This communication provides an overview of the consequences of the Exit Regulations if the UK leaves the EU in a no-deal scenario.
The UK Government has published the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“Exit Regulations”) with the purpose of ensuring the continuous application of the relevant regulatory frameworks when the UK leaves the EU. In short, the UK will transpose the GDPR into UK law, which we will refer to as the UK GDPR.
The Exit Regulations are a Statutory Instrument that amends the GDPR so that it still makes sense for the UK in a post-Brexit world.
Data transfers from EU Member States to the UK
In the event of a No-Deal Brexit the UK will be treated as a third country under EU law, and transfers from the European Economic Area (EEA) to the UK will be subject to Chapter V of the GDPR, which governs international transfers to third countries.
The UK Government has made it clear that it intends to seek an adequacy decision to ensure personal data can continue to flow without restriction between the UK and the EEA. However, the UK will not have adequacy status on exit day, so organisations need to select an alternative mechanism to lawfully continue transferring data from EU Member States to the UK. If your organisation is in the UK and receives data from an EEA country, you may want to consider putting standard contractual clauses in place prior to the UK’s exit from the EU.
Data Transfers from the UK to the EEA (SCCs, BCRs and Adequacy)
Currently, transfers of personal data from the UK to countries outside of the EEA are only permitted if one of the transfer mechanisms of article 46 GDPR is applied (i.e. binding corporate rules or standard contractual clauses) or if the destination country has received adequacy status from the European Commission. The Exit Regulations maintain these restrictions and, because the UK will itself be outside the EEA, transfers from the UK to EEA countries would in principle also be restricted. However, part 3 of the Exit Regulations provides adequacy status to:
- all of the remaining EEA countries as well as Gibraltar
- non-EEA countries which have already been granted adequacy status by the EU Commission or granted adequacy status prior to exit day
- EU institutions and bodies
The UK will be able to make its own adequacy decisions regarding third countries through the UK Supervisory Authority (the ICO). Furthermore, transfers subject to appropriate safeguards provided by standard data protection clauses (Standard Contractual Clauses) and approved BCRs can continue as potential mechanisms for transfers from the UK to third countries. The ICO will continue to approve BCRs and will also be able to provide UK-only standard contractual clauses. Lastly, article 49 GDPR, which contains the derogations, will still be available.
Territorial scope & representation
There will be no change to the territorial effect of the GDPR, as the UK GDPR will apply to any controllers and processors based in the UK as well as those outside the UK that offer goods and services in the UK or monitor the behaviour of UK residents. Organisations outside of the EU that are subject to the GDPR may be familiar with the obligation to appoint an EU representative under article 27 GDPR. They may now also have to appoint a UK representative if the UK GDPR applies to them. Furthermore, the UK GDPR creates a new obligation for organisations within the EU to appoint a UK representative if they are subject to the UK GDPR.
The ICO retains the same level of power as it has under the GDPR when it comes to imposing administrative fines, as the Exit Regulations simply amend article 83 GDPR so that fines are “up to £17,500,000, or [...] up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher”.
Position of the Supervisory Authorities
The Irish Data Protection Commission (DPC) has issued preliminary guidance which is relevant to any Irish entities whose data processing operations involve transfers of personal data to the UK. Additionally, the ICO has issued guidance to UK entities that transfer personal data to and from the UK.
Actions to take
In reality, a large number of organisations will be non-compliant. The DPC is unlikely to have the necessary resources to identify and/or investigate all incidences of non-compliance with respect to UK data transfers. However, should the DPC have cause to investigate an organisation in the event of a breach or complaint, it may be difficult to avoid scrutiny. It is recommended to take steps to ensure the lawful flow of data between the UK and the EEA. The following 8 steps should be considered by organisations:
- Consult the DPO and document the current position of the organisation
- Map the personal data being transferred to the UK currently
- Determine if the transfers will need to continue beyond 30th March 2019
- Reflect on whether transfers could be suspended temporarily
- Consider additional technical and organisational measures that could be temporarily adopted
- Assess the various transfer mechanisms to decide what if any can be put in place before 30th March 2019. Standard Contractual Clauses are the most feasible considering the short amount of time available pre-Brexit.
- Inform key stakeholders in the organisation of the consequences of Brexit on data flows to and from the UK
- Update the risk register
Further information and additional guidance are available from both the Irish DPC and the UK Information Commissioner’s Office.