Brexit and the GDPR: What Happens Next for EU-UK Data Transfers?
One of the main pieces of law to impact the EU data sphere in the past few years has been the introduction and the application of the General Data Protection Regulation (EU) 2016/679 (GDPR).
This Regulation is today seen as one of the leading examples of data protection and has led to the emergence of a new global standard, inspiring countries such as Canada, India, China, Chile, Brazil and Australia. The GDPR’s effect is global, not just European, as the legislation applies to all EEA citizens and businesses, and international transfers of data.
However, as the UK formally left the EU on 31st January 2020 and is now in a transition period until at least 31st December 2020, how closely in line with the GDPR will the UK’s data protection regime operate in a post-Brexit environment?
Current regime under the transition period
The United Kingdom formally departed the European Union on 31 January 2020. The UK is currently in a transition period until 31 December 2020, at which date, the UK will no longer be bound by EU laws. During this period, neither the rights accorded to data subjects under the GDPR, nor the obligations imposed on data processors and data controllers will change (i.e. the GDPR remains applicable in full force, as does all EU legislation and such legislation deriving from the EU as implemented in national legislation).
If the UK is unable to negotiate a trade agreement before our de facto departure in December 2020, or this appears to be unlikely, the UK has until 30 June 2020 to request an extension of the transition period, which may be extended to 31 December 2021 or even 31 December 2022.
If such an extension is granted, the GDPR will remain applicable in its current form for an even longer period.
Adequacy decision
Beyond this transition period, the UK is expected to be awarded an adequacy decision by the EU. Personal data can currently be transferred freely between European Economic Area (EEA) countries; however a separate regime applies to countries outside of this group.
An adequacy decision is a “finding by the European Commission that a third country, territory, specific sector in a third country or an international organisation offers levels of data protection that are essentially equivalent to that within the EU”.
Essentially, this would mean that the same level of data protection would continue to apply in the UK. Being awarded an adequacy decision would allow cross-border data transfers (international transfers) without the need for further authorisation by a national supervisory authority. This would be good news for all those conducting business between the UK and EEA as all processes of data transfers that currently exist would be able to continue without any substantial further steps required, except for updating privacy policies, notices and relevant contracts.
One would assume that the UK, a country that is already fully GDPR-compliant and one of the leaders in European data protection, with the UK Information Commissioner’s Office (the ICO) issuing the most detailed and respected guidance in this area, would have a high likelihood (if not a certainty) of being awarded an adequacy decision.
When you couple this with the volume of business that is conducted between London and other European financial centres, it would make sense for the EU to award such an adequacy decision in order to maintain a standard regime across Europe, regardless of the other divergences that we will inevitably be seeing in the coming years.
Furthermore, the European Commission has stated, albeit in a non-binding political declaration and before our actual departure in January 2020, that it would aim to reach a decision on the UK’s status before the end of the transition period in December 2020.
However, we must also take into consideration that the EU has only recognised 13 countries so far as providing adequate protection: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework, which has been analysed in our previous articles). Most of these assessments took 5 years, with the fastest assessment being 18 months for Argentina. In comparison, there remain merely 9 months before the end of the UK’s transition period. Thus, even if an adequacy decision is granted at a later stage, we will experience a period of interruption in relation to the free flow of data with our European neighbours.
Furthermore, in the European Data Protection Board (EDPB)’s opinion on the EU-UK future data protection relationship, the Board highlighted that the assessment of such a status being awarded should be done with special regard to the Law Enforcement Directive “given the specific situation of the UK” and that “any substantial deviation from the EU data protection acquis that would result in lowering the level of protection would constitute an important obstacle to the adequacy findings”. This could be a reference to the UK’s new agreement with the US in relation to data sharing for national security purposes, as mentioned below.
What will happen in the case of no adequacy decision?
As detailed above, there is no guarantee that the UK will be awarded an adequacy decision.
