Tughans Solicitors

No Deal: No Data?

February 19, 2019

Not long after what was the greatest change to data protection law in years (GDPR, May 2018), we are progressing towards what is likely to be the greatest economic and societal change in a generation: Brexit.

At the time of writing, we can’t comment on whether the correct wording is to say that a No Deal Brexit is: “possible”; or “likely”.

What is a bit more clear, is the prudence of preparing for a No Deal Brexit. Until quite recently, it was hoped that a Deal would be struck, allowing for an orderly Transition Period to commence and parity on data protection to be found before the Transition Period’s expiry. However, governments in the UK and EU27 have ramped up their preparations for such a crash out Brexit now, and businesses who stay in the “wait and see” camp could find themselves in an uncomfortable position come Brexit day.

What legislation will apply?

We do know now that, post-Brexit, the UK will be a “third country” for the purposes of EU GDPR, meaning it won’t be automatically bound by the EU GDPR, but UK companies could be subject to its extra-territorial reach.

Due to the UK’s domestic data protection legislation, UK companies that transfer personal data to and from EU27 will be bound by two versions of the same legislation:

EU GDPR (as we know it and it applies now); and
UK GDPR (a slightly amended version of EU GDPR, as enacted by the UK Data Protection Act 2018 and associated domestic legislation).

Indeed, EU27 companies may also be bound by both sets of legislation if their data-flows cross UK borders.

Whilst the principles of data protection law will remain unchanged post-Brexit (as was a goal of the UK Data Protection Act 2018), a number of issues must be considered now in light of Brexit and particularly a No Deal Brexit.

Just focusing on three main issues for now that should be considered by UK companies:

Transfers

To ensure that personal data isn’t supplied into countries which don’t provide adequate protection, EU GDPR has a starting point that personal data must not be transferred outside the EEA (unless one of a limited number of exemptions applies).

Generally, in deciding whether a destination does provide adequate protection, the sender of the data must consider:

whether the destination is subject to an Adequacy Decision (the UK won’t be automatically, and consideration of whether it should be won’t start until after Brexit happens);
if not, is the transfer subject to Appropriate Safeguards (such as Standard Contractual Clauses or Binding Corporate Rules); and
if not, can another Derogation (set out in GDPR, which can include explicit informed consent or necessity for a contract) .

Companies’ GDPR-compliance projects may already have included a “data mapping” exercise which would give a clear picture of how personal data flows in and out of the business. This “data map” should be re-visited (or conducted) now, to determine what personal data crosses EEA and UK borders and what steps are needed to ensure that this can continue. In particular, UK companies should have an answer prepared if their EU customers or suppliers ask how they can continue to supply personal data into the UK.

We think it is likely that Standard Contractual Clauses will be more widely used as a method of ensuring data can be transferred across borders, but unfortunately, they are not without their own problems (including being subject to an ongoing legal challenge) and can’t be amended from their standard form.

Pre-emptive action is also likely to be required from personal data processors who are subject to contracts that say that personal data should not be transferred outside the EU or EEA “without Controller’s consent”.

So it’s time to check existing contracts, to see what actions need to be carried out now.

Representatives

Given the extra-territorial effect of the EU GDPR, UK companies who offer goods or services to, or monitor the behaviour of, individuals in the EEA will have to nominate a Representative in the EU27 (unless they can rely on an exemption). Consistently, EU27 companies who are bound by the UK GDPR may also be required to appoint a Representative in the UK.

If required, a Representative must be appointed (in writing) to represent personal data controllers and processors and, in summary, fulfils two roles: being a point of contact for individual data subjects; and being a target for enforceability for data protection authorities.

The Representative can be subject to enforcement proceedings from data protection authorities in the event of non-compliance by it, or its appointing controller or processor. As Representatives could be held liable for the administrative fines of the organisations they represent, this could act as a €20million disincentive for a Representative to accept the appointment due to the potentially very large fines that can be levied under GDPR. It will be interesting to watch the markets’ reaction to this requirement in seeking a cost-effective solution for businesses whilst protecting the interests of impacted individuals.

Nonetheless, UK companies must consider whether this is required now and, if so, what country in the EU27 is the most appropriate in which to nominate the Representative.

Supervisory Authority

Given the extent that UK companies benefit from the EU Internal Market, many of them will be processing personal data of people in a number of EU member states.

Under EU GDPR, companies can benefit from a “one-stop-shop” approach to dealing with supervisory authorities (being the Information Commissioner’s Office or ICO in the UK). After Brexit however, UK companies need to consider whether they need to deal with a supervisory authority in the EU as well.

There are several variables to consider (such as what level of establishment is in another country), but UK companies should be aware that (in theory) they may be subject to registration with two supervisory authorities, investigation by both and receive fines from both (although we understand that it is hoped that this will be handled in a co-ordinated way).

Summary

The impact of a No Deal Brexit on data protection is unlikely to be welcome news to UK companies who trade in EU27, particularly after the expenditure required to comply with EU GDPR last year.

However, considering the above and reviewing the data protection notices, polices, legislative references and contracts used by the UK company should be added to the “To Do” list ahead of Brexit, to ensure compliance as at Brexit Day and (more importantly) to avoid the tap being turned off on the flow of personal data into the UK.

While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.

Cookie name	Duration of storage	Purpose
Strictly Necessary Cookies
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this necessary cookie is used to record the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this necessary cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-functional	1 year	This necessary cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this necessary cookie is used to store the user consent for cookies in the category "Performance".
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this necessary cookie is used to record the user consent for the cookies in the "Analytics" category.
Google Cookies
_gid	1 day	Installed by Google Analytics, the _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages on our website they visit anonymously.
_gat_gtag_UA_24785398_1	1 minute	Set by Google to distinguish users.
Youtube cookies
YSC	Session only	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
yt-remote-connected-devices	No expiry	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	No expiry	YouTube sets this cookie to store the video preferences of the user using an embedded YouTube video.
CONSENT	2 years	YouTube sets this cookie via embedded Youtube videos and registers anonymous statistical data.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this necessary cookie is used to record the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_24785398_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, the _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages on our website they visit anonymously.
Consent	2 years	YouTube sets this cookie via embedded Youtube videos and registers anonymous statistical data.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	Session only	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	No expiry	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	No expiry	YouTube sets this cookie to store the video preferences of the user using an embedded YouTube video.

No Deal: No Data?

Paul Eastwood

Director