With the vote on the draft Withdrawal Agreement pending and recent political uncertainties, it has become advisable for businesses to prepare for a no-deal Brexit. The Department for Digital, Culture, Media & Sport ('DCMS') and the Information Commissioner’s Office ('ICO') have respectively published guidance notes and blog posts warning companies to take steps to ensure the free flow of personal data in the event of a no-deal Brexit. Following these publications, a draft 'Data Protection, Privacy and Electronic Communications (Amendments etc) (EU exit) Regulations 2019' has been put to Parliament, listing the key amendments to be made to UK data protection laws. Details of the DCMS’, the ICO’s and the government's proposals for data protection regulations after a no-deal Brexit are as follows.
Dual data protection regime
Upon Brexit, the UK will bring GDPR into national law with limited amendments to the current wording of GDPR. The extra-territorial nature of GDPR means that many UK companies will also continue to be subject to GDPR after the 29 March exit date. Whilst the UK legislation will help ensure data subjects’ rights are protected after Brexit, it will not be sufficient to maintain the free flow of personal data between the UK and the EU27 if the UK leaves without a deal.
International Transfer
Under GDPR, transfers of personal data to non-EEA countries ('third countries') are restricted unless one of the appropriate safeguards or exemptions is available, including Standard Contractual Clauses ('SCC'), Binding Corporate Rules ('BCR') and adequacy decisions. Upon the exit date, the UK will become a third country. Transfers of personal data from the EEA to the UK will therefore be restricted. Meanwhile, transfers from the UK to the EEA and the rest of the world may also be restricted under the UK GDPR-equivalent legislation.
Transfers from the UK to the EEA and countries with EU adequacy decisions
The DCMS confirms that the UK government will transitionally recognise all EEA states, EU/EEA institutions, and Gibraltar as providing an adequate level of protection for personal data. This means that personal data can flow freely from the UK to the EEA. Similarly, the UK will preserve the effect of adequacy decisions made by the EU Commission prior to the exit date.
It is worth noting that the EU’s adequacy decision in relation to the US was limited to organisations certified under the EU-US Data Privacy Shield. Therefore, upon the exit date, UK companies transferring personal data to the US must check whether the relevant US organisation has confirmed it will extend its commitment to the Privacy Shield to transfers from the UK. The US Department of Commerce has required Privacy Shield participants to make such amendments to privacy notices by the exit date in the event of a no-deal Brexit.
Transfers from the UK to the rest of the world
Most transfers from the UK to the rest of the world will be restricted under the UK's GDPR-equivalent legislation. The UK government will recognise current EU SCCs and BCRs authorised by the ICO as a valid basis for restricted transfers. By recognising GDPR safeguards as valid under national law, it is hoped that any disruption will be limited. Note, however, that BCRs under GDPR allow the free flow of personal data both within and outside the EEA. Most other EEA countries currently recognise BCRs certified by the ICO under mutual recognition, but from the exit date the EU27 may no longer recognise BCRs certified by the ICO.
Transfers from the EEA to the UK
In a no-deal scenario, how EEA countries should transfer personal data to the UK will become purely a matter of EU law (i.e. GDPR, which the UK government will not be able to influence unilaterally). Despite the UK's compliance with GDPR, it is extremely unlikely that an adequacy decision in relation to the UK will be made by the European Commission before the exit date. The Commission has previously stated that it will not start the adequacy decision procedure before the exit date. EEA data exporters will therefore need to put appropriate safeguards such as SCCs and BCRs in place for transfers of personal data into the UK. However, EU SCCs currently only cover transfers from controllers. It is unclear whether data transfers from an EEA processor to a UK controller will be restricted under GDPR and if so, what alternative safeguards companies can adopt if they do not have BCRs in place.
Appointing representatives
The UK government intends the UK GDPR-equivalent legislation to have extra-territorial effect. This means that a company based in the EEA and not established in the UK will be subject to the UK version of GDPR if it offers goods or services to individuals in the UK or monitors their behaviour. Such EEA companies will be required to appoint representatives in the UK. Similarly, UK companies without EEA establishments will be required to appoint representatives in the EEA under GDPR. Representatives act on behalf of their principals and can be fined by the ICO or EEA data protection authorities for non-compliance.
Dealing with supervisory authorities
Currently, companies carrying out cross-border processing only need to deal with a single EEA data protection authority (the lead authority). Upon the exit date, the ICO can no longer act as a lead authority. UK companies carrying out cross-border processing may therefore be supervised, and potentially fined, by one or more EEA data protection authorities in addition to the ICO. This could have significant implications for data protection indemnities post-Brexit.
PECR and NIS Regulations
The UK government has confirmed that upon the exit date the Privacy and Electronic Communications (EC Directive) Regulations 2003 ('PECR') will continue to apply in the UK. However, the UK will not implement the new draft ePrivacy Regulation. If the new ePrivacy Regulation diverges from PECR, companies will be required to comply with dual regulatory regimes in relation to direct marketing to individuals in the UK and the EU27. Post-Brexit, the Network and Information Systems Regulations 2018 will also remain valid as national law. In order for UK companies to maintain access to EU markets, UK-based digital service providers will be required to appoint representatives in the EU.
How can Burges Salmon help?
Whilst the DCMS' and the ICO's proposals are pragmatic and aimed at limiting disruption to the free flow of personal data, a no-deal Brexit would significantly affect transfers of personal data from the EEA to the UK. Various practical actions also need to be taken by the exit date, such as the appointment of representatives and the updating of privacy notices. If you would like assistance with this, please contact our data protection team.