Brexit and data protection: what next?
With the United Kingdom formally exiting the European Union on 31 January 2020, and a new relationship being negotiated through the remainder of 2020 (and possibly beyond), where does that leave our data protection laws and what steps should you be taking now to ensure data compliance by the end of the transition period?
Where are we now?
The United Kingdom has formally exited the EU, and the transition period is currently in place until 31 December 2020, subject to any agreed extension (the Transition Period).
During the Transition Period, the current position in relation to data protection will remain largely the same. The UK will remain subject to both the Data Protection Act 2018 (DPA 2018) and the European General Data Protection Regulation (EU GDPR), and data transfers can continue to flow to and from the EEA as before. The Information Commissioner's Office has confirmed that during the Transition Period the way we use personal data in the UK will remain “business as usual”.
After the Transition Period, the UK will be subject to a slightly modified version of the EU GDPR (the "UK GDPR") and the DPA 2018.
Whilst the ongoing relationship between the UK and the EU is in the process of being negotiated, we do have a degree of certainty on a number of issues, so it would be sensible to act now.
Is the UK Adequate?
Whilst it is business as usual for the UK at the moment, the big question is what the status of the UK will be after the Transition Period ends. Will it become a "third country" which the EU does not recognise as having adequate protections in place for personal data? Or is there political will to ensure that an "Adequacy Decision" is in place before the end of the Transition Period to ensure uninterrupted data transfers from the EU?
The UK has now implemented legislation to confirm that it will initially recognise all EEA and EU countries, along with Gibraltar, as having "adequate" protections in place in respect of personal data. It will also recognise other countries (such as Argentina, Guernsey, Japan and New Zealand) that the EU has already confirmed as having adequate protections in place under an Adequacy Decision. That means that data can freely flow from the UK to those countries at the end of the Transition Period without further safeguards in place.
However, without its own Adequacy Decision in place from the EU, data flows from the EEA to the UK may be interrupted or restricted after the end of the Transition Period. Those organisations that rely on data flows from the EEA to the UK should be taking stock and thinking about how they might act in the event that an Adequacy Decision is not forthcoming before the end of 2020, in particular by taking steps such as:
- Data Mapping: Understand where data flows into and out of your business, where it is hosted (including by data processors) and how that might be affected after the Transition Period. How important is that data to your business and can it be moved to the UK in the event that an Adequacy Decision is not forthcoming?
- Taking legal advice on the effect of Adequacy on any new contracts, or those coming up for renewal and potential renegotiation; there may be provisions that can be included to protect your business; and
- Considering whether there are any other legal mechanisms that might help to keep data flowing, such as Standard Contractual Clauses, or Binding Corporate Rules.
Are your privacy notices up to date?
Many privacy notices and data sharing agreements state that data will not be shared outside of the EU or the EEA. Those documents should now be revisited and revised to reflect the fact that the UK is no longer part of the EU and be clear about where those data transfers will be taking place.
Transfers to the United States under the Privacy Shield regime
The EU-US Privacy Shield regime is specific to data transfers between the EU and the US. However, for those organisations that rely on the Privacy Shield for data transfers to the US, it will remain valid for UK organisations, subject to certain conditions. You should check whether the US entity has updated its public commitment to include transfers of personal data from the UK to the US, and that this is reflected in your own privacy notices.
Organisations with a presence in Europe
For those organisations that have a presence in both the UK and Europe, including offering goods or services to individuals, or monitoring the behaviour of individuals in the UK and Europe, there are further steps to consider:
- Will you need to appoint a formal representative in the EU to liaise with individuals and data protection regulators in the EU? Likewise, for European businesses engaging with UK individuals, a UK representative may need to be appointed.
- Will you need to identify a lead data protection regulator within the EU, in addition to being regulated by the ICO?
- How will you ensure that you comply with both the UK data protection regime (under the UK GDPR and DPA 2018) and the EU data protection regime (under the EU GDPR), and any divergence between the two?
If you require any further advice or assistance on any Brexit-related matters, please contact our experts in our Data Privacy Team for further information.
Trowers & Hamlins has a data privacy team that brings together individuals from across the firm who specialise in data issues as part of their wider area of expertise (be it in commercial/transactional, employment, dispute resolution or pensions matters). This is because we believe that data protection advice must be given in the relevant context of those other skills, by identifying and applying the relevant principles from the data protection legislation to the matter in hand. This enables our team to provide meaningful and practical insight, tailored to our clients and informed by a depth of understanding of the challenges they face.