Brexit No-Deal: Data Protection Impacts
16 Jan 2019
Yesterday (15 January 2019), MPs voted against Theresa May’s proposed Brexit deal and the PM today faces a vote of no-confidence. If May survives the vote, she will have three working days to come up with and present to MPs a “Plan B”. Failure to receive backing for Plan B could result in a “no-deal” Brexit. If the no-confidence vote succeeds, there is likely to be a general election and time continues to tick towards 29 March and a “no-deal” Brexit.
Here, data protection experts from commercial law firm Kuits set out the potential implications of this for data protection and explain why it is imperative that businesses now identify where personal data is being transferred between the UK and the EU.
Currently, the key laws governing data protection in the UK are the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018. The GDPR is directly applicable in the UK as a result of the UK’s membership of the EU. Following Brexit, it is intended that the GDPR will continue to apply by virtue of the Government passing laws to implement it directly into UK law. This means there will be no real difference to the data protection laws with which businesses need to comply as a result of Brexit. However, how these apply to UK businesses will change.
What will change?
The key area which will be affected by Brexit is international transfers of data. Personal data is freely transferable within the European Economic Area (“EEA”) (which currently includes the UK). Appropriate measures need to be in place when transferring personal data to countries outside of the EEA, the most common of which are:
1. that country has been determined by the European Commission to provide adequate protection;
2. standard contractual clauses are in place between the parties; and
3. binding corporate rules are in place between the parties (this generally only applies to group companies).
In the event of a no-deal, on 29 March 2019 any transfers between the UK and EU will be unlawful unless appropriate measures have been put in place. The government has indicated that it will apply for an adequacy decision, but there is no certainty that this will be awarded and no definitive timeline for any grant of adequacy. Accordingly, following 29 March, most lawful international transfers will be reliant on the application of standard contractual clauses.
The government has already indicated that it will deem EU member states ‘adequate’, and therefore no further protections will be required for transfers from the UK to the EU. However, for transfers from the EU to the UK, the same will not apply (and so contractual provisions will need to be in place).
What does this mean in practice?
Businesses should now be identifying where personal data is transferred between the UK and the EU. This will include where any software providers/cloud storage providers are located outside of the UK. Businesses will need to implement standard contractual clauses with such providers prior to 29 March 2019 to avoid any disruption to data transfers.
In practice, given that it is transfers back to the UK which are most affected, service providers are likely to issue standard contractual clauses to their customers to avoid any disruptions to service. However, customers will still retain ultimate responsibility for their service providers and should not take this for granted. Equally, there are other parties which will be reliant upon the UK counterparty to take the lead on this project.
One Stop Shop: International businesses will no longer be able to benefit from the One Stop Shop principle set out in the GDPR (which seeks to prevent multiple parallel investigations) and could, if any breach of the data protection laws affects individuals in the UK and an EU member state, be subject to parallel investigations from both the ICO and the relevant supervisory authority in that member state. It is worth businesses considering and identifying which supervisory authorities could have jurisdiction over their activities.
Contracts: Businesses should be reviewing their documentation (including their contracts) for references to the EU and updating these as necessary.
US Transfers: The US Department of Commerce has confirmed that the UK will still be able to benefit from the provisions of the Privacy Shield, provided that the relevant US organisation updates its public commitment statement to include reference to the UK and continues to comply with the Privacy Shield in the usual way.
If you require any advice in respect of implementation of standard contractual clauses and the impact of Brexit on your data protection compliance, please contact us or call our data protection team on 0161 838 7986.