Data Protection in the UK Post-Brexit
After months of intense negotiations, the UK and the EU have reached a deal for the UK’s exit from the European Union or, as it’s more commonly known, Brexit. However, to gain approval, the 585-page withdrawal agreement must still earn a vote from the British parliament as well as one from the European Parliament prior to the UK’s departure from the EU on 29 March 2019.
With both the public and members of the UK Parliament skeptical of the agreement, the risk is growing that the UK will either exit the EU without a deal or it will have to seek an extension of the negotiation period from the EU. But what does this all mean for data protection and how will it affect UK businesses’ GDPR compliance? Let’s find out!
The GDPR Post-Brexit
Data protection in the UK currently falls under the EU General Data Protection Regulation (GDPR), which has been adopted into the UK’s national legislation through the Data Protection Act 2018 (DPA).
Whether there is a Brexit deal or not, the DPA will stay in place. Furthermore, through the European Union (Withdrawal) Act 2018, which will convert over forty years of legislation applied through EU law into UK domestic law, the GDPR will essentially become part of UK legislation post-Brexit.
Another thing to consider is that, should Theresa May’s agreement receive approval, the UK will enter a transition period during which all EU laws, including the GDPR, will continue to apply. The length of the transition period is still undecided, with the first suggestions being that it should end on 31 December 2020, but recent discussions putting it as late as 2022.
International Data Transfers
With the GDPR becoming domestic law and the DPA already in force, it may seem that Brexit will have no impact on UK companies’ compliance with the GDPR. While that might be true when it comes to data protection standards, once the UK leaves the EU, it will no longer be treated as a member state in the context of the GDPR, but as a third country. What this essentially means is that personal data transfers from the EU to the UK will no longer be automatically allowed, despite the existence of the DPA.
Under the GDPR, transfers of personal data to countries outside the EU are prohibited unless an exemption applies, the transfer is made to a country whose level of data protection has been deemed “adequate” by the European Commission, or the companies executing the transfer have implemented lawful data transfer mechanisms such as EU Standard Contractual Clauses or Binding Corporate Rules.
In order for personal data transfers to be freely allowed from the EU to the UK, the British government will have to seek an “adequacy decision” from the European Commission. Although the UK has already requested an evaluation for this purpose, the Commission has stated that it cannot make an adequacy decision for the UK until it has effectively become a third country, after 29 March 2019.
Because of this, the UK’s Department for Digital, Culture, Media and Sport (DCMS) has issued guidance on data protection in the event of a “no-deal” Brexit. To ensure that UK businesses stay GDPR compliant, the DCMS recommends using standard contractual clauses (SCCs) to legitimize transfers of personal data from the EU to the UK. The SCCs are model data protection clauses approved by the European Commission which, when embedded in a contract, enable the free flow of personal data.
Moving forward post-Brexit
After the UK leaves the EU, the Information Commissioner’s Office (ICO) will continue to act as the UK’s data protection authority, but it will be removed from the European Data Protection Board, effectively losing its right to contribute to future interpretations and decisions concerning data protection laws in the EU. The ICO is also expected to issue its own guidance to ensure UK organizations will continue to meet their GDPR obligations post-Brexit.
While the UK has embraced the GDPR as legislation, companies must keep a vigilant eye on the Brexit negotiations to ensure that, come 29 March 2019, they don’t suddenly become noncompliant.