In the event that an adequacy decision is not awarded before the transition period ends on 31 December 2020, transfer of data between the UK and the EEA would not be prohibited entirely, as such a practice is not only commercially detrimental to all those involved, but also completely unfeasible in practice. Instead, such transfers will have to meet certain legal safeguards.
The onus will be on businesses to ensure compliance with these legal safeguards on a case-by-case basis and the most prudent way of doing this is through adherence to the Standard Contractual Clauses (SCCs). The SCCs are standard sets of T&Cs between the data sender and data recipient that allow for contractual obligations in compliance with the GDPR in the absence of an adequacy decision in the territory to which data is being transferred or membership of the EEA of one of the parties. However, in line with Article 46 GDPR, these clauses must be adopted in their entirety and must be unaltered. Additional safeguards can be adopted in a written agreement between the parties, provided that such provisions do not contravene, directly or indirectly, the provisions of the SCCs or the rights they grant to data subjects.
Implementing SCCs will therefore require creating or updating existing agreements/contracts between the parties sending and receiving such personal data. If you are a business who has international transfers of personal data, you will have to ensure that your actions are GDPR-compliant by reviewing existing contracts and/or seeking legal advice.
However, the validity of such SCCs is currently being contested in Schrems II, detailed in our earlier article (Are the Standard Contractual Clauses Still Valid?). The AG opinion states that the SCCs are still valid and even if such an opinion is not binding on the Court of Justice of the European Union, it is a reliable indicator of how the court will approach the issue. However, the creation of uncertainty on the validity of such SCCs, and the lack of an adequacy decision for the UK, could create a risk that some European companies reduce or stop their business with their UK counterparts.
Trends in the UK sectors
An interesting takeaway from the analysis of the impact of Brexit as a whole on UK industries, and the applicability and importance of the GDPR on UK industries, is that we can see a negative correlation between the two.
The sectors that are least likely to be detrimentally affected by Brexit as a whole (tech, telecommunications and R&D, which in some cases are seeing staggering growth regardless of the current sluggish economic climate) are those that have the most exposure to the GDPR in the course of their business activities.
Sectors that are expected to be hit the hardest (the iron and steel industry, automotive, manual labour) are those that have less exposure to the GDPR in the course of their principal day-to-day activities.
Additionally, sectors in the middle that are expected to see some detrimental effects of Brexit but have good odds of surviving, such as the finance industry with the issue of EU passporting rights and the health industry in terms of R&D and sharing of clinical trial data, have consistent exposure to the GDPR in order to facilitate their business activities.
Therefore, the importance and applicability of data protection laws will remain a key economic consideration of the post-Brexit story and as such, the UK government would be wise in ensuring that they are able to do everything within their power to be awarded an adequacy status.
Could the UK diverge from the GDPR?
An important consideration with Brexit is the importance that has been placed on the “taking back control” rhetoric on a political level. As such, there could be a risk that, instead of pursuing an adequacy status, or in the event that such a status is not awarded despite the UK’s pursuit of it, the UK government would diverge from the current regime in Europe, as part of a wider anti-EU sentiment.
We have already seen differences in the privacy rights accorded in the UK as opposed to the EU (in the absence of the EU privacy bill being agreed and in force) through the US-UK Cloud Act Agreement, and the UK’s recent choice not to implement the EU Copyright Directive (whilst relating to Intellectual Property matters rather than Personal Data), despite being one of the 19 member states that initially supported the law.
In such an eventuality, UK businesses could expect more obligations to be placed on them, and this is something that they would have to monitor, especially as trade in the 21st century is highly dependent on cross-border data flows, right down to basic internal processes involving cloud-based storage.
Next steps for you…
If you are a business that is concerned about the applicability of the GDPR after the transition period, take care to:
Review your existing flow of data transfers
Review your contracts/agreements that are currently in place and update where necessary
Consider entering into new/revised agreements where applicable
If you have any questions about this article or how your business’ personal data handling may be affected by Brexit, please do not hesitate to contact us!
Article by Komal Shemar @ Gerrish Legal, February 2020 / Cover photo by Ali Yaqub on Unsplash