shield (i.e. the privacy shield policy) to state expressly that the commitment extends to personal data received from the UK in reliance on the Privacy Shield.

Further, if a business intends to receive HR data from the UK in reliance on Privacy Shield, it must also specifically update its HR privacy policy in the same way.

See our Law-Now: "Reliance on the EU-U.S. Privacy Shield for UK data following Brexit"

Transfers from the EEA to the UK

If the UK becomes a “third country” under EU GDPR (which it will in the event of a no-deal Brexit), the following options may be available to data exporters in EEA jurisdictions that want to compliantly transfer personal data to the UK:

  • an adequacy decision from the European Commission;
  • binding corporate rules (“BCRs”);
  • standard contractual clauses;
  • approved codes of conduct or approved certification mechanisms; or
  • certain specified derogations, such as explicit data subject consent.

The most favourable position for the UK would be for the EU Commission to grant the UK an “adequacy decision” that would give it a “whitelisting” such that personal data could be transferred to the UK from the EEA without any additional measures being needed. However, the EU has said that it will not grant an adequacy decision for the UK before Brexit happens. The process of granting adequacy is not quick, so it may take some time after the Exit Date before such a decision may be granted.

BCRs only apply to transfers within a group of companies, so could not be used to transfer personal data between independent service providers and their customers, for example. These also tend to be costly to prepare and finalise and can take many months, or even years, to be approved by the regulators.

There are currently no approved codes of conduct and certification mechanisms, so this is not currently an option. However, work is underway in certain industries to develop such instruments. For example, the UK Data and Marketing Association (DMA) is working with its European trade association, FEDMA, to develop a European Direct Marketing Code of Conduct.

That leaves standard contractual clauses as the only option for many businesses. This is by no means a perfect solution as there are not currently specific forms of clauses dealing with every data flow scenario that may be relevant to no-deal Brexit, e.g. EEA processor to UK sub-processor, or EEA processor to UK controller.

Lead supervisory authority

If the lead authority under EU GDPR is currently the UK ICO, either the relevant group will not be able to benefit from the ‘lead supervisory authority’ / ‘one-stop-shop’ mechanism under the GDPR, or the group will need to restructure to move the personal data processing decision making to an establishment of the group within the EU. The supervisory authority for that location may then be found to be the new lead.

Representatives

EEA representatives

Due to the extra-territorial effect of the EU GDPR, businesses that do not have any establishments, for example offices or branches, in the EEA will be caught by the EU GDPR if they either:

  • target individuals in the EEA with goods or services; or
  • monitor the behaviour of individuals in the EEA so far as the behaviour happens in the EEA.

This means that they will need to consider appointing a representative inside the EEA, unless certain exceptions apply.

The representative can be an individual, a company or an organisation established in the EEA provided they can represent the business regarding its obligations under the EU GDPR.

UK representatives

The UK government intends that, after Brexit, UK GDPR will require a controller or processor established outside the UK but that comes within the territorial scope of the UK GDPR to appoint a UK representative.

Miscellaneous updates to policies, procedures and documentation

As mentioned above, from the Exit Date, UK-established businesses that target or monitor the behaviour of data subjects in the EU may have to comply with two versions of the GDPR in relation to the same processing activity: the UK GDPR and the EU GDPR.

As a result of these changes, businesses will need to review their current policies, operational procedures and documentation and ensure that these refer to updated data protection and ePrivacy legislation as required. This is likely to include reviewing privacy notices, records of processing and data protection impact assessments (DPIAs), which may require updating to reflect changes regarding UK-EEA transfers, references to ‘Union law’ (or similar) and to identify an EEA and/or UK representative (if required).

What should businesses think about doing next?

  • Identify all personal data transfers out of or into the UK (and if so, where to/from) – the key transfers being those:
    • from the EEA to the UK and out of the UK again to other ‘third countries’ (in particular, where contracts prohibit data transfers outside the EEA); and
    • from the UK to the EEA.
  • Decide which lawful transfer mechanisms to use after the Exit Date.
  • Implement the chosen transfer mechanism so that it is applicable and effective as of the Exit Date – this may require amendments to existing data processing or data transfer agreements.
  • Update your privacy notice(s) and other internal documentation concerning your international data transfers.
  • If relying on the Privacy Shield framework for transfers of personal data to the US, ensure that the US business continues to meet the annual certification requirements and update relevant policies.
  • Continue to comply with GDPR standards – equivalent standards will apply post-Brexit in any event.
  • Consider if you will be caught by the extra-territorial scope of the EU GDPR and the UK GDPR in the event of Brexit.
  • If needed, appoint a representative in the EEA – in practice, the easiest way to do this may be under a service contract that provides the necessary mandate and agreed allocation of liability.
  • If needed, appoint a representative in the UK.
  • Ensure the representative’s details are easily accessible to the relevant supervisory authority (or authorities) – although there is no requirement to notify them of the representative’s appointment.
  • Update your privacy notice(s) and other internal documentation with details of the identity and contact details of the representative(s).
  • Consider whether an alternative lead EU data protection authority (other than the UK ICO) may still be possible through a group restructure.
  • Review (and if needed, update) your policies, operational procedures and documentation in relation to compliance with updated UK data protection and ePrivacy legislation.