Data Protection after Brexit

Author Furfur
Licence Creative Commons Attribution Share Alike 4.0 International

Jane Lambert

Because of the importance of its financial services industry, preserving an uninterrupted flow of personal data across national frontiers is particularly important to the UK.  At present, such flow is guaranteed by art 1 (3) of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("the GDPR").  When the UK leaves the EU, the GDPR will cease to apply to  this country and the UK shall become a third country for the purposes of Chapter V of the GDPR.

Our exit from the UK will have no effect on the obligations of data controllers and processors in the UK or the rights of data subjects anywhere with regard to UK controllers and processors because s.3 (1) of the European Union (Withdrawal) Act 2018 will incorporate the GDPR into our law.  The Department for Digital, Culture, Media and Sport has confirmed in its guidance note Data Protection if there's no Brexit deal of 13 Sept 2018 that

"[i]n recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU"

though it adds that  the UK would keep this under review.  On the other hand, art 44 of the GDPR makes clear that data controllers and processors in the states that remain in the EU would be able to transmit personal data to the UK only in accordance with the provisions of Chapter V of the regulation.

Art 45 (1) of the GDPR provides:

"A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection."

The  Department for Digital, Culture, Media and Sport's guidance note notes that the "European Commission has stated that if it deems the UK’s level of personal data protection essentially equivalent to that of the EU, it would make an adequacy decision allowing the transfer of personal data to the UK without restrictions." However it adds that while HM government wants to begin preliminary discussions on an adequacy assessment now, the Commission has stated that a decision on adequacy cannot be taken until the UK is a third country. 

Unless and until the Commission makes an adequacy assessment businesses in the UK must rely on one of the other provisions of Chapter V of the GDPR.  The guidance note suggests:

"For the majority of organisations the most relevant alternative legal basis would be standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations on you and your EU partner, and rights for the individuals whose personal data is transferred. In certain circumstances, your EU partners may alternatively be able to rely on a derogation to transfer personal data."

It recommends businesses proactively to consider what action they may need to take to ensure the continued free flow of data with EU partners.

If the British government and EU reach a withdrawal agreement in time for ratification before the 29 March 2019 there will be an implementation period in which the GDPR will continue to apply to the UK until 31 Dec 2020.  What happens after that will depend on the terms of the agreement on the future relationship between the EU and the UK.  At para 3.2.1 (8) of its while paper The Future Relationship between the United Kingdom and the European Union (Cm 9503) the government says:

"The UK believes that the EU’s adequacy framework provides the right starting point for the arrangements the UK and the EU should agree on data protection but wants to go beyond the framework in two key respects:

a. on stability and transparency, it would benefit the UK and the EU, as well as businesses and individuals, to have a clear, transparent framework to facilitate dialogue, minimise the risk of disruption to data flows and support a stable relationship between the UK and the EU to protect the personal data of UK and EU citizens across Europe; and
b. on regulatory cooperation, it would be in the UK’s and the EU's mutual interest to have close cooperation and joined up enforcement action between the UK's Information Commissioner's Office (ICO) and EU Data Protection Authorities."

It is still not clear whether the EU will agree to the white paper proposal or even whether there will be a withdrawal agreement that will allow a transitional period,

Anyone wishing to discuss this article or data protection generally should call me on 020 7404 5252 during office hours or send me a message through my contact form.