EU: Navigating Brexit data protection uncertainty, risks, and options
The UK's departure from the EU on 31 January 2020 ('Brexit') changes the EU/UK data governance landscape. The agreed transition period[1] until 31 December 2020 offers a period of EU/UK data protection continuity[2] and 'business as usual.' In the longer term, however, there is uncertainty about EU to UK personal data flows, UK data protection law, and General Data Protection Regulation[3] (Regulation (EU) 2016/679) ('GDPR') compliance. EU-based, European Economic Area ('EEA') based, and international businesses face a series of challenges when seeking to understand and fully predict the UK's data protection future. Wayne Cleghorn, CEO of PrivacySolved, explores these uncertainties, risks, and options to shed light and offer guidance on priorities and actions.
Mind the gap: UK data protection and EU GDPR future
EU, EEA, and international businesses and organisations understand that EU data protection law lies at the heart of EU politics, human rights, the economy, and trade. The GDPR seeks to place data protection at the heart of the EU's single market and the future digital single market, while also further elevating the protection of personal data and special categories of data as a fundamental EU right and a broader human right[4]. The UK's EU (Withdrawal Agreement) Act 2020[5] removes the UK from this system, with the key EU treaties ceasing to apply to the UK[6]. However, the UK enacted the Data Protection Act 2018 ('the Act')[7] to anchor the GDPR in UK domestic law. After the end of the transition period, the Act will stand in place of the GDPR and offers most of the GDPR's protections, but without the key functional mechanisms that EU Member States will continue to rely on. These mechanisms include the role of the European Commission in data protection, European Data Protection Board ('EDPB') membership[8], the consistency mechanism[9], the One Stop Shop mechanism[10], the EU-US Privacy Shield[11] ('the Privacy Shield'), and the data protection decisions of the Court of Justice of the European Union[12] ('CJEU'). Legally and practically, UK data protection divergence begins on 1 February 2020, even within the short transition period. At the end of the transition period, UK data protection risks becoming less aligned with the EU and less automatic. The UK and EU will be on different paths as a result of the post-Brexit status and inertia. This 'new normal' creates pockets of uncertainty, risks, opportunities, and options.
Uncertainties and risks
UK adequacy decision
UK, EU, EEA, and international businesses' personal data flows are best protected and suffer the least disruption if the European Commission issues a post-Brexit 'adequacy decision'[13] confirming that the UK provides a level of data protection comparable to the EU's. The UK has a good claim to such an adequacy decision because of its existing GDPR alignment[14], but the adequacy process involves wide-ranging investigations and a formal decision of the European Commission in consultation with other EU bodies[15]. As a result, a decision is unlikely to be made for many months, and it may become entangled in the UK/EU free trade agreement negotiations occurring throughout 2020 and beyond.
International data transfers
After the transition period, and absent an adequacy decision, the UK becomes a 'third country' for data protection purposes[16]. EU and EEA businesses and organisations, as well as international businesses with EU/EEA operations, need to review and plan in advance for the appropriate safeguards needed to facilitate EU to UK personal data transfers. Standard Contractual Clauses[17] ('SCCs') are the most common solution, but the data exporter must be in the EU and the data importer outside the EU, so these will not typically facilitate data transfers from the UK to the EU after the transition period. The existing Privacy Shield[18] will no longer cover UK to US data transfers, so existing arrangements will need to be adjusted in advance and in the interim while a UK version of the Privacy Shield is created. Binding Corporate Rules[19] ('BCRs') are a stable solution, but they cover only intra-group data transfers and take a long time to prepare and have approved by EU data protection supervisory authorities. The agreed transition period appears to be too short to begin any substantial BCR applications at the UK Information Commissioner's Office ('ICO'). After transition, the ICO will no longer be a GDPR BCR-granting data protection supervisory authority, so EU and international businesses and organisations need to examine their legal proximity and access to other EU data protection supervisory authorities for their BCR compliance activities. One key post-transition challenge will be how EU-based data processors and sub-processors respond to data protection compliance instructions from UK-based data controllers. This scenario[20] was never envisaged by the authors of the GDPR. As a result, it creates many complications and must be dealt with on a case-by-case basis. Bespoke contracting will be one of the ways to create solutions for these gaps.
