Lately, we have received questions about what will happen to previously-obtained permissions and data transfers to the UK once Brexit happens. Many companies today are relying on the General Data Protection Regulation (GDPR) as their manual when it comes to data transfers, permissioning, and much more. The question really seems to be coming from companies that have multiple data centers around in the EU, including the UK.
In short, GDPR will continue to apply to the UK once it leaves the EU, although the picture is a little muddy. The UK has long been committed to bolstering data protection laws and harmonizing these with the EU. In fact, the UK was one of the key contributors to the creation of GDPR law, and the UK had its own laws on the books since the early 1970s. As a result and in the worst case, GDPR will be incorporated into UK domestic law as part of the European Union (Withdrawl) Agreement and will continue to function alongside the UK Data Protection Act 2018. If you recall, each EU member state has to pass its own legislation to actually bring GDPR into its law books, and each implementation can have its own additions and exemptions.
Even though the UK is planning to leave the EU, the UK will still need to comply with the GDPR. One reason for this is the cross-over period between the GDPR coming into force and the UK exiting the EU. The UK will need to comply with the Regulation while it is still a part of the EU. So, even when Brexit does occur, this doesn’t mean they are 100% separate from the EU yet.
One of the issues to consider is how the UK faces the prospect of being regarded as a third country when it exits the EU fully after the transition period. The transfer of personal data from organizations within the EU to other organizations in the UK will still be subject to strict data transfer rules, as set out by the EU GDPR. The UK Government has stipulated that following Brexit, it does not intend to apply these restrictions on transfers of personal data from the UK to the European Economic Area (EEA). Therefore, UK organizations will continue to be able to send personal data to organizations in the EEA. UK organizations will also be able to continue to rely on the EU/US Privacy Shield scheme to send personal data to registered entities in the US but only where the US entity has updated its privacy notice to expressly extend protection to transfers from the UK.
However, after Brexit, it is possible that EU organizations will have to ensure their transfers to the UK are lawful, and that might not be as simple as it is now. The EU has not, however, granted similar modifications in respect of transfers to the UK. Following Brexit, transfers of personal data from the EEA to the UK could be restricted. This will have a major impact on any organization that routinely transfers personal data from the EU to the UK.
One such alternative is the use of standard contractual clauses (SCCs). These EC-approved data protection clauses, often known as model clauses, need to be embedded within contracts as we do here at Osano. These provide a means for organizations to bake in GDPR-style data protections into contractual arrangements, acting as terms and conditions that require both parties to agree to and sign. These are particularly useful for sending data to countries like the US in which data protection laws are not deemed adequate by the EU to protect European citizen data.
To move data to the US from the EU, you either have to use Privacy Shield as one of your mechanisms, SCCs, or the more costly Binding Corporate Rules. SCCs cover the contractual obligations between both parties to protect the rights of the individuals whose data is being transferred. The Government is advising that for the majority of organizations, the most relevant legal basis for such transfers would be those SSCs. Model clauses are clearly the way to go.
In the context of Brexit, this means that the UK could use SCCs in the event that a data transfer arrangement is not formalized as part of a negotiated exit. If a negotiated exit does not include a provision for data transfers, or if a no-deal scenario is realized, and/or the UK will need to wait for an indeterminate period of time before an adequacy agreement is reached, then there is an even greater need to create mechanisms such as SCCs.
In terms of an adequacy agreement, will the UK automatically be awarded adequacy status? Unless a Brexit deal is reached between the UK and the EU, the answer is no. The UK government has made clear it will seek an adequacy agreement with the EU, however, the process for this can only start once the UK leaves the bloc. The EU Commission would need to go through an assessment process before adequacy could be granted. On average, an adequacy ruling takes two years to be finalized.
Despite pleas from the UK Government for this process to start, the Commission’s current position is that it will not commence the process until the UK has left the EU to become a third country. The UK was due to become a 'third country' in March 2019, however, the departure date was then postponed until April 2019 and then pushed again to October 2019. Every indication now suggests that the UK will leave the European Union on January 31, 2020.
If the UK leaves the EU with no agreement surrounding data protection and data transfers, the UK Government has stressed, “there will be no immediate change in the UK’s own data protection standards. This is because the UK Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.” It is widely hoped this will go a long way in persuading the EC to grant adequacy. We hope the UK will be given 'third country' status - and again, countries in this category will need to show their data protection laws are robust if they are to secure an adequacy agreement, a requirement to ensure the smooth flow of data to and from the EU and the UK.
- The GDPR and related EU privacy laws will continue to apply to the UK during the transition period.
- The UK must continue to interpret and apply the GDPR and related EU laws consistent with wider EU legal principles. The UK courts will continue to apply the decisions of the Court of Justice of the European Union (CJEU) and changes in EU law through the transition period;
- The CJEU will continue to have jurisdiction in the UK, and decisions on the GDPR may be referred to the CJEU during the transition period;
- All references in EU law to ‘Member States’ and competent authorities of the Member States are to be understood as including the United Kingdom and its competent authorities during the transition period. Importantly, this means the UK will continue to be treated as a Member State for the purposes of the GDPR and so not be subject to the restrictions on data transfers to a ‘third country’ during the transition period.
- EU Member States must continue to apply GDPR in a way that does not discriminate against the UK.
It’s not time to fret just yet. We expect that all countries involved have an understanding of the huge impacts on their data-driven economies if they create divisions preventing needed data transfers. The UK and EU have negotiated the Withdrawal Agreement as a basis for securing a smooth transition in the immediate aftermath of the UK’s formal departure from the EU. The Agreement provides for a transition period until December 2020 (unless extended) during which the UK will remain subject to all EU laws (other than those expressly excluded within the Withdrawal Agreement).