The United Kingdom’s future relationship with the European Union remains an ever-shifting unknown, causing uncertainty and anxiety for organizations operating within and outside of the UK.
Despite the British Parliament passing a new law requiring the Prime Minister to request Brexit be postponed, Boris Johnson has vowed to go forward with a divorce deal by the October 31 deadline.
With the threat of a No-Deal Brexit looming, organizations should evaluate the potential impact such an exit would have on their data use and protection operations.
Current Governing Regulations
Currently, the EU’s General Data Protection Regulation (GDPR) governs data protection law in the UK. Under GDPR, all organizations in the EU are responsible for any personal data that they process.
GDPR defines personal data as any information that relates to an identified or identifiable living individual, such as a name; an identification number; location data; an online identifier; or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person. GDPR Art. 4(1).
GDPR broadly defines processing data as any operation that is performed on personal data, such as collection; recording; organization; structuring; storage; adaptation or alteration; retrieval; consultation; use; disclosure by transmission; dissemination or otherwise making available; alignment or combination; restriction; or erasure or deletion. GDPR Art. 4(2). “Processing data” captures acts as simple as entering personal data onto a website or social media account.
The UK implemented GDPR with domestic legislation via the Data Protection Act of 2018 (UK DPA).
Both GDPR and UK DPA prohibit transfers of personal data from the EU to countries lacking “adequate” data protection rules. GDPR Art. 44, 45; UK DPA § 37. While the UK remains a part of the EU, other EU countries may freely transfer data to organizations within the UK, as the UK is considered to have “adequate” data protection rules based on its status as an EU member state. Come a No-Deal Brexit, however, this will change.
Governing Regulations Post-No-Deal Brexit
In a No-Deal Brexit, the UK would fall out of the EU without any agreed-upon arrangements covering data protection requirements. In such a scenario, conducting business or allowing any data transfers to UK-based entities will become more challenging, requiring organizations to conduct additional analysis and implement more risk reduction measures to protect against regulatory non-compliance and to potentially mitigate any accompanying fines and sanctions.
A. EU to UK Data Transfers
i. Transfers Prior to an Adequacy Assessment
When the UK exits the EU and becomes a “third country,” the EU will not have officially determined that the UK “ensures an adequate level of protection” for data transfers and processing. Until the EU makes an “adequacy assessment” of the UK’s data processing regulations, personal data transferred from EU organizations to UK organizations will be subject to the data transfer rules set forth in GDPR Arts. 46-49.
These rules require data transfers to be subject to appropriate safeguards or covered by an exception. The appropriate safeguards are:
- A legally binding and enforceable instrument between public authorities or bodies;
- Binding corporate rules;
- Standard data protection clauses adopted by the Commission;
- Standard data protection clauses adopted by a supervisory authority and approved by the Commission;
- An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA;
- Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA;
- Contractual clauses authorized by a supervisory authority; or
- Administrative arrangements between public authorities or bodies that include enforceable and effective rights for the individuals whose personal data is transferred, and which have been authorized by a supervisory authority.
A transfer that is not covered by one of these safeguards may still proceed under one of the following exceptions:
- The individual has given his/her explicit consent to the transfer of his/her data;
- The organization has a contract with the individual and the transfer of data is necessary to perform that contract;
- The organization is about to enter into a contract with the individual, and the transfer is necessary for the organization to take steps requested by the individual to enter into that contract;
- The organization has a contract with an individual that benefits another individual whose data is being transferred, and that transfer is necessary for the organization to either enter into that contract or perform the contract;
- The organization needs to make the transfer for important reasons of public interest;
- The organization needs to make the transfer to establish if it has a legal claim, to make a legal claim, or to defend against a legal claim;
- The organization needs to make the transfer to protect the vital interests of an individual who is physically or legally incapable of giving consent;
- The organization is making a transfer from a public register; or
- The organization is making a one-off transfer that is in its compelling legitimate interests.
ii. Adequacy Assessments
In order for data transfers to the UK to be free from the restrictions set forth above, the European Commission must conduct an “adequacy assessment” of the UK’s data protection policies, which can take months or years to complete. EU regulators and courts have adopted a strict interpretation of “adequacy,” effectively requiring non-EU countries to have data protection standards substantially equivalent to the EU’s in order to be deemed adequate.
