Data protection and Brexit
Brexit & EU Data Processing
Last updated: 10 January 2020
What will happen to GDPR post Brexit?
When the UK exits the EU, the EU GDPR will no longer be law in the UK.
However, the UK government intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK (the ‘UK GDPR’). It will sit alongside an amended version of the DPA 2018.
The UK government has published a ‘Keeling Schedule’ for the UK GDPR, which shows the planned amendments.
While the key principles, rights and obligations will remain the same, there are implications for the rules on transfers of personal data between the UK and the EEA.
The UK government intends that the UK GDPR will also apply to controllers and processors based outside the UK if their processing activities relate to:
1. offering goods or services to individuals in the UK; or
2. monitoring the behaviour of individuals taking place in the UK.
There are also implications for any UK controller that has an establishment in the EEA, has customers in the EEA, or monitors individuals in the EEA.
In these cases, the EU GDPR will apply to this processing, but the way an enterprise interacts with European data protection authorities will change.
What are the probable key changes?
On exit date there will be two sets of rules to consider:
1. the UK rules on transferring data outwards from the UK.
2. the impact of EU transfer rules on those sending you personal data from outside the UK (including from the EEA) into the UK.
In both cases, it will be permissible to transfer personal data if it is covered by an adequacy decision, an appropriate safeguard or an exception.
If personal data is transferred outside the EEA, as is the case now, the requirement to have arrangements in place for making a restricted transfer under the GDPR will remain.
While no new arrangements for transfers from the UK will be required, the need to put in place safeguards to maintain data flows from the EEA into the UK will remain.
Post Brexit, UK enterprises will be able to make restricted transfers if they are covered by new UK adequacy regulations. Adequacy regulations confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation has an adequate data protection regime.
The UK government intends to recognise the EU adequacy decision made by the European Commission before the exit date. This will allow restricted transfers to continue to be made to most organisations, countries, territories or sectors covered by an EU adequacy decision.
Specific UK arrangements have now been confirmed regarding the recent EU adequacy decision for Japan. This secures the necessary protections for UK data as well as EU data, so that data can continue to flow from the UK to Japan.
Modified arrangements will apply regarding the EU adequacy decision for the EU/US Privacy Shield, as this is an EU/US-specific arrangement. The UK government is making arrangements for its continued application to restricted transfers from the UK to the USA and there is further information on the US government’s Privacy Shield website.
If the UK exits the EU without the Withdrawal Agreement (‘no deal’), then UK businesses will continue to be able to transfer personal data to US organisations participating in the Privacy Shield, provided those organisations have updated their public commitment to comply with the Privacy Shield to expressly state that it applies to transfers of personal data from the UK.
If no adequacy decision covers a restricted transfer, UK businesses should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer.
1. For most businesses, a convenient appropriate safeguard is the use of standard contractual clauses. The UK government intends to recognise EC-approved standard contractual clauses as providing an appropriate safeguard for restricted transfers from the UK.
2. For restricted transfers from the UK but within a corporate group or to a group of overseas service providers, another convenient method of providing an appropriate safeguard is the use of binding corporate rules. The UK government will recognise binding corporate rules authorised under the EU process before the exit date as ensuring appropriate safeguards for transfers from the UK. On that basis, if on exit date UK businesses have in place binding corporate rules covering the UK sender of data and the receiver (wherever located), the personal data may be sent. UK businesses will need to update their EEA binding corporate rules, so that the UK is listed as a third country outside the EEA.
3. Other contractual or policies-based mechanisms may provide appropriate safeguards, but so far none have been approved.
If there is no adequacy decision and no appropriate safeguards, but one of the exceptions listed under the EU GDPR applies, the ICO confirms that UK enterprises will be able to make the restricted transfer. These exceptions will continue under the UK GDPR.
Author: Ronan Smith, Founder