What does leaving Europe mean for GDPR - an EU law? Gillian Scribbins, of Muckle LLP, examines the effects of Brexit on data protection.
There will be no substantive changes to the current data protection rules, but UK companies importing data from the EU or sharing data under the EU-US Privacy Shield will need to take contingency action in preparation for Brexit, deal or no-deal.
GDPR will still apply after Brexit
The GDPR is an EU law, so it is directly applicable in all EU member states. It is therefore not illogical to think the GDPR won’t apply at all if and when the UK ceases to be an EU member state. But due to GDPR’s extra-territorial reach, it already applies to all organisations that offer services to, or process the personal data of, EU residents – regardless of whether they are based in the EU. Furthermore, the government and the ICO have made it clear that whatever the outcome of Brexit, the GDPR and current data protection laws must, and will, continue to apply to all UK organisations.
The GDPR will be absorbed into domestic law at the point of exit. This is because of the EU (Withdrawal) Act 2018, already in force, which retains existing applicable EU legislation in UK domestic law. Proposed further UK legislation, the Data Protection, Privacy and Electronic Communications Regulations (Amendments etc.) (UK Exit) 2019 (still in draft), will ensure that the current data protection laws continue to function correctly after the UK leaves.
International data transfers
However, because of the way the GDPR is written, once the UK ceases to be an EU member state, the international transfer of personal data will be hindered, if not prohibited in some circumstances. This is because the UK will become a ‘third country,’ in GDPR terms, which means our data protection laws are not automatically recognised as equivalent to the EU’s. This means transferring personal data will only be permitted if there is an ‘appropriate safeguard’ in place.
Consequently, data protection has been something of a political pawn in the Brexit negotiations, as the free flow of data between the UK and the EU is a critical part of many UK business models.
The Department for Digital, Culture, Media & Sport (DCMS) has issued a guidance notice on data protection in the event of a no-deal Brexit, stating: “The free flow of personal data between the UK and the EU is critical in underpinning an ambitious economic relationship and ongoing security cooperation, and both sides are committed to high data protection standards.”
This is despite the European Commission’s declaration in November last year that automatic adoption of what is called an ‘adequacy decision’ is not part of its contingency planning in a no-deal scenario.
An adequacy decision is a ruling made by the EU about non-EU territories, i.e. third countries, authorising data transfer to those territories in the same way as between Member States. As the name suggests, such rulings are authorised only when the territory provides equivalent data protection to that of the EU and GDPR.
And even if we do leave with a deal, an adequacy decision will not be considered before the date the UK leaves.
Action to take now – appropriate safeguards
In short, this means that organisations sharing or importing data from the EU or the US will need to make contingency preparations. Assess your organisation’s data flows, and identify any that involve international transfer. In most cases this will mean incorporating EU-drafted model clauses into any applicable contracts in the short term. Unless individual organisations have set up an EU-approved appropriate safeguard to validate that transfer, EU data exporters to the UK could find themselves in contravention of the GDPR, which will hinder data flow and general business cooperation.