[co-author: Francesco Palma]
With the end of the Brexit transition period rapidly approaching and the United Kingdom (UK) poised to become a “third country” after it leaves the European Union (EU), the UK and the EU have yet to reach any “deal” on how the transfer of personal data should be dealt with starting January 1, 2021. With the negotiations deep into their final phase, the advice from regulators, including the UK’s Information Commissioner’s Office (ICO), is that organisations should be taking steps to prepare for the UK becoming a third country (for the EU data protection regime) after Brexit.
This update covers five questions companies should consider to prepare for Brexit from a privacy and data security perspective. As the post-Brexit landscape becomes clearer, we will publish a deep dive on each of these five questions to address the privacy-related legal and operational challenges posed by Brexit.
1. Does the General Data Protection Regulation (GDPR) still apply in the UK post-Brexit? Do I have yet another privacy law to consider?
- From January 1, 2020, the GDPR will be retained in UK domestic law. This “new” law will be known as the “UK GDPR.” The UK GDPR will sit alongside an amended version of the UK Data Protection Act 2018.
- While the UK GDPR will contain the same legal standards and obligations as the GDPR-proper on January 1, 2021, the UK will theoretically be able to change the UK GDPR and so diverge from the GDPR. Whether that happens or not will largely depend on how closely aligned the UK wishes to be with the EU.
- In practice, this means that while you need to do your privacy housekeeping (see point 5 below), you will not need to make substantive changes to your privacy program now because, in the short term, UK GDPR is unlikely to diverge from the GDPR. Keep an eye out for any future changes to UK GDPR as the UK has made noise about its intention to diverge from EU standards in the future.
2. Who is my Lead Supervisory Authority?
- Post-Brexit, organisations that operate in the UK and the EEA will have two data protection regimes to consider: the EU regime (governed by the GDPR) and the UK regime (governed by the UK GDPR).
- Technically, under the GDPR no one has to “do” anything regarding identifying/appointing a Lead Supervisory Authority (LSA) in the EU. However, businesses need to understand who they consider to be their LSA for several reasons (e.g., reporting a personal data breach).
- Unfortunately, you cannot simply choose your LSA; this restriction exists to prevent “forum shopping.” The location of your LSA reflects the administrative and decision-making reality for data processing activities within your organisation.
- Your LSA will be the data protection authority (DPA) in your “main establishment.” Your main establishment will most likely be the place of central administration in the EU unless the critical decisions about the processing of personal data are taken in another EU establishment.
- If no such establishment exists (for example, where these decisions are taken entirely outside the EU), there will be no main establishment in the EU for the GDPR. In that case, you will not be able to take advantage of the one-stop-shop mechanism.
- Just because you determine that a particular member state’s data protection authority is likely to be your LSA, this does not bind any EU data protection authority. Any EU national data protection authority can determine that it has a residual right to enforce the GDPR where an infringement impacts that country’s data subjects (see CNIL v Google).
- Under UK GDPR, if you continue to process personal data in the UK or process data of UK citizens from January 1, 2021, in addition to the EU regime, you will need to register or stay registered with the ICO. The ICO will remain the independent supervisory body regarding the UK’s data protection legislation and UK data subjects’ rights.
- In practice this means that there are two regimes. If you fall within the remit of GDPR you will need to consider which EU DPA is likely to be your LSA in the future. To do this, you should consider whether you have another establishment in the EU that would now be considered your “main establishment.” If you fall within the remit of the UK GDPR, you will likely need to be registered with the ICO.
3. Do I need to appoint an EU and/or UK representative?
- If your business is based outside the UK, (i) your current EU representative is based in the UK and (ii) you sell to or monitor individuals in the EU, you may need to appoint a new EU representative in an EU member state to comply with the GDPR.
- If your business is based outside the UK, (i) your current EU representative is based in another EU member state and (ii) you sell to or monitor individuals in the UK, you may need to appoint a UK representative to comply with UK GDPR.
- In the case of a UK representative, that may be an individual, a company or an organisation established in the UK, and it must be able to represent you regarding your obligations under the UK GDPR.
- In practice, if you do not have an establishment in the UK or the EU, you need to think about where you need to appoint a representative to act on your behalf under both UK GDPR and GDPR. These appointments should be carefully documented to make sure that the role of the representative, and the extent to which they can/cannot act without instruction, is tightly controlled.
4. Do I need to do anything regarding international transfers to/from the UK?
- If a deal is reached between the EU and the UK, the EU may determine that cross-border data transfers from the EU to the UK, or onward transfer from or to the UK, are permitted without further authorisation (often referred to as an “Adequacy Decision”). An Adequacy Decision essentially means that the EU has determined that the third country (i.e. the UK) has an adequate data protection level.
- If an Adequacy Decision is made, organisations can continue to lawfully transfer data from the EEA to the UK without the need for additional legal or contractual measures.
- If there is “no deal” or any deal does not contain an Adequacy Decision, this will result in an additional layer of complexity when it comes to international data transfers between the UK and the EU.
- The UK government has already adopted the position that no additional transfer mechanism is required to allow for the lawful transfer of personal data from the UK to the EEA post-Brexit.
- If there is no Adequacy Decision, you will need to identify an appropriate “transfer mechanism” for data transfers from the EEA to the UK. In most cases, the simplest transfer mechanism will be Standard Contractual Clauses.
- Following the Schrems II decision, you should have updated your data mapping and have begun to think about the extent to which it is necessary to transfer data from the EEA to the UK. Where transfers are necessary, organisations need to identify what safeguards they need to have in place to lawfully transfer this data. Post-Brexit, in the absence of an Adequacy Decision, the same analysis will need to be conducted regarding transfers from the EEA to the UK.
- In practice, unless there is an Adequacy Decision, you will need to devise a plan to ensure that personal data flows between the EEA and the UK (prioritising critical, sensitive or high-volume data transfers) can continue lawfully on January 1, 2021. Consider entering into Standard Contractual Clauses to govern both intra-group and external data transfers from the EEA to the UK.
5. Have you done your “privacy housekeeping”?
In addition to thinking about the more substantive issues set out above, there are some general “housekeeping” issues that will require your attention over time:
- Update your privacy notices to refer to the UK GDPR and any appointed UK representative.
- Update your Record of Processing Activities to reflect the transfer mechanism used for transfers from the EEA to the UK (unless an Adequacy Decision is reached).
- Review any relevant Data Protection Impact Assessments to reflect the appropriate additional safeguards that are in place for transfers to the UK.
- Update the data protection sections of contracts between the group companies and with external third parties.