This includes guarantees that:
- Data is only processed for the purpose for which it is legally transferred from the EU;
- Data is processed only to the extent necessary for this purpose;
- Data is kept for no longer than necessary for this purpose;
- Data is kept accurate and up to date;
- Data is never further transferred to individuals or entities that do not guarantee an adequate level of protection;
- Processing is done under appropriate security measures to protect against unauthorized or unlawful processing and accidental loss, destruction or damage;
- Additional safeguards are applied to sensitive data revealing health conditions, sexual orientation, political opinions, etc.;
- Individuals are informed about the purpose of processing their data;
- Individuals are allowed access to their data and can request correction/deletion of their data if it is inaccurate; and
- Enforcement mechanisms are in place to ensure compliance with the above, including an independent public authority and avenues for judicial and administrative redress.
During an adequacy assessment, the EU will also evaluate the UK’s general rule of law and legal protections for human rights and fundamental freedoms.
Adequacy Decisions are subject to periodic reviews at least every four years. The Commission can repeal, amend or suspend Adequacy Decisions for jurisdictions no longer ensuring an adequate level of data protection. (GDPR Art. 45).
Until the UK is granted adequacy status, EU-based organizations must be mindful of the stricter data protection requirements and work to ensure compliant transfers of personal data between the UK and EU. At a minimum, organizations should:
- Review contracts and amend as necessary to delineate the obligations of both parties to protect the individual rights of those whose data is being transferred.
  - For new contracts, contractual clauses based on European Commission-provided model language should be added.
  - For existing contracts, a data protection appendix should be added and existing terms should be reviewed to avoid ambiguity.
- Review and update all references in governance records and transparency notices to reflect the post-Brexit position of the UK. This may require changes to:
  - Privacy Notices;
  - Data Protection Impact Assessments; and
  - Third-Party Contracts.
B. UK to EU Data Transfers
When the UK leaves the EU, GDPR will no longer have direct effect in the UK. However, the UK’s domestic laws and regulations implementing GDPR will remain in place, including the UK DPA and the Privacy and Electronic Communications Regulations of 2003, which prohibit automated, recorded telemarketing calls without the prior consent of the subscriber. Because EU member states must abide by GDPR, they will meet the requirements under the UK DPA. This means data transfers from the UK into the EU will be unaffected by a No-Deal Brexit.
C. UK to US Data Transfers
The EU and US established a regulatory framework under the EU-US Privacy Shield to govern transatlantic exchanges of personal data for commercial purposes. The Shield enables US companies to more easily receive personal data from EU entities subject to EU privacy laws, without the US having to go through a full adequacy assessment. Post-Brexit, organizations seeking to rely on the Privacy Shield for UK/US data transfers must:
- Update their Privacy Shield commitments to specifically state that the commitment extends to personal data received from the UK in reliance on Privacy Shield; and
- Continue to maintain a current Privacy Shield certification, recertifying annually.
D. Dual Regulatory Exposure
If an organization conducts data processing activities in both the EU and the UK, or it targets customers or monitors individuals in the EU from the UK, or vice versa, the company may be subject to regulations under both the EU and UK versions of GDPR.
UK organizations that offer goods and services to EU citizens or monitor the behavior of EU citizens post-Brexit must nominate a representative in one of the EU member states and identify this representative in all privacy notices. GDPR Art. 27. This designated representative is a third party that agrees to act on behalf of the UK organization, including serving as a direct contact for government authorities and users/customers. The designated representative will be the authorized agent to receive legal documents for the UK organization, and it will be tasked with maintaining records of processing activities and cooperating with supervisory authorities upon request. Importantly, the designated representative is also legally accountable for the actions of the UK organization, and it can be subject to enforcement proceedings itself in the event of non-compliance by the UK organization.
Given the bedlam surrounding the UK’s departure from the EU and the upcoming October 31 deadline, organizations with data protection concerns should also:
- Identify applicable EU and UK lead supervisory authorities;
- Evaluate and potentially relocate data center locations serving EU customers;
- Appoint a separate data protection officer for both the UK and EU; and
- Ensure the organization is registered with the ICO for processing activities in the UK.
Organizations should consult the European Data Protection Board, the UK’s Information Commissioner’s Office and the UK Government’s Department for Digital, Culture, Media & Sport for further guidance on managing the impact of Brexit on data protection.