The ICO and UK courts
At the time of publication, the ICO[21] is one of the largest, most active, and most influential data protection authorities in the EU and around the world. During the Brexit transition period, it will continue its GDPR supervisory authority role[22], but at a distance and with the disadvantage of no longer being an active decision-making member[23] of the EDPB. The ICO's longer term position in the EU's structures is even more uncertain after the transition period. While the ICO will continue to safeguard UK residents and be the data protection authority for many UK-based businesses, it is unclear whether the ICO will accept and handle GDPR complaints from EU citizens, and from EU-based and international data controllers and processors, under the GDPR[24]. Several of the ICO's key powers come from the GDPR, which has made it an integral member of the EDPB[25]. However, the ICO has accepted that, in law, it will no longer be a 'supervisory authority' for the GDPR after the end of the transition period[26], although it will seek to maintain a close relationship with the EDPB. Going forward, the most impactful issue is the likelihood that the ICO will begin to apply data protection legal interpretation primarily from UK courts rather than from the CJEU or the courts of other EU Member States. If this occurs, UK data protection divergence will become entrenched. UK courts have only recently begun to produce high level decisions on data protection remedies[27]. Post-Brexit, these courts may retreat to narrower and more UK-centric data protection interpretations and applications.
Options and actions for EU-based, EEA-based, and international businesses and organisations
In the short to medium term, the UK data protection landscape should be regarded as a work in progress, a special case, and a candidate for an EU adequacy decision. Businesses and organisations should seek continuity where possible, reduce the risk of interruption to personal data flows, and preserve UK/EU GDPR alignment as much as possible, especially within the Brexit transition period, which runs to December 2020[28]. However, this implementation period is short, and there are several matters that require specific early attention, review, and action by data controllers and data processors outside the UK.
Plan to update data protection notices, data protection policies, contract clauses about the GDPR, and initiate supply chain reviews
Key documents that have not already been reviewed will need to be updated to ensure that the impact of Brexit on data protection compliance is acknowledged in commercial arrangements. New arrangements may need to be negotiated, agreed, and formally documented.
Plan to replace the UK ICO as the GDPR lead supervisory authority, One Stop Shop authority, and BCR approval authority
EU and international businesses and organisations should review their previous analysis of the UK ICO as their lead supervisory authority for the GDPR, their One Stop Shop authority, and the authority to which their BCRs can be submitted and agreed. Alternative EU supervisory authorities should be considered and selected to replace the ICO's existing role for these activities to properly comply with the GDPR over the longer term. Detailed expert advice may be required to embed these changes. For larger organisations, the transition period could be used to consider and begin to implement any changes.
Appoint an EU representative
During and after the Brexit transition period, the GDPR will still apply to businesses or organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU. Where these businesses and organisations have no establishment, settled presence, or stable arrangements in an EU Member State, they must appoint an EU representative[29] to liaise with the relevant EU supervisory authorities and to deal with individuals who wish to exercise their rights under the GDPR. The UK will no longer be an eligible EU Member State after the transition period. As a result, UK businesses, and international businesses and organisations with GDPR obligations, will need to re-direct their GDPR compliance focus to other EU countries. International businesses should also reassess any UK-based EU representatives currently in place. Care should be taken to negotiate and agree the scope of these appointments. The identities of the relevant instructing data controllers and data processors should be clear. Liability, insurance, and the roles and responsibilities of each party should also be explicitly agreed. It will take time to update internal and external teams, processes, technologies, and training, so larger and more complex businesses should not wait until the end of the transition period to begin this work.
Focus on international data transfers
International data transfers can be a risky area of GDPR compliance and are subject to change. The CJEU is likely to issue court decisions on SCCs, and EU institutions will provide updates on the Privacy Shield and BCRs. Currently approved EU SCCs may be updated to better reflect the GDPR. When these updates occur, the UK's position will become apparent, especially if EU institutions and courts require changes to be made which the UK may not be legally obliged to follow. A key test is due in May 2020, when the European Commission will present its first evaluation and review[30] of the GDPR to the European Parliament and the Council of the European Union.
