The UK’s transition period for exiting the EU is coming to an end. At the same time we are receiving more and more enquiries from clients concerned about what Brexit will mean for them in terms of GDPR compliance and their internal data protection policies. Here we consider some of the things you need to bear in mind to ensure you comply with GDPR rules after Brexit.
We’ll be covering:
- The background to GDPR
- GDPR is an EU law. Will it apply after Brexit?
- Does data protection law apply to my business?
- Could I lose access to personal data when Brexit takes place?
- Why might the flow of personal data be interrupted?
- The EU and ‘adequacy decisions’
- So, what should my business do about data protection after Brexit?
The background to GDPR
The need to protect personal data in our data-driven society resulted in a huge effort in Brussels, London and elsewhere to upgrade data protection rules. The result was GDPR, to which the UK signed up as an EU member. In the context of Brexit it’s worth remembering that personal data is constantly crossing territorial boundaries in complex technological ways. The need for this data flow won’t diminish after Brexit, so organisations in the UK need to ensure that they comply with the rules. The main issue for our clients is that, with the UK’s legal relationship with the EU in a state of flux, there is a good deal of uncertainty about what data protection compliance will look like after Brexit.
GDPR is an EU law. Will it apply after Brexit?
Technically GDPR won’t apply in the UK when the transition period ends. But UK businesses will still have to comply with UK data protection law, as the government has indicated that it intends to incorporate all the terms of GDPR into UK law. The new law is likely to be referred to as UK GDPR. In practice, therefore, the processes you have put in place for GDPR compliance will remain relevant and essential. In addition, if you are doing business in Europe involving the use of personal data you will have to adhere to all the EU rules on data protection – including GDPR. This may make it necessary for you to appoint an EU representative for GDPR.
Does data protection law apply to my business?
If you control or process personal data then you are subject to the rules. In fact, there are few businesses in the UK that operate without processing or controlling personal data – even if the only personal data in a business is used to pay staff. Many businesses are much more reliant on personal data than that. And many of them are reliant upon accessing or processing data across the EU. This may simply be because a business supplies into the EU (or takes supplies from the EU) but might also be for more technical reasons: for example, the definition of ‘processing’ (which is a key term in data law) extends to ‘storage’. The effect of this is that if you store your personal data on a server in the Republic of Ireland, then you are processing personal data there.
The statistics indicate that three-quarters of the UK’s cross-border data flows are with EU countries: a great deal of personal data is being shared across the EU.
Could I lose access to personal data when Brexit takes place?
The government has stressed that it wants to maintain the unhindered flow of data between the UK and the EU after Brexit. But, as we explain below, achieving this aim may not be entirely straightforward.
Why might the flow of personal data be interrupted?
Under the EU’s data protection framework, any country other than those in the EU and the European Economic Area (the EEA) is classed as a ‘third country’. On leaving the EU, the UK will be a third country. EU requirements mean that personal data can only be transferred to the UK from the EU when an adequate level of protection is guaranteed.
The EU and ‘adequacy decisions’
The obvious solution here would be for the Government to obtain an ‘adequacy decision’ from the European Commission, certifying that the UK’s data protection regime is sufficiently robust to enable the continued uninterrupted flow of data between the EU and the UK.
However, an adequacy decision is a formal, legislative decision of the EU and it takes time. To date the EU Commission has not made an adequacy decision. Some have suggested that the government’s expressed intention to exclude the Charter of Fundamental Rights from EU retained law after Brexit will make it harder for the EU Commission to confirm that the UK’s data protection systems are adequate. That’s because the EU views the Charter as integral to the protection of personal data.
Added to this, the Court of Justice of the European Union’s recent decision in a case known as Schrems II raises a further question mark over data flow between the UK and the EU post-Brexit. Schrems II concerned data flow between the EU and the US. But the court’s focus on US government surveillance powers as a key reason to find the existing ‘privacy shield’ inadequate (the privacy shield enabled the flow of data between the US and the EU) could have repercussions when it comes to deciding on the adequacy of UK data protection. The UK’s Investigatory Powers Act 2016, for example, allows the UK government to access personal data in certain circumstances that are similar to those of the US authorities highlighted in Schrems II.
So, what should my business do about data protection after Brexit?
The way the flow of data between the UK and the EU is regulated after Brexit will depend largely on whether or not the EU agrees that the UK offers individuals adequate data protection. It may well be that an adequacy decision will not be forthcoming. In such a scenario, UK businesses will have to find other ways to legitimately transfer data to the EU.
For the moment, however, and until an adequacy decision is reached, the ICO has made clear that most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same. If the sharing of personal data across the EU is a key aspect of your business, then you should keep a close eye on what the government is proposing in relation to this issue so that you can take it into account in setting your medium and long-term strategies. In the meantime, if you would like any support or advice regarding your data protection processes or policies and how these could adapt, our expert data protection solicitors can provide the help you need.