The GDPR is an EU Regulation that applies to all EU Member States. The UK has adopted the GDPR into its own national legislation under the Data Protection Act 2018, which will apply regardless of whether we are in the EU or not. However, the way we transfer personal data outside the UK and receive personal data from the EU may be affected on our departure. So, if you have personal data stored on servers outside the UK, or have customers or suppliers located outside the UK, listen up.
Brexit is looming and there are three ways it can go:
- the deal scenario – where a Withdrawal Agreement is approved between the UK and the EU;
- the no deal scenario – where the UK leaves the EU without the Withdrawal Agreement having been agreed, otherwise known as ‘hard Brexit’; or
- the no Brexit scenario – where the UK does not leave the EU on the exit date either because the negotiations are extended or because a second referendum overturns the earlier vote.
Now, it’s quite obvious that if we never leave the EU, nothing will change – or at least not in relation to data protection. We will continue to be subject to the General Data Protection Regulation (GDPR) and the E-Privacy Regulations as if the past few months of political turmoil were all just a vivid dream. This blog is going to focus on the first two scenarios: what will happen if we get a deal and what will happen if we don’t get a deal.
The deal scenario
If the UK and the EU manage to agree a Withdrawal Agreement, it will include provisions for an implementation period to the end of 2020, during which EU law will continue to apply in the UK. During the implementation period, the UK will commit to applying EU data protection law in the same way that it does now.
The Withdrawal Agreement will ensure that there will be no restrictions on the transfer of personal data from the EU to the UK and the UK will continue to be included in any reference to ‘EU Member States’. By the end of the implementation period, it is expected that the Commission will have granted the UK an ‘adequacy decision’. An adequacy decision is a finding by the European Commission that the legal framework in place in a country outside the EU (and therefore not subject to the GDPR) provides ‘adequate’ protection for individuals’ rights and freedoms in relation to their personal data. Therefore, we will not be subject to the same rules on international transfers as most countries located outside the EU are.
No deal scenario
Although we have implemented EU data protection law into our own domestic legislation, from the EU’s perspective, as soon as we leave the EU, all EU data protection law ceases to apply to the UK from that date. Similarly, the UK will cease to be an EU Member State from the date of exit and will instead be classified as a ‘third country’ for data protection purposes. Therefore, GDPR restrictions on the transfer of personal data to and from the UK, as a ‘third country’, will apply immediately following our exit, and we will have to implement Commission-approved transfer mechanisms in all of our contracts where personal data is passing through our borders. The only exception to this is that it is likely that there will not be restrictions on the transfer of personal data from the UK to the EU due to the relationship between us.
Just like in the deal scenario, an adequacy decision is likely. However, the Commission has given no clarity around timings, so it may be a while before that decision is granted.
Against the uncertainty, the immediate takeaways for businesses should be as follows:
- Update agreements to ensure that the data protection provisions allow for the transfer and processing of personal data to the UK as a possible third country.
- Consider updating agreements to include the standard contractual clauses to legitimise data transfers to and from the UK until the UK is granted an adequacy finding.