No Deal Brexit – implications for data and privacy law compliance
The Brexit rollercoaster ride continues. At the time of writing, the UK and EU have just announced the agreement of a new withdrawal deal but there are serious doubts about whether it will be backed by Parliament. Despite the requirements of the Benn Act, the risk of the UK leaving the EU without a deal continues to be a concern.
As the government's posters and online adverts keep telling us, there are plenty of areas that businesses need to consider in order to get ready for Brexit. In this article, we focus on the area of data protection, and summarise some of the key issues that will impact UK businesses if we were to crash out of the EU without any withdrawal agreement.
1. Data Transfers to and from the UK
Data Transfers from the EEA to the UK
Under GDPR, personal data may not be transferred by organisations in the European Economic Area[1] ("EEA") to recipients outside the EEA unless the organisation receiving the data is in one of the 13 countries that have been deemed as "adequate" by the EU, an exemption applies or an approved mechanism, such as Standard Contractual Clauses ("SCCs"), has been implemented. The prohibition applies both to transfers of data and also where EEA organisations permit access to their personal data, e.g. allowing software maintenance providers remote access to an organisation's systems.
If the UK leaves the EU without agreeing a withdrawal agreement (which would preserve the UK's "adequacy" for data transfer purposes during a transitional period), the UK will be a third country from the date of exit, and personal data flows between the EEA and the UK could be interrupted. The UK may obtain an adequacy decision from the EU in due course, but it will take some time.
This will affect many businesses, such as:
(i) UK companies that receive personal data from EEA customers (e.g. enterprise SaaS providers with UK hosting infrastructure);
(ii) EEA companies that share data with UK affiliates; and
(iii) EEA service providers that share personal data with processors located in the UK.
Although there are exceptions that apply to the transfer restriction, most EEA organisations will look to implement SCCs with those UK organisations that they share personal data with. The UK Information Commissioner ("ICO") has templates and contract builder tools for both controller/controller and controller/processor transfers.
Data Transfers from the UK to the EEA
As the UK Government confirmed in its "No Deal Readiness Report"[2] of 8th October, personal data transfers from the UK to the EEA will be uninterrupted in the event of a no-deal Brexit, as the government will recognise, at least for now, the adequacy of the EEA countries. It will however keep this position under review.
Data Transfers from the UK to Other Countries
Following Brexit, although the EU GDPR will fall away, the UK government will preserve the UK's implementation of GDPR (through the Data Protection Act 2018) ("UK GDPR"). This will mean that, like today, personal data transfers to countries outside the UK will be restricted in the same way as under GDPR. So, other than transfers to the EEA states (which are approved on a transitional basis) or to the thirteen countries approved by the EU (which the UK will continue to recognise as adequate), organisations will need to find exceptions or compliant mechanisms (such as the SCCs) to ensure their transfers are lawful.
Data Transfers from non-EEA Countries to the UK
In order for the thirteen white-listed countries to obtain and retain their adequacy status, they have to have restrictions on onward data transfers, so technically once the UK falls outside the EU, there could be an issue in relation to transfers from these countries to the UK. However, as confirmed in the No Deal Readiness Report, twelve of the thirteen countries (all except Andorra) have taken steps to legitimise data transfers to the UK post-Brexit.
In respect of transfers from other non-EEA countries to the UK, the ability to transfer personal data to the UK will continue to be subject to any local laws in the country from which the data is being sent.
Privacy Shield in the US
Many UK organisations rely on the bespoke EU-US deal for enabling trans-Atlantic data flows, the Privacy Shield, which effectively provides an adequacy decision for those US organisations who have self-certified under Privacy Shield. UK organisations can continue to use Privacy Shield in the event of a No Deal Brexit, subject to ensuring that the receiving US organisation has updated its public commitments to include transfers from the UK, not just from the EU.
2. Requirement for EU Representative
Broadly, GDPR applies to controllers and processors that:
(i) process personal data in the context of an establishment in the EU; or
(ii) although not established in the EU, process personal data of individuals in the EU where the processing activities are related to offering goods or services to those data subjects or the monitoring of their behaviour.
GDPR also requires that controllers and processors who fall into category (ii) appoint a representative in one of the EU member states where the relevant data subjects are located. UK businesses that offer goods or services to customers in the EU, but do not have establishments in the EU, will therefore have to find an independent representative in the EU that can liaise with data subjects and supervisory authorities in the EU. Using a company's Data Protection Officer for this role is not permissible.
We have had a number of queries from clients asking for recommendations, particularly for companies offering representative services in Ireland. Our understanding is that the market in the EU for these services is nascent, and it is not a simple task to find a representative. This may have something to do with the fact that the European Data Protection Board issued an opinion stating that representatives would potentially be liable for GDPR breaches by the companies they represent.
3. Removal of the One Stop Shop
Under GDPR, where there is cross-border processing of personal data, notification of a personal data breach needs to be made to the lead supervisory authority. This will ultimately be the place where the decisions on the purposes and means of the processing of personal data are taken. This 'one stop shop' approach means that it should in principle only be necessary to deal with one supervisory authority about a personal data breach that affects data subjects in various EU states.
In practice, this has meant that UK data controllers taking decisions about the purposes and means of processing personal data in the UK have been able to deal only with the ICO as the lead supervisory authority, even where a breach affects data subjects from other EU states.
Once the UK is no longer in the EU, UK data controllers will no longer be able to take advantage of this one-stop shop approach. To the extent that the GDPR applies, for example on the basis that goods or services are being offered to data subjects within various EU states, it might be necessary to notify more than one supervisory authority of a breach.
4. Dual Compliance Requirement
For those UK businesses that also have operations, or sell to customers, in the EU, post-Brexit they will have to comply both with the EU GDPR (and any member state nuances in their implementation of GDPR), and also with the UK GDPR. Going forwards, if there is divergence between the two, this will potentially lead to a compliance headache for UK businesses.
5. Review and Update Documentation
In addition to the above issues, UK organisations will need to review their privacy documentation, such as Privacy Notices, contracts and internal policies, to reflect the UK's new position, the different legislation references, and to explain the steps taken in relation to data transfers.
No doubt the rollercoaster will continue over the next few weeks, and we hope for the most seamless and least disruptive outcome in all areas. However, if you need any advice in the run-up to Brexit, or just need a sounding board on your arrangements, please do get in touch.
[1] EU plus Iceland, Norway and Liechtenstein.