Brexit and data protection

Damien Welfare sets out what you need to know when it comes to Brexit and data protection.

Changes ahead

How will Brexit affect data protection, and what will happen to the GDPR? If the UK leaves the EU on 31 October this year without a 'deal', the law will change immediately. If there is a withdrawal agreement, which includes a transitional or 'implementation' period after the UK's departure, during which EU law (including data protection) is to continue to be directly applicable, the changes may be delayed (eg to the end of the transitional period), depending on the terms of any such agreement, or legislation implementing it.

The legislation for any immediate changes is already in place. While many of the more than 300 changes to the General Data Protection Regulation (the 'GDPR') and the Data Protection Act 2018 ('DPA 2018') are merely consequential on the UK's departure, some are significant; and a number of provisions are moved around. Organisations may wish to familiarise themselves with the more important of these changes in advance before the EU rules cease to apply directly.

What's new?

The snappily-named Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) - or 'DPPEC' Regulations for short – were made in February this year, in anticipation of an EU exit on 31 March. Most of the regulations are due to come into force either at the date of exit (if there is a 'no deal'), or subsequently (if there is a withdrawal agreement, and a transitional period applies to data protection). A handful are already in force (eg to align the meaning of 'consent' in electronic marketing with that under the GDPR).

The GDPR will remain in place after Brexit, and (after any transitional period, if one were to be agreed) will be incorporated into the country's domestic laws as 'direct EU legislation' under section 3 of the European Union (Withdrawal) Act 2018. The DPA 2018 will also continue after Brexit, as a separate statute, so that it will continue to be necessary to refer to both. The DPPEC regulations, when brought into force, will then amend both the GDPR and the DPA 2018; renaming the former as the 'UK GDPR'.

Some parts of the GDPR will be repealed by the regulations, when they are brought into force. The 'UK GDPR' will, however, have a broader scope than its predecessor; absorbing the present 'applied GDPR', which covers national security, the common foreign and security policy, and manual unstructured data in the public sector.

Some provisions will be moved from the Act to the GDPR (eg on unstructured manual data); or from the GDPR to the Act (eg part of the regime on cross-border transfers of personal data).

Data transfers across borders

The Regulations, when in force, will underpin data transfers from the UK into the EU (and other countries in the European Economic Area, or 'EEA'). Existing 'adequacy' decisions (which automatically allow transfers of personal data between EU countries and other countries or territories considered by the European Commission to have adequate data protection systems) will be deemed, in a new transitional Schedule 21 to the Act, to continue under UK law.

While these transitional provisions will cover transfers out of the UK to those countries, the same will not be true in reverse. The EU is not able to consider whether a member state should receive an 'adequacy' decision until after the member has left and become a 'third country'. As a result (after the EU rules no longer apply directly), transfers into the UK which are currently permitted automatically from other EU/EEA countries, or under the EU's adequacy rules, will need - until this country is granted an adequacy decision - to be transferred under an alternative GDPR mechanism such as Standard Data Protection Clauses (or a legal instrument), or Binding Corporate Rules; or made under a one-off derogation. Local rules may also apply to transfers from countries outside the EEA recognised as having 'adequate' systems.

Transfers from the UK which are currently made under either standard contractual clauses or binding corporate rules will also be covered by the new Schedule 21, once the regulations are brought into force. Transfers the other way under these mechanisms, for example from Germany or France, will continue (after the EU's rules are no longer directly applicable in the UK) to fall under the GDPR as applying in those countries; although detailed changes may need to be made to wording (eg to recognise the UK as a third country).

UK controllers trading or operating in other countries affected should establish with their partners how their transfers of data into the UK will continue to be made lawfully after the EU rules cease to apply directly in this country.

The Regulations will also create a new structure for decision-making on future rules in the UK for data transfers. This will be found partly in the UK GDPR and partly in new sections 17A-17C inserted into the Act.

In relation to transfers to the United States, a combination of the DPPEC regulations and parallel 'DPPEC (No 2)' regulations (SI 2019/485) will, once in force, deem any transfer from the UK to the US to fall within the UK's 'adequacy' regulations, provided the transferee is committed in its Privacy Policy to complying with the EU/US 'Privacy Shield' principles in respect of personal data transferred from the UK. This will support transfers from the UK to many US providers of 'Cloud' services, if the condition is met. Generally, UK controllers may wish to check the position applying to any transfers to an internet or Cloud provider outside the UK, after the EU's rules no longer directly apply.

Other changes

If Brexit proceeds, and once the EU rules no longer apply directly, other changes under the DPPEC Regulations will include:

  • Making the UK Information Commissioner responsible for promoting 'certification' in the future of data processing systems.
  • Ending most of the co-operation mechanisms between the Information Commissioner and EU data protection regulators (while leaving the Commissioner a limited power to develop new means of such co-operation).
  • Removing the 'one-stop shop' from UK controllers affected by data breaches, so that they can expect to have to liaise with data regulators in each country in which their customers or other individuals are affected.
  • Providing for international transfers of personal data for law enforcement processing.
  • Extending the jurisdiction of the UK GDPR to a controller based outside the UK, which is either selling into the UK, or monitoring the behaviour of individuals in the UK (eg by using 'cookies' on its website).

The new drafting

Help is at hand in terms of the expected amendments. So-called 'Keeling Schedules', for both the GDPR and the DPA 2018, show the changes which are intended to be made to the texts after the regulations come into force.

Conclusion

Given the uncertainties surrounding Brexit, the above picture could change, of course (eg if a different withdrawal agreement than its predecessor were to be reached). Controllers may wish to monitor the situation for further developments as to the future data protection regime.

Damien Welfare is a barrister at Cornerstone Barristers who specialises in Information Law.