As we wait for the UK to decide what arrangement it will seek with the European Union (the "EU") when it leaves, it may be useful to focus on what Brexit may mean for data protection.
Two months after the European Parliament voted on the new EU General Data Protection Regulation (“GDPR”, available here), the UK voted to leave the EU. This has generated much uncertainty, as many companies that were preparing to comply with the GDPR are now wondering what they should do, especially with regard to transfers of personal data between the remaining 27 EU countries and the UK after Brexit.
The key points as regarding the impact of Brexit on businesses in the UK appear to be the following:
1. Likely, the GDPR will apply before the UK actually leaves the EU. On 16 September 2016, Donald Tusk, President of the European Council, said that British Prime Minister Theresa May had told him it is quite likely that the UK will trigger the EU exit procedure in January or February 2017. In that case, pursuant to Article 50(3) of the Treaty on the EU (available here), in principle the UK would leave the EU two-years later, in January or February 2019. Since the GDPR will apply as from 25 May 2018, it would then already be in force in the UK for several months before Brexit.
We should note, however, that this is not yet clear. It is possible that the two year period could be extended by agreement between the UK and the EU. It is also possible that matters could go faster. Notably, on 22 September 2016, British Foreign Secretary Boris Johnson said that negotiations could be shorter and that the UK may not need two-years to leave the EU (statement available here). Others are also starting to talk about the need for a Transitional Agreement (see below). So, while this remains uncertain, we note simply that the GDPR may well apply in the UK before Brexit.
2. The GDPR will apply to many UK companies even after Brexit. Because of the GDPR's wide jurisdictional reach, it will apply to any businesses which are incorporated in the UK and have an establishment processing personal data within the European Economic Area (the “EEA”). The GDPR will also apply to the processing of personal data of individuals who are in the EEA, by businesses which are incorporated in the UK, but do not have any establishment in the EEA, where such processing is related to the offering of goods or services to such individuals or the monitoring of their behavior.
3. If the UK joins the EEA, the UK would have to adopt the GDPR. In principle, the UK might leave the EU and join the EEA, which currently includes all the EU Member States, plus Iceland, Liechtenstein and Norway. Joining the EEA would enable the UK to be part of the EU Single Market but, pursuant to Article 7 of the EEA Agreement (available here), the UK would have to comply with relevant EU laws relating to the four freedoms of the EU Single Market, including the GDPR. However, since in its Brexit Referendum the UK appeared to be against what is perceived as a continuing loss of sovereignty and in particular the free movement of people, in practice, it appears rather unlikely that the UK would decide to join the EEA.
4. A possible Brexit scenario would be that the UK might seek to agree a “Swiss style solution” with the EU, meaning a specific UK-EU framework Free Trade Agreement (“FTA”) allowing for access to the EU Single Market in all or part. To ensure that UK-based companies would be able to benefit to the fullest extent possible from access to the EU Single Market, the FTA likely would need to include a commitment by the UK to adopt the GDPR or, alternatively, the UK could decide to enact legislation in line with the GDPR.
Notably, even though Switzerland was not bound by the EU Data Protection Directive (available here), Switzerland implemented very similar provisions into its national law and then received an “adequacy decision” from the Commission in 2000, meaning a Commission decision accepting that Swiss law provided an adequate level of protection of personal data (available here). This enables companies to freely transfer personal data to and from Switzerland.
Switzerland has already indicated its intention to retain its adequacy status under the GDPR, which involves adopting provisions similar to the GDPR. The UK could attempt to follow the same path, although as discussed below, there may still be some other issues to overcome.
5. Another Brexit scenario could be that the UK would try to obtain an “adequacy decision” from the Commission for its own data protection laws, whether or not it seeks a broad-based FTA with the EU. In this case, the UK would apply for an “adequacy decision” from the Commission for its own legislation (rather than adopting the GDPR), so that businesses could freely transfer personal data from the EU to the UK.
However, this might not be an easy task. Notably, in the October 2013 Schrems judgment regarding the Commission's Safe Harbor decision (a decision enabling companies to freely transfer personal data from the EU to the United States, subject to certain conditions) the Court of Justice of the EU limited the Commission's possibility in this respect where the powers of intelligence services go beyond what is necessary and proportionate (the judgment is available here).
With this in mind, data protection authorities in the EEA might raise criticism of the powers of the UK's security services. For example, Jan Philipp Albrecht, the European Parliament rapporteur of the GDPR, indicated in his official Twitter account that he doubted whether the UK could obtain adequacy as there would be “less safeguards for intelligence services [in the UK] than in the [United States]”. This issue would be examined by the Commission if the UK applies for a Commission adequacy decision. EU data protection activists are also bound to monitor that process closely.
6. “Mind The Gap!” Historically, it has taken three to four years to obtain an EC “adequacy” decision. If the Commission does not treat the UK as an exception, likely it will take three to four years after the UK leaves the EU until the Commission issues an adequacy decision on the UK system.
In the interim, this may mean that companies will have to look for alternative solutions in order to transfer personal data from the EEA to the UK in compliance with EU data protection rules. Such solutions include concluding Standard Contractual Clauses (“SCCs”), i.e. model contracts approved by the Commission for the transfer of personal data outside the EEA (available here), or adopting Binding Corporate Rules (“BCRs”), i.e. binding commitments on transfers of personal data within the same group to entities located outside the EEA (see here).
The issue of a “gap” between Brexit and any future FTA is developing as a hot topic now, not just for data protection, with many arguing that a transitional agreement must be concluded before the end of the two year period referred to above, pursuant to Article 50 of the Treaty on the EU (See, e.g. Martin Wolf in the Financial Times, 20 September 2016, here).
In any event, in practice, companies should plan to “bridge the possible gap”.
7. There is also uncertainty as to the UK Information Commissioner's Office (“ICO”)'s continuing role as the “lead authority” in reviewing UK-headquartered companies' BCRs applications (i.e. the authority handling the co-operation procedure amongst the other European Data Protection Authorities). Businesses in the UK which are currently contemplating whether they would apply for approval of BCRs to the ICO should bear in mind that there is uncertainty about the role of the ICO in the BCRs approval process, if such approval is not granted before the UK leaves the EU, and the transition of the “lead authority” role to a different data protection authority in the EEA. These topics should be discussed early with the ICO and other relevant DPAs.
In any event, businesses in the UK should continue to prepare for the GDPR for three reasons.
First, it is likely that the GDPR will apply to them before the UK actually leaves the EU.
Second, it appears likely that either the UK will adopt the GDPR itself in the end, or at least similar data protection laws in order to secure the continued flow of personal data with the EU.
Third, there will be many instances where the GDPR will apply to UK businesses even after Brexit, either because such businesses have establishments in the EU/EEA, or because processing of personal data of EU/EEA residents is related to the offering of goods or services to such individuals or the monitoring of their behavior