Oct 42018

Data Protection Post-Brexit

William RM Long and Francesca Blythe
, , ,

Brexit will have fundamental implications for data protection and in particular, the ongoing flow of personal data from the EU to the UK.  However, as with many other issues, the precise implications will depend on the type of deal reached between the EU and the UK.

Data Protection in the UK

Data protection in the UK is currently governed by the EU General Data Protection Regulation 2016/679 (GDPR) as applied by the UK’s Data Protection Act 2018 (DPA).

If the UK leaves the EU on March 29, 2019 the DPA will remain in place and the European Union (Withdrawal) Act 2018 – the legislative framework for the UK’s withdrawal (Brexit) from the EU will incorporate the GDPR into UK law.

In March 2018, the UK and the EU reached political consensus on the terms of a transitional period that will start on March 29, 2019 and will end on December 31, 2020. Such terms are intended to be included in the EU-UK withdrawal agreement, which is still being negotiated. If a transitional period is formally agreed on the terms proposed, common EU rules (including, the GDPR) will continue to apply in the UK during such period.

International Transfers

The GDPR prohibits the transfer of personal data to third countries unless: (a) the transfer is made to an “adequate jurisdiction”, (b) the data exporter has implemented a lawful data transfer mechanism, for example, EU Standard Contractual Clauses, Binding Corporate Rules or the EU/Swiss-Privacy Shield, or (c) an exemption or derogation under the GDPR otherwise applies.

On exit from the EU (i.e., on March 29, 2019), the UK will be considered a third country and as such, transfers of personal data from the EU to the UK will need to satisfy one of (a) through (c) above.

Adequacy Decision

In May 2018, the UK Government published a position paper outlining its proposal for a post-Brexit data agreement. In the proposal, the UK is seeking a legally binding agreement to allow for EU-UK data flows post-Brexit which cannot be changed unilaterally by the EU. Interestingly, there is now precedent for such a bilateral agreement with the EU and Japan recently having agreed a reciprocal adequacy assessment. However, this agreement took years to negotiate and Michel Barnier (the EU’s chief Brexit negotiator) has since rejected the UK’s proposal on the basis that the proposed framework goes beyond the standard adequacy approach the EU has adopted for other third countries.

Interestingly, the European Commission has indicated that it will not consider a determination of adequacy for the UK until the point at which the UK is considered a third county (i.e., on March 29, 2019).

Further, whilst in theory an adequacy decision should be possible to obtain given that the UK has only very recently incorporated the GDPR into UK law and as such, should be “essentially equivalent” to the EU, the question of adequacy is broader than data protection legislation alone. In particular, if the UK is to obtain a post-Brexit adequacy decision from the European Commission it can expect its surveillance regime (including the UK Investigatory Powers Act 2016) to come under close scrutiny. Indeed, the recent ECHR ruling in Big Brother Watch and Others v. The United Kingdom, which found that UK law enforcement agencies engaged in bulk interception of private electronic communications with insufficient safeguards in violation of fundamental rights, is likely to complicate matters further.

Standard Contractual Clauses

On September 13, 2018 the UK Government published a technical notice, “Data protection if there’s no Brexit deal” which sets out the actions UK organisations are recommended to take to enable the continued flow of personal data between the EU and the UK in the event that the UK leaves the EU with no exit agreement in place. In particular, the UK Government recommends that organisations consider using standard contractual clauses (SCCs) as the mechanism to legimtise transfers of personal data from the EU to the UK (i.e., with the UK as the data importer).

Interestingly, the technical notice did not address either transfers of personal data from the UK to the US (i.e., what actions will be taken in relation to the EU-US Privacy Shield), nor the onward transfer from the UK of personal data received from the EU to a third country (e.g., India).

Immediate Steps?

It remains to be seen what the UK’s international data transfer mechanism will look like post-Brexit.  Will the UK adopt the EU’s SCCs, such as, Israel and Switzerland have done?  Will it develop its own form?  With so much uncertainty surrounding post-Brexit international transfers, it is recommended that organisations review their existing data transfer solutions now and determine what steps should be taken to minimise any post-Brexit disruption of data flows.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.