Data Protection & Brexit: What we now know (or at least can guess!)

20.11.2018

What will happen to UK data protection law?
Upon the UK leaving the EU, the GDPR will be transposed into the UK’s domestic law by way of the EU (Withdrawal) Act. The Data Protection Act 2018 (the “DPA 2018”) will continue to apply ‘as is’. Sorry folks, the GDPR is here to stay.
However, Brexit gives rise to two key areas of uncertainty:
1. data transfers from the EU to the UK; and
2. co-operation between the EU supervisory authorities and the ICO (including over enforcement).
The outline framework, which was published on 14 November 2018, gives us an indication of what the EU and the UK are hoping to achieve by a Brexit deal:
“Commitment to a high level of personal data protection. Commencement of the Commission’s assessments of the United Kingdom’s standards on the basis of the Union’s adequacy framework, endeavouring to adopt decisions by the end of 2020. In the same timeframe, the United Kingdom will take steps to ensure comparable facilitation of personal data flows to the Union. Appropriate cooperation between regulators.”
In the event of a ‘no deal’ scenario, the ICO and the supervisory authorities could still agree informal arrangements on transfers and/or regulatory co-operation, including a moratorium on enforcement for transfers to the UK.
Update: The draft Political Declaration (published 22 November) re-states the intention in the framework, but in slightly fuller terms. However, no additional substantive detail is given.
Will the DPA 2018 apply to my business post-Brexit?
A fairly important question – do you even need to worry about UK law?
Country of incorporation | Will the DPA 2018 apply?
UK businesses | Yes. Processing of personal data will take place “in the context of” a UK establishment, and the DPA 2018 will apply.
EU businesses | Unclear. Currently the DPA 2018 does not apply at all to non-UK controllers who are processing personal data in the context of an establishment in another EU member state, but not a UK establishment.

Consequently, a controller (or processor) that is processing personal data in the context of, say, its French establishment, will not be subject to the DPA 2018, even if the data subjects are in the UK and the processing relates to the offering of goods and services in the UK or the monitoring of their behaviour.
Once the UK leaves the EU, it will be interesting to see whether the UK Government and/or the ICO continue to be happy leaving EU regulators to regulate ‘overseas’ EU controllers and processors, even when processing personal data of UK nationals.
Rest of World businesses | Yes, if the processing relates to goods or services offered to data subjects in the UK or the monitoring of their behaviour in the UK.

What happens during the ‘transition period’?
Theresa May’s controversial deal concerns arrangements during the Brexit transition period, from 29 March 2019 to 31 December 2020. The draft withdrawal agreement proposes that:
• The GDPR will continue to apply in the UK during the transition period in respect of non-UK data subjects (based on location, not nationality), unless and until the UK receives an adequacy decision. If for whatever reason this adequacy decision is repealed, the UK must ensure a level of protection which is “essentially equivalent” to EU law. Crucially, this suggests there would be no need to implement a data transfer solution before the end of the transition period.
• The EU cannot treat personal data obtained from the UK during the transition period differently to personal data obtained from an EU Member State, solely on the basis that it comes from the UK (i.e. it cannot permit a lower standard of protection for UK personal data).
What do we know about data transfers?
Brexit affects both the regime for transferring personal data to the UK from the EU, and from the UK to the EU and the rest of the world.
It is transfers from the EU to the UK which are of greatest uncertainty, and the focus of the Brexit negotiations.
If we get a deal: Under the outline framework, in a ‘deal’ scenario the Commission will begin its assessment of the UK’s standards, “endeavouring” to adopt an adequacy decision by 2020. In the same timeframe (albeit we assume this will happen much sooner), the UK will take steps to ensure comparable facilitation of personal data flows to the EU. Assuming the Commission adopts an adequacy decision, organisations will not need to take any steps to address transfers of personal data from the EU to the UK.
If there is no deal: In the absence of a deal, however, organisations will need to implement a data transfer solution which is recognised by EU law, for any transfers from the EU to the UK. This would be the Standard Contractual Clauses or Binding Corporate Rules (for those who have them). By the end of the transition period, we may also see Codes of Conduct or certifications being available as a transfer mechanism.
Transfers from the UK are likely to be much more straightforward, because the UK Government and the ICO are keen to ensure the transition is as smooth as possible.
The UK Government has confirmed that the UK will permit transfers from the UK to the EU. For other transfers from the UK (including to the US), it seems likely the UK will adopt equivalent adequacy decisions for those ‘white list’ destinations already recognised by the EU Commission, as well as recognising the EU’s Model Clauses as ‘appropriate’ safeguards.
The Privacy Shield has the potential to be slightly more problematic. The Privacy Shield is a treaty between the EU and the US which – post-Brexit – the UK would have no claim under. In the long-term, the UK may look to agree its own version with the US on identical terms, as Switzerland has done. In the short-term, however, the UK may still decide to recognise Privacy Shield as adequate.
What about breach notification and enforcement – could I be fined twice?
Once outside the EU, the ICO will no longer be part of the GDPR’s new ‘One-Stop-Shop’ regime, or bound by the co-operation and consistency rules in the GDPR. There are two main consequences of this:
1. Breaches, which need only be reported to a controller’s ‘lead supervisory authority’, will also need to be reported to the ICO if the controller is subject to the DPA 2018.
2. Organisations could face separate enforcement action in the UK, alongside enforcement from the EU under the One-Stop-Shop, potentially resulting in duplicate fines.
It seems likely the ICO will continue to want to work closely with its EU counterparts, including by information-sharing and co-operation. The framework for a deal suggests an arrangement for “appropriate co-operation between regulators”, but unfortunately no more detail is given.
Ultimately, the ICO would still be issuing its own enforcement decision; however, it could, in some instances, defer to the enforcement action of the EU (i.e. decide this was sufficient).
What if the ICO is my lead supervisory authority?
Given the number of international businesses headquartered in the UK, a significant area of uncertainty is whether these businesses will be entitled to the One-Stop-Shop. It remains to be seen whether these businesses will be able to designate another establishment (i.e. in the EU 27) as their main establishment in the EU or whether, as non-EU controllers, they will be denied access to the One-Stop-Shop regime altogether.