Amidst the long-term uncertainty of Brexit, what do we know about the impact of Brexit on UK-based GDPR (Regulation (EU) 2016/679) programs?
Without speculating on the outcome, we note that recent attention has focused on the potential of a No Deal Brexit.
In the event that the UK is no longer a member state of the European Union, the UK will, as a matter of law, be considered inadequate for the protection of European residents' data. This is irrespective of what is really the case.
In simple terms, this means that European data cannot be processed in the UK unless a mechanism for the legal transfer of personal data is utilised by the entity processing the European data.
The UK Data Protection Regulator, the Information Commissioner's Office (ICO), and the European Data Protection Board (EDPB) recently issued guidelines on what companies should do in the event of a hard Brexit when there are data flows between the EEA (the EU plus Norway, Liechtenstein and Iceland) and the UK.
One option available would be to establish data transfer contracts between UK and EEA-based companies, which would be the likeliest transfer mechanism chosen by many UK companies.
It consists of contractually agreeing to apply GDPR principles when the country of importation of personal data is not subject to GDPR. These contracts are standard forms available from regulators that cannot be modified.
In view of the UK-EEA volume of trade, one can expect a number of such transfer contracts to be concluded after a hard Brexit. This could be an arduous exercise, with very limited actual value.
The UK implemented GDPR on 25 May 2018 along with the other EU Member States, and the UK Commissioner has since exercised significant regulatory oversight of how companies comply with data protection rules, with high-profile cases like "Cambridge Analytica" and an impressive arsenal of external communications on how to apply GDPR.
In the same month, a new UK Data Protection Act was adopted. The UK joined the first few countries having officially complemented GDPR through national legislation.
Furthermore, the UK has announced it will essentially copy the GDPR into UK law by virtue of the European Union (Withdrawal) Act 2018 if and when the UK exits. The UK version of the GDPR will be called the UK GDPR.
Therefore, the above-mentioned process would merely be a burdensome paper exercise, as data protection rules will remain the same post-Brexit. The UK is a country in which the fundamental right to privacy is enforced and protected. Data protection standards in the UK are among the highest in the world. Post-Brexit, the high standards of UK data protection will remain.
By rendering the UK an “inadequate” country of protection, the Brexit legal operation seems rather artificial in this case. But there are ways to fix this.
The European Commission has the power to determine, on the basis of Article 45 of the GDPR, whether a country outside the EU offers an adequate level of data protection. This process can, however, be drawn out, as the EC must first propose that the UK join that list, obtain an opinion from the European Data Protection Board, and secure approval from the representatives of all EU countries.
The effect of such an adequacy decision is that personal data will flow freely from the EEA to the UK without any further safeguard or transfer mechanism.
In a hard Brexit scenario, there may no longer be free movement of people, capital, goods and services, but there could still be free movement of data.
Blog author: Christel Cao-Delebarre, Global Privacy Officer, CWT.