The UK government published on its website an explanatory note outlining the possible scenarios in the field of data protection in case no Brexit deal is reached.[1]
Based on this note, the following document summarises the prospects presented by the UK government regarding the data protection situation after Brexit. In order to provide a more complete overview, we have also drawn on other sources to supplement the information.
The government firstly makes it clear that there will be no immediate change in the data protection standards in the UK. The Data Protection Act 2018, which sets the current standards, will remain in force and together with the EU Withdrawal Act it will incorporate GDPR in the UK legal order.
Nevertheless, due to the UK leaving the EU, there will be changes regarding the ways in which personal data transfers take place between the UK and the EU. The ultimate solution has not been agreed yet but, in line with our recommendations in our recent Study concerning data protection aspects after Brexit[2], there are a few possibilities:
1. An adequacy decision
Based on Article 45 of Regulation (EU) 2016/679, the European Commission can determine whether a third country ensures “an adequate level of data protection”, comparable to that of the EU. A country can provide such a level of data protection through its domestic legislation or the international commitments it has entered into. Issuing an adequacy decision for the UK would greatly facilitate the exchange of personal data between the EU and the UK, as no further safeguards would be required. The transfer of personal data would take place in the same way as intra-EU exchange.
It seems that, at least for the initial period following the UK’s withdrawal from the EU, an adequacy decision will not be an option. This is because the European Commission has not yet indicated a timetable for the assessment process, and the decision on adequacy cannot be taken before the UK becomes a third country.
Additionally, as we have pointed out in our Study[3], an adequacy decision will not be sufficient for public sector personal data exchanges. A multitude of legal instruments exists beyond general data protection law that determine which countries may participate in information exchanges, and on which basis. An adequacy finding would thus need to be complemented by a broader legal basis in the form of a legal agreement that would authorise the UK and EU to continue to participate in information exchanges.
However, it seems that this would be the option preferred by the UK government. The White Paper published in July 2018 encourages an “adequacy-plus” style agreement (meaning a unique situation allowing the ICO to be a member of the European Data Protection Board and to serve as a lead supervisory authority under the GDPR, even though the UK will be a third country) between the EU and UK following Brexit.
The UK government also considers other potential solutions:
2. Standard contractual clauses
Model data protection clauses are ready-made sets of clauses prepared by the European Commission, which can be implemented between individual companies rather than at state level (and hence can take effect the moment the UK leaves the EU, without further delay). When embedded in a contract, such clauses would also enable the free flow of personal data between EU and UK companies. The European Commission has prepared a number of sets of clauses for transfers between data controllers in the EU and data controllers / processors outside the EU, which can be included in contracts and which ensure adequate protection. A full set of clauses provided by the EC has to be incorporated in the contract – the provisions may not be split or modified in any way.
3. Privacy Shield
Another option discussed with regard to the EU-UK relationship in the area of data protection after Brexit is an agreement similar to the EU-U.S. Privacy Shield. The EU-U.S. Privacy Shield subjects U.S. companies to strict rules in order to protect EU citizens’ personal data. The Privacy Shield requires the U.S. to cooperate closely with European Data Protection Authorities, as well as to monitor and enforce the relevant rules and safeguards, including written commitments and assurances regarding access to data by public authorities. The Privacy Shield is jointly administered by the U.S. Department of Commerce and the European Commission. On 12/06/2016, the EC declared the EU-U.S. Privacy Shield adequate to enable data transfers under EU law.
Although this scenario has been widely discussed in the media as a possible option, nothing has been decided in the negotiation process that would suggest an agreement of this kind will be implemented any time soon.
4. Binding Corporate Rules
Within a multinational company, an adequate mechanism to transfer personal data may also be established by adopting Binding Corporate Rules. These are, in essence, strict and legally binding rules, approved by the Lead Supervisory Authority[4] and enforced by the company itself, which guarantee the same level of data protection as within the EU.
The BCR need to cover all the rights and obligations included in the GDPR; for instance, all the data subject’s rights need to be observed and there needs to be an effective monitoring system in place. In the case of the UK as a third country, BCR would be introduced by the offices of a given company located in the EU in order to cover its UK branches.
—————————————————————————————————————————————————————
[1] Guidance: Data protection if there is no Brexit deal; 13/09/2018; https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal#before-29-march-2019; last accessed 17/10/2018.
[2] The future EU-UK relationship: options in the field of the protection of personal data for general processing activities and for processing for law enforcement purposes; European Parliament, Policy Department for Citizens’ Rights and Constitutional Affairs Directorate General for Internal Policies of the Union, August 2018, available at http://www.europarl.europa.eu/RegData/etudes/STUD/2018/604976/IPOL_STU(2018)604976_EN.pdf, last accessed 17/10/2018.
[3] Ibidem.
[4] The Lead Supervisory Authority is the supervisory authority of the main establishment or of the single establishment of the controller or processor, as per Article 56 GDPR.