Data Protection Regulation in the Case of a No-Deal Brexit
When discussing Brexit, data protection might not seem like a priority. It seems people are more preoccupied with what will happen to their holiday plans, the contents of their shopping basket, or their Christmas markets. However, the importance of data regulation for businesses post-Brexit is crucial, especially in the case of a no-deal.
The UK government recently released a paper on the various topics of a ‘no deal’ Brexit, one of which was on the data protection regulation. In such a case, if no agreement has been made covering data protection, the Government are advising all organisations to prepare appropriate legal work and contracts to ensure that the transfer of European Union Citizens’ personal data to the UK is compliant with privacy laws.
It has been noted that the UK faces the prospect of being regarded as a ‘Third Country’ once it leaves the EU. As a result of this, the transfer of personal data from organisations in the EU to organisations in the UK will be subject to stricter transfer rules, as mentioned in the EU General Data Protection Regulation (GDPR).
There has been speculation about whether the UK will be given ‘adequacy status’. ‘Adequacy’ is the term given to countries outside the EU that have data protection measures which are deemed essentially equivalent to European standards.
Countries with adequacy are not bound by the appropriate safeguard requirements set out in Article 46 and Article 47 of the GDPR and personal data can flow unrestricted. The UK would firstly have to demonstrate that it is a safe place for data processing so that restrictions on the transferred data are not imposed.
However, unless a Brexit deal is reached between the UK and the EU which covers data protection and data transfer arrangements, the UK will not be automatically awarded adequacy status. The European Commission would have to impose an assessment process first. Despite repeated requests from the UK Government for this process to already start, the Commission’s current position is that it will not commence the process until the UK has left the EU and become a ‘Third Country’.
Currently, there are concerns about the UK’s crime and national security legislation, in particular the controversial Investigatory Powers Act 2016, which has been criticised by the European Court of Human Rights for giving too much power to security and intelligence services which could violate individual privacy.
What would that mean for businesses? The government has stated that the transfer of personal data from the UK to EU member states will remain unaffected. This will be different for the transfer of data from EU organisations to UK ones. The Government is advising that, for the majority of organisations, the most relevant legal basis for such transfers would be the Standard Contractual Clauses (SCCs). These EC-approved data protection clauses need to be embedded within contracts or added as an appendix to an existing contract. They cover the contractual obligations between both parties to protect the rights of the individuals whose data is being transferred.
Businesses should also consider whether their organisation is currently relying on the EU-US Privacy Shield. In the cases where it is, it would need revisiting as the UK will no longer be part of this arrangement after Brexit.
If an organisation has processing activities in both the EU and the UK, following Brexit, it is likely that the organisation will be subject to regulatory responsibilities under both the EU and the UK versions of the GDPR. This may require businesses to appoint a separate data protection officer (DPO) for both the UK and the EU or appoint a local representative in the EU/UK where they are processing data from outside the jurisdiction. It could also require them to nominate a new supervisory authority in the EU as well as registering with the ICO for processing activities in the UK.
Ellie Nikolova