Introduction
The Government has published guidance on how the UK’s data protection law will work in the event of a ‘no deal’ Brexit (https://www.gov.uk/government/publications/data-protection-law-eu-exit/amendments-to-uk-data-protection-law-in-the-event-the-uk-leaves-the-eu-without-a-deal-on-29-march-2019).
Status Quo
As expected, the EU (Withdrawal) Act 2018 retains the General Data Protection Regulation (GDPR) in UK law after exiting the European Union. This means that the day-to-day rules relating to the collection, storage, use and processing of personal data will remain the same for data controllers and data processors within the UK.
The UK will also recognise the countries in the EEA, and Gibraltar, as having an ‘adequate’ level of protection, meaning UK businesses can continue to transfer data to those countries after Brexit.
Warning for importers of personal data from the EEA
However, the guidance confirms that - as it stands - there is no reciprocal recognition from the EU. This means that businesses in the UK cannot be assured of the seamless flow of personal data from the EEA countries. Businesses that rely on data transfers from the EU will need to put alternative mechanisms in place to continue such data transfers.
If your business receives personal data from controllers in the EEA, or data which pertains to EU citizens, you should be prepared to agree alternative data transfer mechanisms with those transferring the data to you. The most typical method used is the inclusion of standard contractual clauses, based on the EU model contract clauses, which will require you and the transferor of the data to enter into a contract variation or new agreement.
Whichever mechanism is used, a decision should be made and actioned/recorded before the UK’s exit (currently 29 March 2019) to allow personal data to continue being transferred after that date.
Other take-aways
Here are a few other points raised in the guidance, which may have an impact on businesses operating in the UK:
1. International data transfers
The UK will transitionally recognise all countries in the European Economic Area (EEA), and Gibraltar, as providing an adequate level of protection for personal data. This means that businesses in the UK can continue to transfer data freely to countries within the EEA after Brexit.
However, the EU and other countries have not yet confirmed that they will recognise the UK as having an adequate level of protection.
The UK will (transitionally) continue to recognise those non-EU countries, which the European Commission has decided provide adequate protection of personal data. Those countries include Jersey, Isle of Man, New Zealand, Switzerland, Canada (commercial organisations) and the United States of America (under the Privacy Shield framework).
2. Standard contractual clauses
The standard contractual clauses for data processing, issued by the European Commission, will continue to be effective under UK law. These are meant to be used for international data transfers, where no adequacy decision has been made and no other basis for the transfer exists.
This means there will be no requirement to amend contracts which use the existing standard contractual clauses. The Information Commissioner will have the power to issue new clauses after the UK’s exit, so for any contracts entered into after exit day businesses should consult on the most appropriate processing clauses to use.
As under the current law, because the UK has recognised the EEA countries and EU-approved countries, this only applies to transfers that cannot be made under another lawful basis. This will need to kept under review as the UK Government has only committed to continue the EU recognition transitionally.
3. Binding corporate rules
Existing authorisations of binding corporate rules will continue to be recognised and, after exit day, the Information Commissioner will continue to be able to authorise new rules under UK domestic law.
4. Extraterritorial scope
The UK will continue the EU’s requirement that businesses outside of the territory, but which process personal data relating to UK data subjects, must comply with the data protection laws. This will apply equally to those within the EU.
Whilst this has little practical impact, it does mean the businesses engaging within the European Union and UK will now have two legal frameworks to contend with, rather than the one framework under GDPR.
The UK data protection laws will be based on authorities, judgements and regulations issued by the UK Government and UK courts, rather than by the European Commission and European Court of Justice, and may diverge further once the dust settles on the UK’s exit from the EU.
5. UK representation for controllers
The GDPR required any controller or processor not established in the EEA to designate a representative within the EEA. The UK Government intends to replicate this, requiring organisations outside of the UK, which process data pertaining to UK data subjects, to appoint a representative in the UK.
As with the scope of the laws, considered above, this results in a degree of overlap and duplication. Organisations may simply be able to appoint the same representative in respect of both the EEA and the UK, but the appointment in respect of the UK will need to be clearly set out (and made distinct from the EEA) in order to comply with the UK data protection law.
Conclusion
The good news is that, for many businesses processing personal data in the UK, it will be business-as-usual as the laws will remain the same. The situation is more complicated for businesses which import personal data from the EEA, or those which are based outside of the UK, but there are mechanisms in place for such businesses to continue transferring and using personal data.
It will be interesting to see what stance the EU takes on data protection in the event of a no-deal Brexit. The ideal for businesses will be that the UK is recognised as providing adequate protection, allowing for seamless data transferring to continue. However, the EU has said in the past that it will not disregard its procedures or cut corners in making an adequacy decision on the UK.
If you would like further advice or assistance with your data protection compliance, please contact us on 0117 928 1910 or email carl.spencer@roxburghmilkins.com.