Brexit: Implications on Privacy Compliance

Almost four years after the citizens of the United Kingdom have voted in favor of leaving the European Union in a referendum, Brexit is finally approaching on 31 January 2020. Since the General Data Protection Regulation (GDPR) is part of the EU legal framework which will, in principle, cease to apply in the UK, questions on the impact of Brexit on privacy compliance arise.

What to expect in data protection after 31 January 2020?

The good news is that the scenario of a “no deal”, meaning that the UK would leave the EU without any legal agreement between the two parties in place, is off the table. After the approval of the draft deal negotiated by Prime Minister Boris Johnson by the UK’s House of Commons on 9 January 2020 and by the European Parliament today, the way is paved for an amicable solution.

Part 4 of the draft withdrawal agreement provides for a transition period, entailing the legal effect that EU law will remain applicable in the UK until 31 December 2020, including the provisions of the GDPR. In other words, from a legal point of view, the UK will generally be treated as if would still be a member of the EU for the duration of the transition period, even though its formal membership already ceased.

The UK governments aims to negotiate an agreement to govern the future relations with the EU during the transition period. As this seems politically quite ambitious, the withdrawal agreement includes a backdoor to extend the transition period for up to 1 or 2 years in its Article 132. Such decision is in the hands of a joint committee, consisting of representatives of the EU and the UK, and subject to a deadline on 1 July 2020.

While the European Commission president Ursula von der Leyen warned that it would be “impossible” to negotiate a ready-to-go agreement by the end of 2020, Prime Minister Johnson’s Tory party promised its voters in the manifesto for the UK general elections in December 2019 to stick to this tight schedule and to refrain from triggering the extension. Whether or not the transitional period will be extended is likely to become a last minute decision at the end of July.

What to expect in data protection after the Brexit transition period?

After the (extended or not) transition period elapsed, under the British EU Withdrawal Act, the GDPR will be transposed into British law (“UK GDPR”) and amended by the UK Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. This new legislative framework, which has been adopted by the UK parliament in anticipation of Brexit, means that the new British privacy laws will follow the regulatory concept of the EU GDPR. Companies complying with the EU GDPR will therefore face no need to substantially alter their current processes in general. However, at least two aspects deserve specific attention.

International Data Transfers

Brexit will trigger applicability of special previsions when it comes to international data transfers. Under the EU GDPR, the transmission of personal data from the EU to vendors (e.g. cloud and hosting services, IT threat detection and maintenance), business partners or affiliates based outside the European Economic Area (so-called “third countries”) require additional safeguards. After Brexit, the UK will be regarded as such a “third country”.

Under the GDPR, free flow of data towards third countries is only guaranteed where the European Commission has explicitly stated that the country is ensuring an adequate level of data protection (so-called “adequacy decision” under Art. 45 GDPR), as it did with regard to, for example, Japan, Canada, Switzerland, and, to the extent the receiving company is certified under the EU-US Privacy Shield, the US. Since the UK “transplanted” the EU privacy standards into national laws, it is likely that the European Commission will also adopt such an adequacy decision for the UK after Brexit.

EU negotiators warned, however, that the initial transition period of 11 months may be too short to finalize a deal on data transfers, as the Financial Times reported. According to European Data Protection Supervisor, Wojciech Wiewiórowski, reaching an agreement within the transition period “is still possible but it is hard”. The biggest impediments concern the conditions for British secret services to access personal information in the UK, since the UK will not be subject to the EU legal framework for intelligence anymore.

For data transfers between the EU und the UK, in the absence of an adequacy decision, companies must rely on alternative instruments for ensuring GDPR compliance. The most common frameworks to safeguard international data transfers acknowledged under Chapter 5 of the GDPR are “Binding Corporate Rules”, covering international intragroup data transfers and subject to approval by EU supervisory authorities, and the so-called “Standard Contractual Clauses”. The latter is a set of standardized contract addenda, imposing various privacy obligations on the data exporter or importer outside the EU. Companies would be required to review existing contracts and, if required, to roll-out contract amendments with business partners.

Companies sharing data between the UK and other non-EU states should review the requirements under the new UK GDPR. The adequacy decisions issued by the European Commission will cease to apply for such transfers, and the competence for issuing such decisions under the UK GDPR lies with the UK Secretary of State. It is expected that the UK will adopt the EU’s adequacy decisions, however, particularly regarding existing EU-US Privacy Shield certifications, the technical details are unclear yet, especially whether companies will have to formally apply for a separate framework, even if it is based on the very same principles.

UK representatives

Under Art. 27 UK GDPR, companies falling within the scope of UK privacy laws but without any establishment in the UK (the criteria of the EU GDPR for determining the territorial scope apply respectively, i.e. non-UK companies aiming at the UK market are subject to the UK GDPR) must appoint a data protection representative in the UK.

We at EU-REP.Global are preparing for such requirement and will be able to provide a UK representative service. We stay tuned with the legal developments and will inform our customers in case any adjustments of privacy policies become necessary.

Overall, …

… there is no need to panic, as the transitional period grants legal certainty at least until the end of 2020. Given the UK legislative framework for post-Brexit, no need for major adjusments is to be expected after the transitional period. Companies should, however, keep track of the EU-UK trade deal negotiations and their impacts on international data transfers between the EU und the UK. The same applies for “adequacy decisions” taken by the British government with regard to the future of data transfers between the UK and non-EU countries.