Data Protection Post-Brexit

Brexit will have fundamental implications for data protection and in particular, the ongoing flow of personal data from the EU to the UK.  However, as with many other issues, the precise implications will depend on the type of deal reached between the EU and the UK.

Data Protection in the UK

Data protection in the UK is currently governed by the EU General Data Protection Regulation 2016/679 (GDPR) as applied by the UK’s Data Protection Act 2018 (DPA).

If the UK leaves the EU on March 29, 2019 the DPA will remain in place and the European Union (Withdrawal) Act 2018 – the legislative framework for the UK’s withdrawal (Brexit) from the EU will incorporate the GDPR into UK law.

In March 2018, the UK and the EU reached political consensus on the terms of a transitional period that will start on March 29, 2019 and will end on December 31, 2020. Such terms are intended to be included in the EU-UK withdrawal agreement, which is still being negotiated. If a transitional period is formally agreed on the terms proposed, common EU rules (including, the GDPR) will continue to apply in the UK during such period.

International Transfers

The GDPR prohibits the transfer of personal data to third countries unless: (a) the transfer is made to an “adequate jurisdiction”, (b) the data exporter has implemented a lawful data transfer mechanism, for example, EU Standard Contractual Clauses, Binding Corporate Rules or the EU/Swiss-Privacy Shield, or (c) an exemption or derogation under the GDPR otherwise applies.

On exit from the EU (i.e., on March 29, 2019), the UK will be considered a third country and as such, transfers of personal data from the EU to the UK will need to satisfy one of (a) through (c) above.

Adequacy Decision

In May 2018, the UK Government published a position paper outlining its proposal for a post-Brexit data agreement. In the proposal, the UK is seeking a legally binding agreement to allow for EU-UK data flows post-Brexit which cannot be changed unilaterally by the EU. Interestingly, there is now precedent for such a bilateral agreement with the EU and Japan recently having agreed a reciprocal adequacy assessment. However, this agreement took years to negotiate and Michel Barnier (the EU’s chief Brexit negotiator) has since rejected the UK’s proposal on the basis that the proposed framework goes beyond the standard adequacy approach the EU has adopted for other third countries.

Interestingly, the European Commission has indicated that it will not consider a determination of adequacy for the UK until the point at which the UK is considered a third county (i.e., on March 29, 2019).

Further, whilst in theory an adequacy decision should be possible to obtain given that the UK has only very recently incorporated the GDPR into UK law and as such, should be “essentially equivalent” to the EU, the question of adequacy is broader than data protection legislation alone. In particular, if the UK is to obtain a post-Brexit adequacy decision from the European Commission it can expect its surveillance regime (including the UK Investigatory Powers Act 2016) to come under close scrutiny. Indeed, the recent ECHR ruling in Big Brother Watch and Others v. The United Kingdom, which found that UK law enforcement agencies engaged in bulk interception of private electronic communications with insufficient safeguards in violation of fundamental rights, is likely to complicate matters further.

Standard Contractual Clauses

On September 13, 2018 the UK Government published a technical notice, “Data protection if there’s no Brexit deal” which sets out the actions UK organisations are recommended to take to enable the continued flow of personal data between the EU and the UK in the event that the UK leaves the EU with no exit agreement in place. In particular, the UK Government recommends that organisations consider using standard contractual clauses (SCCs) as the mechanism to legimtise transfers of personal data from the EU to the UK (i.e., with the UK as the data importer).

Interestingly, the technical notice did not address either transfers of personal data from the UK to the US (i.e., what actions will be taken in relation to the EU-US Privacy Shield), nor the onward transfer from the UK of personal data received from the EU to a third country (e.g., India).

Immediate Steps?

It remains to be seen what the UK’s international data transfer mechanism will look like post-Brexit.  Will the UK adopt the EU’s SCCs, such as, Israel and Switzerland have done?  Will it develop its own form?  With so much uncertainty surrounding post-Brexit international transfers, it is recommended that organisations review their existing data transfer solutions now and determine what steps should be taken to minimise any post-Brexit disruption of data flows.