Focus on data protection developments in key sectors and the growth of the GDPR codes of practice and certifications
Codes of practice and certification mechanisms are being developed in the EU and UK, and may provide GDPR compliance solutions and options in the medium to longer term. These may, over time, help to bridge the increasing EU/UK data protection divide and reduce the data protection uncertainties created by Brexit.
Wayne Cleghorn, CEO, PrivacySolved
1. Articles 126-127 of the EU / UK Consolidated Withdrawal Agreement of 17 October 2019, TF50 (2019) – Commission to EU 27, available at: https://ec.europa.eu/commission/sites/beta-political/files/consolidated_withdrawal_agreement_17-10-2019_1.pdf
2. Article 128 of the EU/UK Consolidated Withdrawal Agreement of 17 October 2019, TF50 (2019) – Commission to EU 27, available at: https://ec.europa.eu/commission/sites/beta-political/files/consolidated_withdrawal_agreement_17-10-2019_1.pdf
3. GDPR, available at https://eur-lex.europa.eu/eli/reg/2016/679/oj
4. GDPR, Recitals 1-8.
5. EU (Withdrawal Agreement) Act 2020, available at: http://www.legislation.gov.uk/ukpga/2020/1/contents/enacted
6. Section 1 of the European Union (Withdrawal) Act 2018, available at: http://www.legislation.gov.uk/ukpga/2018/16/contents/enacted
7. UK Data Protection Act 2018, available at: http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
8. Articles 68-76 and Recitals 139 – 140, GDPR.
9. Articles 63-67 and Recitals 136 – 138, GDPR.
10. Article 56 and Recital 127, GDPR.
11. Available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en#commercial-sector-eu-us-privacy-shield and https://www.privacyshield.gov/welcome
12. Available at: https://curia.europa.eu/jcms/jcms/j_6/en/
13. Article 45, GDPR, see also: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
14. See: https://publications.parliament.uk/pa/cm201719/cmselect/cmexeu/1317/131702.htm
15. See: https://www.europarl.europa.eu/RegData/etudes/STUD/2018/604976/IPOL_STU(2018)604976_EN.pdf
16. See Speech by EU Chief Negotiator Michel Barnier on 26 May 2018 in Lisbon “..And we cannot, and will not, share this decision-making autonomy with a third country, including a former Member State who does not want to be part of the same legal ecosystem as us” available at: https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_18_3962
17. Article 46, GDPR, see also: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
18. Article 45, GDPR, see also: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en
19. Article 47, GDPR, see also: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en
20. EDPB Guidelines 3/2018 on the territorial scope of the GDPR, available at: https://edpb.europa.eu/our-work-tools/public-consultations/2018/guidelines-32018-territorial-scope-gdpr-article-3_en
21. See: https://ico.org.uk
22. See “Statement on data protection and Brexit implementation – what you need to do” on 29 January 2020 and updated “Brexit FAQ”, available at: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/01/statement-on-data-protection-and-brexit-implementation-what-you-need-to-do/
23. Article 128 (5) of the EU/UK Consolidated Withdrawal Agreement of 17 October 2019, TF50 (2019) – Commission to EU 27, available at: https://ec.europa.eu/commission/sites/beta-political/files/consolidated_withdrawal_agreement_17-10-2019_1.pdf
24. Article 57, GDPR.
25. Articles 51-59 and Recitals 117-129, GDPR.
26. See: https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-if-there-s-no-brexit-deal-3/the-gdpr/ico-and-the-edpb/
27. See Vidal-Hall v Google Inc [2015] EWCA Civ 311, [2016] QB 1003, available at: https://www.judiciary.uk/wp-content/uploads/2015/03/google-v-vidal-hall-judgment.pdf and Lloyd v Google LLC [2018] EWHC 2599 (QB), available at: https://www.judiciary.uk/wp-content/uploads/2018/10/lloyd-v-google-judgment.pdf
28. Section 33 of EU (Withdrawal Agreement) Act 2020.
29. GDPR, Article 27.
30. GDPR, Article 97.