Are UK businesses ready for post-Brexit GDPR?
There are some significant consequences to Britain leaving Europe from a data protection point of view. Depending on the type of exit the politicians finally decide on, if at all :), this will have significant impacts on UK companies. The impact will be disproportionately felt by small to medium-sized companies, both in the UK and in the EU. Some of the questions that will need to be addressed:
- The validity of data transfer agreements for the processing of the data of EU citizens?
- Adequacy of data protection rules in the UK to receive data from the EU, and vice versa?
- End of the one-stop-shop for regulatory approval?
- Role of the European Court of Justice's jurisdiction post-Brexit?
- Relations with law enforcement and a potential issue with adequacy agreement approval?
If the UK ends up leaving with a deal, there will be a transition period during which GDPR will continue to apply. This will likely mean that UK and EU data protection laws run in parallel. This would give UK companies and the government time to work out the practical implications of the legislation and move towards an orderly transition out of the EU.
In the scenario where the UK leaves without a deal, GDPR will in theory no longer apply. However, if a UK company is processing data for EU nationals, it will still need to be GDPR compliant.
The Data Protection Act 2018 (DPA 2018), which currently supplements and tailors the GDPR within the UK, will continue to apply. To all intents and purposes the DPA 2018 is a mirror of GDPR. The challenge will be how UK companies can lawfully transfer and process the personal data of EU citizens.
1. Data transfer agreements raise the question not only of how a UK company is going to be able to import data from the EU for processing, but also of how consent will be obtained from the customer.
Firstly, how data transfers will occur legally will need to be addressed. A hard Brexit will leave the UK in the same position as countries like China, Nigeria or Russia. A transfer agreement will need to be agreed with the EU for UK companies.
In a hard Brexit scenario there will be an implicit legal limbo: the border will effectively go up and UK companies won't be able to legally process the data of EU residents. So a UK company would need some means of legally importing the data from the EU. For small to medium-sized organisations, this could be dealt with through Standard Contractual Clauses (SCC). For larger multi-national companies, this could be through a framework agreement that all the different operating companies sign up to.
In the longer term, Binding Corporate Rules (BCR) could be agreed with the ICO. But these will take months or years to put in place, and not many UK companies will have done this, because before Brexit most UK companies were already covered by the current law.
Secondly, there are practical implications for how a company updates its terms and conditions and obtains consent from the customer on a website. There would need to be a communication campaign to obtain explicit consent for the change of data transfer agreements from each and every customer.
This would generate additional administrative costs for UK companies in obtaining consent from customers for data transfer and data processing, as well as the angst and frustration of customers being bombarded with another round of emails or changes on websites to accommodate these requirements.
2. The adequacy of data protection decisions between the EU and the UK post-Brexit, and vice versa?
This refers to Article 45 of GDPR, under which data may be transferred to a country that ensures an adequate level of data protection. This should be the first responsible step for the ICO: to agree on equivalency between the EU and the UK. As UK law and the EU implementation of GDPR closely resemble each other, this should be just a formality. But it is nevertheless an important legal/political agreement that needs to be passed.
This also poses a problem for EU companies wishing to do business with the UK post-Brexit. In that case, EU companies will, under Article 27 of the UK GDPR, need to have a representative in the UK to do business.
Furthermore, there would need to be a discussion with all countries that wish to share data with the UK to establish that they meet the principle of adequacy. The assumption is that countries like Canada, which already meet this requirement, would be accepted.
This would mean negotiation on adequacy not only between the UK and the EU but with any country that wants to share data with the UK post-Brexit, which is going to require a lot of negotiation and administration at a governmental level.
3. End of the one-stop-shop approach to dealing with regulatory authorities.
One of the useful things about GDPR was the one-stop-shop principle, whereby multi-national companies benefited from having to deal with only one supervisory authority. The aim was a uniform application of GDPR-related decisions by supervisory authorities.
Unless UK companies already have a representative in the EU, they will need an Article 27 representative. Most FCA-regulated companies will usually already have this, as they have a presence in Europe. But smaller UK companies would need to go to the expense of setting up the appropriate offices and representatives.
Companies will need to go to the local regulatory authority in each of the countries in which they are doing business to apply for regulatory approval. This is a huge administrative hurdle for a lot of companies working in multiple countries across Europe, as the process will be different for each country.
4. Role of the European Court of Justice (ECJ) jurisdiction and the European Data Protection Board (EDPB) post-Brexit.
Would UK judges follow ECJ decisions post-Brexit, given that any decision would not be legally binding once the UK was out of the EU? This is one of the most intensely debated issues surrounding Brexit: the effect of the ECJ on post-Brexit Britain. However, the decisions of the ECJ would certainly be useful for UK GDPR practitioners, who could refer to the body of European case law. It remains unclear whether that is going to be imported into UK case law.
Equally, after Brexit the European Data Protection Board (EDPB), whilst not legally binding for the UK, will remain but will be less persuasive in influencing UK companies. For UK businesses there is no practical benefit in diverging from the EDPB. It will be interesting to see whether the UK government follows it; that depends on the current political climate. Hopefully, the EDPB will remain politically independent.
5. Relationship with law enforcement and potential conflict with the adequacy agreement.
The use of law enforcement surveillance powers affecting EU citizens' data protection is the big elephant in the room. This was tested in the Schrems case in 2015 and has been a long-standing bone of contention between the EU and the US. The two have quite different approaches to data protection and to the collection of citizens' personal information.
In the Schrems case, a Facebook user, Mr. Schrems, challenged the transfer of data to the US by Facebook, which is incorporated in Ireland. The Patriot Act in the US gives law enforcement access to European data for security reasons, so there is an issue here of US security agencies having unfettered access to EU citizens' personal information. As a result, on October 6, 2015 the Court of Justice of the European Union invalidated the Safe Harbour arrangement which governed data transfers between the EU and the US.
Overnight, data transfers to the US became technically illegal, although nothing practically changed to prevent these illegal data transfers.
Law enforcement and commercial interests are currently considered together in the adequacy discussion. Perhaps one solution would be to treat them separately.
So this could be a problem for the UK government if the EU took the view that the UK was over-friendly in handing over data to US law enforcement agencies, unless there were some agreement separating law enforcement needs for data from commercial uses of data.
What can UK companies do to prepare for a hard Brexit?
While it is clear there are no simple answers to these questions, it would be prudent for UK companies to be thinking about practical solutions for at least the first three. It has proven to be a tumultuous three years so far, and the current political climate does not show any sign of abating.
The irony will be that the decision of 52% of the population in the UK to leave the EU will create more bureaucracy for businesses and reduce British companies' ability to compete on an equal footing with their European and international counterparts.
One thing is for sure: this is a very interesting time to be working in data protection!
My thanks to the GDPR Now podcast for addressing these key questions; it is well worth a listen if you have not done so before.