It seems like yesterday everyone was amending their contracts to comply with the General Data Protection Regulation (GDPR). However, Brexit (assuming it happens!) is likely to bring with it yet more changes – and if the UK leaves without a deal, these changes are coming up fast.
Parliament passed a motion rejecting a “no deal” Brexit on Wednesday 13 March. However, unless the government takes action to prevent it (i.e. agrees a deal with the EU, agrees an extension to the Article 50 notification (requiring unanimous approval by the remaining EU member states), or revokes Article 50), the UK will nevertheless leave the EU by automatic operation of law on Friday 29 March 2019.
If a deal is reached before then, on the current terms there would be a transition period until December 2020 (which could be further extended until December 2022) during which EU laws will continue to apply to the UK. While it is possible that the 29 March Brexit date will be extended to avoid “no deal”, this will only happen if the remaining EU member states vote in favour. It is therefore prudent to plan with a “no deal” Brexit on 29 March in mind.
The GDPR will continue to apply to the UK post-Brexit. This is because, in the event of a “no deal” Brexit, the UK government plans to make the GDPR directly part of UK law (with some amendments so that it makes sense in the context of the UK as a non-EU country). This amended version is being called “UK GDPR”. If there is a deal, the application of this will be delayed, as EU law will be interpreted as if the UK was still a member state.
The UK will recognise European Economic Area (EEA) countries and Gibraltar as “adequate” to allow data to continue to flow from the UK to the EU. EEA countries are the EU member states plus Iceland, Liechtenstein and Norway – these countries are all subject to the GDPR.
However, the EU has confirmed that the UK will be a “third country” once it leaves the EU. This means that unless and until the EU adopts an adequacy decision in relation to the UK, the EU will not automatically consider the UK “adequate” to allow personal data to flow from the EU to the UK. If there is a deal, it is possible the EU will make an adequacy decision before the end of the transition period (but this is not definite as such decisions take time, e.g. the recent Japan adequacy decision took around 2 years to negotiate).
We therefore suggest that data controllers and processors consider the following:
Whose personal data you are processing, and where it is being transferred
EEA to UK transfers
If there is no adequacy decision in respect of the UK, you will need to comply with the requirements under the GDPR for sending personal data outside the EEA. In many cases the simplest way of doing this will be to include the Standard Contractual Clauses in your contracts in relation to this data processing.
This applies both to the transfer of personal data to third parties and between companies in a group structure.
UK to EEA transfers
The UK government has confirmed that no additional measures will be required to send personal data from the UK to the EEA.
UK to non-EEA country transfers
The UK GDPR will impose broadly the same requirements as under the GDPR if you transfer personal data outside the UK to non-EEA countries.
The UK government has confirmed that it will consider “adequate” the countries which the European Commission has made a finding of adequacy about.
UK organisations wishing to continue to make transfers to US organisations under the Privacy Shield will need to check that the US organisation has made the necessary update to its commitment to compliance with the Privacy Shield, to expressly state that those commitments apply to transfers of personal data from the UK.
Intra-UK transfers
The UK GDPR will impose broadly the same requirements as under the GDPR if you never transfer personal data outside the UK or receive personal data from outside the UK.
Updates to existing documentation (e.g. privacy policy, privacy notices and the data protection provisions in your contracts)
Under the GDPR, your privacy notice must include details of personal data transfers to countries outside the EEA or international organisations.
Depending on how the data protection provisions in your contracts have been drafted, they may not make sense once the UK has exited the EU. For example, your contracts may state that personal data will not be transferred outside the EU.
Data Protection Officer
If you have a Data Protection Officer (DPO), they can continue in this role in relation to the UK and the EU provided that they have expert knowledge of both UK and EU data protection law and are “easily accessible” from both. As the two data protection regimes will continue to be very similar post-Brexit, this should not be an issue.
Representatives in the UK and/or the EU
Controllers and processors not established in the EU who process personal data of EU data subjects are required to appoint a representative within the EU, unless an exception applies. Any enforcement proceedings which the regulator could bring against the relevant controller or processor for non-compliance may be brought instead against this representative.
Controllers and processors based in the UK processing personal data of EU data subjects will therefore be required to comply with this requirement.
Likewise, if the current draft regulations are implemented, controllers and processors not established in the UK but processing personal data of UK data subjects will be required by UK law to appoint a representative within the UK. Such representative would have the same potential liability in the event of a claim.
In each case, there must be a written document to appoint such representative – this should generally take the form of a services contract between the parties.
Lead supervisory authority
The one-stop-shop means some organisations operating across more than one EU member state, or engaging in processing likely to substantially affect individuals in more than one member state, can usually deal with one European supervisory authority, who would take action on behalf of the others. However, once the UK leaves the EU, the UK’s Information Commissioner’s Office cannot be an organisation’s lead supervisory authority in the EU. If the UK is currently your lead supervisory authority, you will need to review whether you can have a new lead authority to benefit from the one-stop-shop.
The Information Commissioner’s Office (“ICO”) has made a provisional decision to fine a software provider more than £6 million. If the provisional decision is confirmed, it would mark the first case where the ICO impose a monetary penalty notice on a processor under the UK General Data Protection…
Data breaches: Is personal data held in your systems secure?
European Commission launches process on personal data flows to UK
In these working from home days, where weekdays seem to blend into weekends which melt into weekdays again, most of us don’t have the luxury of offices at home. Space is at a premium. Desks or dining room tables are shared. Papers are strewn across the floor. We…