No Deal: No Data?
Not long after what was the greatest change to data protection law in years (GDPR, May 2018), we are progressing towards what is likely to be the greatest economic and societal change in a generation: Brexit.
At the time of writing, we can’t say whether the correct wording is that a No Deal Brexit is “possible” or “likely”.
What is a bit clearer is the prudence of preparing for a No Deal Brexit. Until quite recently, it was hoped that a Deal would be struck, allowing an orderly Transition Period to commence and parity on data protection to be found before the Transition Period’s expiry. However, governments in the UK and EU27 have now ramped up their preparations for such a crash-out Brexit, and businesses who stay in the “wait and see” camp could find themselves in an uncomfortable position come Brexit day.
What legislation will apply?
We do know now that, post-Brexit, the UK will be a “third country” for the purposes of EU GDPR, meaning it won’t be automatically bound by the EU GDPR, but UK companies could be subject to its extra-territorial reach.
Due to the UK’s domestic data protection legislation, UK companies that transfer personal data to and from EU27 will be bound by two versions of the same legislation:
- EU GDPR (as we know it and it applies now); and
- UK GDPR (a slightly amended version of EU GDPR, as enacted by the UK Data Protection Act 2018 and associated domestic legislation).
Indeed, EU27 companies may also be bound by both sets of legislation if their data-flows cross UK borders.
Whilst the principles of data protection law will remain unchanged post-Brexit (as was a goal of the UK Data Protection Act 2018), a number of issues must be considered now in light of Brexit and particularly a No Deal Brexit.
Focusing for now on three main issues that UK companies should consider:
To ensure that personal data isn’t supplied into countries which don’t provide adequate protection, EU GDPR has a starting point that personal data must not be transferred outside the EEA (unless one of a limited number of exemptions applies).
Generally, in deciding whether a destination does provide adequate protection, the sender of the data must consider:
- whether the destination is subject to an Adequacy Decision (the UK won’t be automatically, and consideration of whether it should be won’t start until after Brexit happens);
- if not, whether the transfer is subject to Appropriate Safeguards (such as Standard Contractual Clauses or Binding Corporate Rules); and
- if not, whether another Derogation (set out in GDPR, which can include explicit informed consent or necessity for a contract) applies.
Companies’ GDPR-compliance projects may already have included a “data mapping” exercise which would give a clear picture of how personal data flows in and out of the business. This “data map” should be re-visited (or conducted) now, to determine what personal data crosses EEA and UK borders and what steps are needed to ensure that this can continue. In particular, UK companies should have an answer prepared if their EU customers or suppliers ask how they can continue to supply personal data into the UK.
We think it is likely that Standard Contractual Clauses will be more widely used as a method of ensuring data can be transferred across borders, but unfortunately, they are not without their own problems (including being subject to an ongoing legal challenge) and can’t be amended from their standard form.
Pre-emptive action is also likely to be required from personal data processors who are subject to contracts that say that personal data should not be transferred outside the EU or EEA “without Controller’s consent”.
So it’s time to check existing contracts, to see what actions need to be carried out now.
Given the extra-territorial effect of the EU GDPR, UK companies who offer goods or services to, or monitor the behaviour of, individuals in the EEA will have to nominate a Representative in the EU27 (unless they can rely on an exemption). Correspondingly, EU27 companies who are bound by the UK GDPR may also be required to appoint a Representative in the UK.
If required, a Representative must be appointed (in writing) to represent personal data controllers and processors and, in summary, fulfils two roles: being a point of contact for individual data subjects; and being a target for enforceability for data protection authorities.
The Representative can be subject to enforcement proceedings from data protection authorities in the event of non-compliance by it, or by its appointing controller or processor. As Representatives could be held liable for the administrative fines of the organisations they represent, this could act as a €20 million disincentive for a Representative to accept the appointment, given the potentially very large fines that can be levied under GDPR. It will be interesting to watch the market’s reaction to this requirement in seeking a cost-effective solution for businesses whilst protecting the interests of impacted individuals.
Nonetheless, UK companies must consider whether this is required now and, if so, what country in the EU27 is the most appropriate in which to nominate the Representative.
Given the extent that UK companies benefit from the EU Internal Market, many of them will be processing personal data of people in a number of EU member states.
Under EU GDPR, companies can benefit from a “one-stop-shop” approach to dealing with supervisory authorities (being the Information Commissioner’s Office or ICO in the UK). After Brexit however, UK companies need to consider whether they need to deal with a supervisory authority in the EU as well.
There are several variables to consider (such as the level of establishment the company has in another country), but UK companies should be aware that (in theory) they may be subject to registration with two supervisory authorities, investigation by both and fines from both (although we understand that it is hoped that this will be handled in a co-ordinated way).
The impact of a No Deal Brexit on data protection is unlikely to be welcome news to UK companies who trade in EU27, particularly after the expenditure required to comply with EU GDPR last year.
However, considering the above and reviewing the data protection notices, policies, legislative references and contracts used by the UK company should be added to the “To Do” list ahead of Brexit, to ensure compliance as at Brexit Day and (more importantly) to avoid the tap being turned off on the flow of personal data into the UK.
While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.