Brexit and GDPR
After January 31, 2020, the UK ceased to be a Member State of the European Union and, under the terms of the Withdrawal Agreement agreed between the UK and the EU-27, a transition period applies until December 31, 2020.
From a data protection perspective, this has a number of implications. We have summarised the key points below, including what happens after the UK leaves the EU on January 31, the implications for international data transfers, and the likely position after the transition period.
What is the position after January 31, 2020?
- The revised Withdrawal Agreement agreed between the EU and UK in October 2019 and ratified earlier this month establishes a transition period, which will run from January 31, 2020 (the date the UK formally leaves the EU) until December 31, 2020.
- During the transition period, the GDPR continues to apply in the UK. The ICO issued a statement on January 29 confirming that it will be “business as usual” for data protection during the transition period and that organizations will not need to take immediate action during transition. The ICO has also confirmed that organizations should continue to follow its existing guidance during this time.
- The UK Data Protection Act 2018, which supplements the GDPR, will also continue to apply, as will the UK’s implementation of the E-Privacy Directive (the Privacy and Electronic Communications (EC Directive) Regulations 2003).
- Transfers of personal data between the EEA and the UK will not be restricted during the transition period. However, the position may change at the end of transition – see further below.
- UK organizations whose processing is subject to the GDPR do not need to appoint a representative in the EEA during the transition period – though again, the position could change at the end of transition.
- The ICO will also continue to act as a lead supervisory authority and engage in the co-operation and consistency mechanism under the GDPR during the transition period.
- Therefore, the practical impact from a data protection perspective during the transition period is minimal.
What about international data transfers?
- Data transfers from the EEA to the UK and from the UK to the EEA will continue as normal during the transition period, without further steps being required.
- In the revised Political Declaration which accompanies the Withdrawal Agreement, the European Commission confirmed that it will start the assessment process for an adequacy decision for the UK as soon as possible following January 31, 2020, with the intention of adopting an adequacy decision for the UK by the end of the transition period, provided applicable conditions are met.
- However, the Political Declaration is not legally binding. An adequacy decision for the UK is therefore not guaranteed, and securing an adequacy decision within the transition period may prove to be challenging.
- If no adequacy decision (or equivalent arrangement) is in place for the UK by the end of transition and the transition period is not extended, the UK will then be treated as a third country for the purposes of the GDPR restrictions on ex-EEA data transfers and transfers of personal data from the EEA to the UK will need to be legitimised by appropriate safeguards. In practice, this is likely to mean most organizations transferring personal data from the EEA to the UK will need to put in place standard contractual clauses (subject to the outcome of the Schrems II case currently pending before the CJEU), or rely on an alternative data transfer mechanism (e.g. binding corporate rules).
- Under UK data protection law following the transition period, transfers of personal data outside of the UK will be subject to restrictions in a similar way as under the GDPR.
- However, the UK also intends to ensure that personal data can continue to flow freely from the UK to the EEA following the transition period, and intends to recognise the EEA and jurisdictions subject to an adequacy decision by the European Commission at the time of exit as “adequate” for the purposes of UK data protection law. This will allow personal data to continue being transferred from the UK to the EEA without needing to put standard contractual clauses or other safeguards in place (in contrast to the position for EEA-UK transfers).
What will happen after the transition period?
- Although the data protection landscape in the UK following the transition period is not certain, it is likely the UK data protection regime will remain closely aligned to the GDPR.
- The default position following the end of the transition period is that the GDPR will be incorporated into UK domestic law, known as the “UK GDPR”. The UK Data Protection Act 2018 will be updated and sit alongside the UK GDPR.
- If no adequacy decision for the UK is forthcoming by the end of the transition period, companies will need to ensure they address data transfers from the EEA to the UK before the transition period ends.
- The UK ICO will no longer be able to act as a lead supervisory authority under the GDPR after the transition period.
- Organizations in the UK which are subject to the extra-territorial scope of the GDPR (such as UK companies with no offices, branches or establishments in the EEA, but which offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA) will be required to appoint a representative in the EEA under the GDPR.
- In addition, organizations outside the UK whose processing is subject to the UK GDPR (which will mirror the territorial scope provisions in Article 3 of the EU GDPR) will be required to appoint a UK representative.
What should organizations do now?
- During the transition period, there is no need to take immediate action from a data protection perspective.
- However, it would be prudent to use the time during the transition period to put in place measures to address the potential post-transition data protection implications.
- In particular, organizations should:
  - Review current international data transfer arrangements and identify any transfers of personal data from the EEA to the UK (as well as any transfers from the UK to other countries), and prepare to put standard contractual clauses or alternative safeguards in place where necessary.
  - Organizations which have identified the ICO as their lead supervisory authority (LSA) for any of their processing should also review their current LSA positioning and consider whether there is any alternative EU supervisory authority that could act as an LSA for the relevant processing activities (though remember that this is not a “forum shopping” exercise and an LSA cannot be artificially selected).
  - Consider any other steps which may be required after the transition period, such as updates to privacy notices, records of processing, Data Protection Impact Assessments or Data Protection Officer appointments.
Written by Hasnath Ahmed, Solicitor