Oct 42018

Data Protection Post-Brexit

William RM Long and Francesca Blythe
, , ,

Brexit will have fundamental implications for data protection and in particular, the ongoing flow of personal data from the EU to the UK.  However, as with many other issues, the precise implications will depend on the type of deal reached between the EU and the UK.

Data Protection in the UK

Data protection in the UK is currently governed by the EU General Data Protection Regulation 2016/679 (GDPR) as applied by the UK’s Data Protection Act 2018 (DPA).

If the UK leaves the EU on March 29, 2019 the DPA will remain in place and the European Union (Withdrawal) Act 2018 – the legislative framework for the UK’s withdrawal (Brexit) from the EU will incorporate the GDPR into UK law.

In March 2018, the UK and the EU reached political consensus on the terms of a transitional period that will start on March 29, 2019 and will end on December 31, 2020. Such terms are intended to be included in the EU-UK withdrawal agreement, which is still being negotiated. If a transitional period is formally agreed on the terms proposed, common EU rules (including, the GDPR) will continue to apply in the UK during such period.

International Transfers

The GDPR prohibits the transfer of personal data to third countries unless: (a) the transfer is made to an “adequate jurisdiction”, (b) the data exporter has implemented a lawful data transfer mechanism, for example, EU Standard Contractual Clauses, Binding Corporate Rules or the EU/Swiss-Privacy Shield, or (c) an exemption or derogation under the GDPR otherwise applies.

On exit from the EU (i.e., on March 29, 2019), the UK will be considered a third country and as such, transfers of personal data from the EU to the UK will need to satisfy one of (a) through (c) above.

Adequacy Decision

In May 2018, the UK Government published a position paper outlining its proposal for a post-Brexit data agreement. In the proposal, the UK is seeking a legally binding agreement to allow for EU-UK data flows post-Brexit which cannot be changed unilaterally by the EU. Interestingly, there is now precedent for such a bilateral agreement with the EU and Japan recently having agreed a reciprocal adequacy assessment. However, this agreement took years to negotiate and Michel Barnier (the EU’s chief Brexit negotiator) has since rejected the UK’s proposal on the basis that the proposed framework goes beyond the standard adequacy approach the EU has adopted for other third countries.

Interestingly, the European Commission has indicated that it will not consider a determination of adequacy for the UK until the point at which the UK is considered a third county (i.e., on March 29, 2019).

Further, whilst in theory an adequacy decision should be possible to obtain given that the UK has only very recently incorporated the GDPR into UK law and as such, should be “essentially equivalent” to the EU, the question of adequacy is broader than data protection legislation alone. In particular, if the UK is to obtain a post-Brexit adequacy decision from the European Commission it can expect its surveillance regime (including the UK Investigatory Powers Act 2016) to come under close scrutiny. Indeed, the recent ECHR ruling in Big Brother Watch and Others v. The United Kingdom, which found that UK law enforcement agencies engaged in bulk interception of private electronic communications with insufficient safeguards in violation of fundamental rights, is likely to complicate matters further.

Standard Contractual Clauses

On September 13, 2018 the UK Government published a technical notice, “Data protection if there’s no Brexit deal” which sets out the actions UK organisations are recommended to take to enable the continued flow of personal data between the EU and the UK in the event that the UK leaves the EU with no exit agreement in place. In particular, the UK Government recommends that organisations consider using standard contractual clauses (SCCs) as the mechanism to legimtise transfers of personal data from the EU to the UK (i.e., with the UK as the data importer).

Interestingly, the technical notice did not address either transfers of personal data from the UK to the US (i.e., what actions will be taken in relation to the EU-US Privacy Shield), nor the onward transfer from the UK of personal data received from the EU to a third country (e.g., India).

Immediate Steps?

It remains to be seen what the UK’s international data transfer mechanism will look like post-Brexit.  Will the UK adopt the EU’s SCCs, such as, Israel and Switzerland have done?  Will it develop its own form?  With so much uncertainty surrounding post-Brexit international transfers, it is recommended that organisations review their existing data transfer solutions now and determine what steps should be taken to minimise any post-Brexit disruption of data flows.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.