Brexit: the data protection implications
In the referendum on the UK’s membership of the European Union (EU) on 23 June 2016, the British public voted to leave. This article looks at the potential implications for data protection compliance now Brexit is confirmed.
Before getting into the specific issues relating to data protection it is worth setting out some general considerations. The first is that no-one can currently say exactly what the outcome of the “out” vote will be, the consequences of which will stem largely from how the UK Government now chooses to maintain its relationship with the EU. There is likely to be a period of perhaps two years until the final departure of the UK from the EU. During this period the nature of the UK’s ongoing relationship with the EU will be negotiated.
The extent to which the UK’s legal landscape will change as a result of Brexit therefore depends on which alternative model is chosen to govern the relationship between the UK and the EU post-exit. The five most commonly discussed options are considered here.
Impact on Data Protection Laws
The current EU data protection regime is based on the Data Protection Directive (95/46/EC) (Directive), adopted by the European Commission in 1995, which sets out the framework for data protection regulation in the EU. Under the current regime (as is the case for all Directives) the Data Protection Directive has been enacted in Member States through local implementing legislation (the Data Protection Act 1998 (DPA) in the UK). Whilst the Directive and DPA are still in place, and if an exit option is selected which does not require the continued adoption of EU laws, then it seems most likely that the UK Government will put in place legislation preserving the DPA. It seems unlikely that the UK Government will move away from the current data protection regime even without a duty, stemming from overarching EU law, to retain the DPA.
If, by the point of Brexit, the General Data Protection Regulation (GDPR) has been enacted, then it is possible that the DPA may have been taken off the statute book and replaced by the GDPR. Again, if an exit option is adopted by the UK that requires adoption of EU laws, the GDPR would have direct effect in the UK; if not, the UK would have to consider whether to reintroduce its own data protection legislation. It seems very likely that that would happen, although one might question whether the UK would choose to adopt the full suite of requirements from the GDPR. Of course, the GDPR implementation process and the Brexit process will, to some degree, be running at the same time, and as a result it may well be that steps are taken by the EU/UK not to apply the GDPR in the UK and to preserve the application of the DPA in the UK (at least until it is known what post-Brexit option is to be adopted).
Considered below are some of the key issues surrounding data protection in light of Brexit and what actions businesses should be considering and may be required to take.
Different data protection regimes in the UK and EU
To date, the UK has applied a relatively business-friendly data protection regime (relative to some other EU member states), and the UK was a dissenting voice on some of the more onerous provisions in the GDPR proposals. If the GDPR takes effect prior to Brexit, the DPA will need to be repealed. If an exit option is adopted which means that the UK does not have to apply the GDPR post-Brexit, it may be that the UK would not want to reproduce the more onerous requirements of the GDPR and may opt to retain a model similar to that currently in place under the DPA.
This approach would likely limit the regulatory burden on UK businesses compared to that applicable under the GDPR and also potentially create competitive advantages for UK businesses in non-European operations. However, the UK would lose the advantage of regulatory consistency for businesses operating across Europe and pan-European businesses with operations in the UK would face somewhat different data protection regimes (although one could say that situation exists today). The UK would also lose the advantage of the limited "one-stop shop" concept being introduced by the GDPR, meaning compliance with two sets of laws and consequently, exposure to two sets of sanctions for non-compliance (again the situation we have today).
Businesses should begin to review their existing compliance programmes, and ensure that those programmes can be updated and expanded as necessary to comply with the GDPR. Even now that Brexit is confirmed, with the GDPR looming it is important that businesses consider taking these actions, particularly those that have operations in the EU and/or rely on trade with EU Member States. Compliance with the GDPR will, in any event, be required for group operations purposes or in order to be able to continue to trade effectively with EU businesses. In any event, the requirements of the GDPR, whilst in many respects demanding, may well come to be regarded as the “gold standard” for data protection compliance even if the UK chooses not to apply them.
Aligned with the “one-stop shop” issue described above is the consideration of where a company’s “main establishment” is in Europe for the purposes of determining which Data Protection Authority would be the lead authority for the enforcement of the GDPR and for other purposes such as approval of binding corporate rules. Post-Brexit (and assuming an exit option is adopted which means that the UK does not apply the GDPR), companies with their EU headquarters in the UK will find that another EU location will be their “main establishment” and another Data Protection Authority will be their lead authority. This may well change the nature of the regulatory landscape for such companies, given that the approach of the UK ICO differs from that of a number of other Data Protection Authorities.
We are already seeing companies pro-actively think about where their main establishment will be for the purposes of the GDPR and also whether there are organisational changes that might result in a different analysis of the location of the main establishment. With Brexit looming, companies may want to rethink their analysis of this issue and organisational approach to governance of data processing activities.
Cross-border data flows
Post-Brexit, the UK is still going to need to be able to conduct trade with EU Member States and data will, of course, continue to flow between the UK and EU countries as a matter of course. Whilst the UK is still an EU member state, cross-border data flows to UK companies will not trigger the requirement for “adequate protection” to be put in place as a condition to the transfer of personal data to the UK.
If Brexit results in the UK remaining within the EEA, the situation would remain as it currently stands, as the rule relates to transfers of data outside the EEA. However, if Brexit involves the UK being outside the EEA, there would be a requirement for data controllers to ensure that there was adequate protection for the data (as is currently the case with transfers to, for instance, the US).
If the UK retained a similar model for data protection as currently in place under the DPA, it is likely that the UK would apply to the Commission requesting that it be determined as a country providing an “adequate level of protection” for personal data, in the same way that Switzerland and Canada (amongst others) have such status. If the UK were to be given that status (and it seems very likely if the UK continued to apply the DPA or enhanced laws based on GDPR requirements), transfers of personal data from the EU to the UK could continue to flow as they do now.
If the UK were not subject to a determination of adequacy by the Commission, and at any rate during any interim period after Brexit in which any such determination was being made by the Commission, EU businesses wanting to transfer personal data to the UK would need to find another means of making those transfers compliant.
If the UK were not in the EEA, and before it is listed as an “adequate jurisdiction”, businesses transferring data from the EU to the UK will need to consider what alternative options could be put in place to provide comfort that there is adequate protection for the personal data being imported. There are various means of doing this, such as the use of Commission-approved model clauses, implementing Binding Corporate Rules or using a consent-based model.
It is possible that processing within corporate groups that is currently considered fair and lawful may not be considered fair and lawful after Brexit. For example:
- Processing based on a UK legal obligation - the EU view that only legal obligations applicable in the EU are valid justification for processing may mean that this processing is no longer fair and lawful.
- Disclosure of data to authorities / security services - EU bodies and countries have shown heightened concern over acquisition of data by non-EU authorities / security services. The collection and use of data by UK authorities / security services post-Brexit may generate more concern than is currently the case.
- Legitimate interests - some processing undertaken in the UK for a pan-EU operation, for example, may have fallen under the “legitimate interests” justification. That may not remain the case post-Brexit, but each instance of data processing would need to be considered by reference to the nature of the processing and the circumstances.
Businesses will have to review their processing activities and the justification for that processing to see whether the post-Brexit environment changes the fairness and/or lawfulness of the processing.
Although Brexit is confirmed, the implications for data protection compliance are uncertain and could take some time to materialise. However, it seems very likely that the current UK data protection regime will continue to apply at the very least.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.