UK Data Privacy ~ Post-Brexit
BREXIT -- It’s a word that keeps the eyes of UK citizens glued to the latest news …
… OR, it draws a huge groan from a deeply frustrated British population.
If PM Boris Johnson actually achieves his goal and the United Kingdom leaves the European Union on October 31st, it will no longer be an EU member state.
This means that not only will UK residents no longer benefit from the protections provided to EU-based individuals under the GDPR, but U.K. businesses will no longer be required to comply with GDPR Article 3(1), which states:
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
I can’t help wondering how many UK companies realize there could actually be a lot more red tape around data privacy than currently exists!
While it’s relatively well known that the GDPR has seen many copycat versions introduced around the world - California’s Consumer Privacy Act (CCPA) being the most prominent - what is not so well known is the fact that implementations of the GDPR within the European Union can vary from one country to another. In fact, each EU member state has either already passed, or will soon pass, the GDPR into its own data protection legislation. The United Kingdom is no exception, having already passed the UK Data Protection Act 2018 (DPA) in May 2018 - the UK implementation of the EU GDPR legislation, codifying its requirements into UK law.
However, in the UK’s version, there are some additional scenarios where data must be processed according to GDPR-like protections. There are also certain exemptions regarding data access rights and notifications. The DPA also transposes the EU’s Law Enforcement Directive into the UK at the same time as the GDPR.
Linda Thielov, Privacy Counsel at OneTrust, said:
“People might not realize how closely knit the UK legislation is in relation to the EU GDPR and that it's actually built on a lot of similar principles, while still being this sort of standalone and, I would say, quite independent piece of legislation at the same time.”
Brexit Deal or No Deal: UK Data Protection will Remain
Whatever flavor of Brexit the UK ends up with, the Data Protection Act will remain in place, albeit in a different guise. This means UK businesses will still be required to comply with an almost identical set of regulations and requirements.
Moreover, just like any other country outside the European Union, UK businesses that process the personal information of EU citizens will still be required to comply with the EU GDPR.
When the UK departs from the European Union, the current DPA law will be effectively replaced by The Data Protection, Privacy and Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019.
There will be two significant effects of this change:
• The impact on data transfers between the UK and EU;
• Businesses might need to appoint an additional EU representative.
The biggest headache for the UK is that, while it will declare the EU “adequate” from day one, the EU will not reciprocate until the UK receives an ‘adequacy decision’ confirming that the country’s data protection laws are up to the same standard as the EU GDPR.
Some companies might be relying on the notion that if, and when, Brexit happens, we will have an adequacy decision in place with immediate effect. However, according to Thielov, this is very likely not going to be the case.
“It usually takes quite some time for the European Commission to reach a decision on adequacy. I would really advise companies, when they are preparing for Brexit, not to rely on adequacy as the likeliest way for them to transfer personal data between the EU and the UK, and to look for some other options there.”
This basically means that personal information concerning UK citizens will be allowed to flow freely to the EU under Article 45, but EU personal data flowing into the UK will be subject to appropriate safeguards according to Article 46.
Thielov reiterates the effect of this issue:
“When you [are] actually transferring data outside the UK into the EU, you have to make sure that there are actually some safeguards in place, and you might have to set up a representative within the EU to make sure that you are sort of easy to reach and you have somebody accountable on the EU side in case of any issues with your compliance.”
The EU already released a statement that confirms it will treat the UK as a 'third country' after the withdrawal date, until an adequacy decision has been made.
Representation or Bust
According to GDPR Article 27, a non-EU company is required to designate an EU representative if it sells to EU citizens, or monitors them…
“The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.”
Likewise, under the UK legislation, if a company that has no UK representation sells to customers in the UK, or monitors them, it must appoint a U.K. representative.
To make matters even more challenging, businesses that do not have an office in either the UK or the EU will have to appoint both. Such companies would normally already have an EU office. However, unless that office also has a representative in the UK, it will now need to find one to act in this capacity.
UK-based companies that sell to customers in EU states, but have no EU office will have to appoint an EU representative - and vice versa.
Formulating any kind of plan is extremely difficult for UK businesses, due to the degree of uncertainty surrounding Brexit.
The UK government has lost the small majority it previously had in Parliament, so a general election is highly likely, but by no means a certainty. The PM still maintains that the UK will leave the EU on October 31st, deal or no deal, while continuing to insist that he would prefer to leave with a deal. And the newspapers persist in publishing conflicting stories based on their leaning to the left or to the right.
So, with no one really having clear insight into what is likely to happen at the end of October, and the EU expressing its disdain at the prospect of yet another extension, holding a general election is likely to delay any purposeful legislative action - at least until we get much closer to a Brexit deadline.
When a “Best Guesstimate” is Better Than No Plan At All
Various preparatory actions have been suggested to businesses by data privacy practitioners, both in the UK and EU. The following elements are offered by Tim Bell, writing for the International Association of Privacy Professionals (IAPP), to companies considering appointing a UK or EU representative at this time.
• Can you agree to a conditional contract with them so there will be nothing to pay if Brexit doesn’t occur, the appointment is delayed during any extension period, or a deal is agreed between the EU and U.K. (a “No Brexit, No Fee” contract)?
• Will you need to appoint more than one representative (U.K. and EU) if you don’t currently have one? Alternatively, can you appoint a representative with establishments in both jurisdictions?
• If you already have an EU representative, do they have a U.K. establishment? If so, will the U.K. representative role be automatically included with their existing appointment?
The usual considerations for the appointment of an EU representative:
• Are they established in the EU member state where the controller/processor has the largest number of data subjects (a best-practice expectation set out in European Data Protection Board guidance note 03/2018, section 4)?
• Will data subjects in other EU member states have easy access to the representative (also set out in the guidance)?
• Is the representative already acting as your data protection officer (please be aware that, in line with the guidance, this is not permitted due to the potential conflict of interest between the roles)?
• How responsive are they, i.e. do they have a service level for acknowledging and forwarding the communications they receive, so that you retain the maximum remaining time within the one-month timetable to respond to a request?
• Have they protected themselves against the risk of being required to pay GDPR fines and compensation awarded against their other clients, something that the EU authorities can ask the representative to do (if their client has not met those payments)?
With the strong likelihood of yet more twists and turns before Brexit is finally done - one way or another - all any business can do is “prepare and hope for the best.”