- Friday, September 13, 2019
As the 31 October deadline approaches, the continuing deadlock between the UK government and the EU is bringing the prospect of a 'no-deal' Brexit ever closer. Our data protection expert Jon Belcher looks at the implications for data protection.
Back in January 2019, we published an article on the potential data protection implications of a no-deal Brexit. At the time, Theresa May's government had just suffered a heavy defeat in the House of Commons on the withdrawal agreement, and people were beginning to seriously consider the UK leaving the EU without an agreement.
Politically, an awful lot has happened since then – the extension to the Article 50 period to 31 October, the European elections, a change of Prime Minister and now the potential proroguing of Parliament. But despite all of those changes, there has been no meaningful progress on reaching a withdrawal agreement acceptable to the House of Commons.
Of course, there is still time for a new withdrawal agreement to be passed, or for a change of government seeking a further extension or even revocation of the UK's Article 50 notification. And who would be brave enough to predict what will happen next? But in the absence of some intervening event, it remains the default position that the UK will leave the EU without a deal on 31 October. In the circumstances, organisations who have delayed thinking about their Brexit planning should not put it off any longer.
Data protection is one area of law that has always had an international dimension, and where the EU has taken a leading role. Organisations in the UK will already be familiar with the General Data Protection Regulation (GDPR), which came into force in May 2018. In the event of a no-deal Brexit, the GDPR would cease to apply to most UK organisations. However, the UK government has already laid regulations to replace the GDPR with an (almost) identical 'UK GDPR', which would apply instead. In practice, many organisations are unlikely to notice the difference.
There is one crucial area where data protection will be impacted by a no deal Brexit. This relates to the rules around data transfers between countries. Most organisations are familiar with using cloud services, engaging service providers to host their data or to provide outsourced data processing activities. Where this happens, personal data is transferred to and stored elsewhere, often in countries outside of the UK.
The GDPR is a stronger law than most equivalent legislation around the world and gives various rights to individuals. In response to concerns these individual rights could be weakened by sending data outside of Europe, the GDPR contains restrictions on transferring personal data to third countries outside of the European Economic Area. These include where the European Commission has determined that a country has equivalent laws (known as an 'adequacy decision'), or where transfers are on the basis of standard contract clauses that have been approved by the European Commission. There are no restrictions on data flows between countries within the EU.
In the event of a no-deal Brexit, the UK would automatically become a "third country" on leaving the EU. Data flows from the EU to the UK would therefore become subject to the restrictions contained in the GDPR. The UK government hopes that the UK will be granted an adequacy decision, which would enable data to flow between the EU and the UK unrestricted, but this is likely to take time. According to the recently leaked Operation Yellowhammer report into the UK government's no-deal preparations, in the event of a no-deal Brexit an adequacy decision "could take years". There should be no such immediate problems for data transfers from the UK to the EU, because the UK government has stated that it intends to allow these to continue unrestricted. However, the transfer of data to the US under the EU-US Privacy Shield may be affected, because the UK would no longer be a party to those arrangements.
All of this means that organisations in the UK need to consider their data flows. Where does their personal data come from? Where is it held? Where is it sent to or accessible from? If personal data is received from or sent to locations outside the UK, you need to take action. This includes checking current contracts and, where necessary, putting in place revised arrangements such as the standard contractual clauses to ensure that there will be no disruption to those data flows in November.
A no-deal Brexit could have more profound effects for organisations operating in or selling into multiple jurisdictions in Europe. The GDPR applies to organisations outside of the EU which offer goods or services to, or monitor the behaviour of, individuals within the EU. This means some UK companies will need to continue complying with both the GDPR, as well as the new UK GDPR, after a no-deal Brexit. If your organisation is in this situation, you should seek specialist advice on the steps you should be taking now to prepare.