Impact of Boris's Brexit on UK Data Privacy
So, the UK has a new prime minister.
Boris Johnson has begun his term by assembling his team, following a large-scale clear out of cabinet, with former chancellor Philip Hammond and former foreign secretary Jeremy Hunt among those going.
But this article is not about the who's-who of Mr Johnson's new cabinet. Nor is it about the promise to bolster the police force by promising a further 20,000 officers, or the promise to sort out social care across the country.
What is firmly in the minds of the UK population is whether or not Boris can deliver on his Brexit promise - that the UK will leave the European Union by 31 October – “no ifs, no buts”.
However, what businesses around the world with commercial interests in the UK want to know now, is...
What does Brexit mean for data protection in the UK?
Thousands of businesses, not only across the EU but also further afield, have implemented processes, policies and procedures in order to achieve GDPR compliance - many at considerable cost - to protect their sales of products and services to EU customers.
So, with just 99 days to go until (according to Mr Johnson) the United Kingdom leaves the EU, the uncertainty continues as to how the new PM will orchestrate the UK's exit – with or without a deal.
Deal or No Deal?
Currently, as a member state of the EU, Britain duly implemented the General Data Protection Regulation (GDPR) in May of last year. Since then, it has benefited from the unrestricted flow of personal data between the UK and the rest of the EU.
If (and it's a huge IF) the new prime minister is able to agree a “better deal” (Withdrawal Agreement) with his EU counterparts, the UK and EU will enter into a transition period, during which the two parties will endeavour to agree a new, longer-term trade deal.
At least, that's the theory.
However, as everyone knows, Boris's predecessor, Theresa May, failed to win over EU leaders, Messrs Juncker and Tusk, and instead returned to Parliament after each visit with what the House considered was an acceptable deal.
Despite several attempts by the then prime minister to persuade politicians that what she presented was the best deal available, she failed to deliver Brexit, much to the increasing frustration of the nation.
...but I digress. Back to data protection...
If the UK leaves WITH a deal
During the aforementioned “transition period”, Britain will have to abide by all EU rules regarding data protection. This means that EU residents' personal data can continue to flow freely.
In the interim, the EU will consider whether the UK’s data protection practices are, in essence, the same as the EU's GDPR, and will “endeavour to adopt” an adequacy decision that will ensure the continued free flow of personal data following the transition period.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.
If and when the UK leaves the EU, it will be assessed just like any other country that requests to be included under an “adequacy decision”. But even though Britain has implemented the GDPR, there is no absolute guarantee of receiving an affirmative adequacy decision from the EU.
The EU will pick through every aspect of the UK's data protection arrangements with a fine-tooth comb, with a particular focus on the rule of law, as well as the degree to which public authorities have access to personal data.
As a precautionary measure, the UK has already incorporated the GDPR into UK law with references to EU legislation, rather than referring to appropriate UK bodies and incorporated legislation.
If the UK leaves WITHOUT a deal
In the event of the UK exiting the EU in a “no deal” scenario, it will still incorporate the GDPR into UK data protection law. However, the UK will be viewed as a third country by the European Union.
In this scenario, businesses are advised to consider the following actions:
Data Privacy Documentation
Review all documentation regarding data privacy, contracts, and other agreements including references to the EU, UK, and the European Economic Area (EEA) and apply updates where necessary.
International Data Transfers
Map all transfers of personal data between the UK and EU/EEA. With respect to transfers from the UK to EU/EEA, the British Government will view the EU/EEA as adequate. The laws of any other country that has already received an adequacy decision will also be viewed as adequate by the UK.
With regard to personal data transfers from the EU/EEA to the UK, the EU will view the UK as a third country. The EU/EEA will not consider the UK “adequate”. Therefore, any such transfers will need to be transacted on another lawful basis, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs). In time, the EU will examine the UK's adequacy. However, it is considered unlikely that there will be an agreed time frame in which to complete this process.
In this scenario, businesses must ensure that appropriate safeguards are in place - or that there is an exception that can be relied upon - in order to transfer personal data from the EU/EEA to the UK lawfully.
If the safeguard is based on BCRs, businesses should think about the location of the current lead authority. If the lead authority is the UK, it must be changed to an EU lead authority. Also, BCRs would need to be updated to ensure that the UK is considered a third country. The UK and the EU would both need to approve any future BCRs.
Companies that are based in the UK and do not have business operations in the EU, but target EU data subjects, or monitor the behaviour of EU data subjects, should consider whether they need to appoint an EU representative.
The UK will also replicate this provision, where a business is based outside the UK, but targets data subjects in the UK, or monitors the behaviour of data subjects in the UK, in which case a UK representative should be appointed.
If a data breach occurs in both the UK and in the EU, then the business will need to report the breach to both the Information Commissioner's Office (ICO) and the relevant EU data protection authority. It is possible that this could lead to financial penalties being imposed by both the ICO and the EU data protection authority.
What if Brexit is delayed AGAIN?
Despite the bold promise by Boris Johnson that Brexit will happen on October 31, three months is a long time in politics, so anything can happen in the next 99 days.
At the time of writing, there is no way of telling whether Brexit will be delayed, or even halted altogether!
What is clear is that, until the UK exits the EU, nothing is likely to change. While the UK is still a member of the European Union, personal data can continue to flow freely.
Further reading: Data protection after Brexit