To date, the main legacy of the Brexit referendum of 2016 appears to be a country split in half: some badly wish the UK would continue to be a member of the EU and some are equally keen on making a move. Yet, there seems to be at least one thing on which Remainers and Leavers will agree: nobody knows exactly what is going to happen. The same is true of the effect of Brexit on UK data protection. However, as Brexit day approaches, it is becoming imperative for those with responsibility for data protection compliance to make some crucial strategic decisions. To help with that process, here are some pointers about what we know and what we don’t know.
The UK government’s aim
Even before the referendum, it was patently obvious that as far as data protection was concerned, it was in the UK’s best interests to align itself with the ongoing legislative reform in the EU affecting this area. For that reason, the UK government did not hesitate to make it clear at the outset that while Brexit meant Brexit, UK data protection meant the GDPR. With this in mind, in September 2017, the government introduced in Parliament the Data Protection Bill, which is intended to replace the current Data Protection Act and primarily aimed at implementing the GDPR into UK domestic law.
The reason for this stance is and has always been eminently practical: by implementing the GDPR into the new UK data protection framework, the government believes that the UK will be able to maintain its ability to share data with other EU Member States and internationally after Brexit. This optimism is not entirely ill-founded: if today the UK is regarded as a safe jurisdiction for personal data, by retaining the EU’s legal framework irrespective of Brexit, the outcome should not change. However, this logic has already been challenged by the European Commission which in a Notice to Stakeholders of 9 January 2018, indicated that in view of the considerable uncertainties surrounding Brexit, companies were advised to consider how to prepare for the transfer of personal data to a “third country”. In other words, it should not be assumed that the UK will be granted an ‘adequacy decision’ allowing the free flow of personal data from the EU by default.
Transfers of data to and from the UK
Therefore, despite the clear intentions of the UK to adopt the GDPR as its new data protection law by May 2018 – the Bill is scheduled to receive royal assent in March 2018 – the issue of international data flows remains an uncertainty. To make matters worse, the UK may miss an opportunity to strongly argue in favour of its adequacy for EU data. The current version of the EU Withdrawal Bill passed by the House of Commons states that the Charter of Fundamental Rights of the EU will no longer be part of the UK legal framework following Brexit. So unless this is amended by the House of Lords, by doing away with the Charter, the UK will also be removing the status of data protection as a fundamental right, which may in turn affect the country’s status as an “adequate” jurisdiction for the purposes of data transfers from the EU.
Taking this into account, both the UK government and those seeking to import EU personal data into the UK will be focusing on the options available. Whilst adequacy is not out of the question yet, other mechanisms envisaged by the GDPR to provide “appropriate safeguards” for data may need to be deployed. These include:
- contractual arrangements between EU exporters and UK importers,
- Binding Corporate Rules (BCR) for transfers within corporate groups with a UK connection, or
- other newer alternatives such as Codes of Conduct or certification mechanisms once these become available.
Conversely, UK data exporters will need to consider the level of data protection adequacy of other jurisdictions, including those in the EU. It would be inconceivable for the UK not to automatically recognise the EU as adequate for UK data, but at the same time, the political willingness to do so may be affected by the attitude of the EU towards the UK. Something that is likely to happen is that as part of the UK’s special relationship with the US, a new UK-US Privacy Shield – possibly mirroring the existing one with the EU – will be agreed before Brexit happens, which will be of great assistance to avoid a legality vacuum affecting UK-US dataflows.
At least, one certainty affecting international data transfers which has been confirmed by the UK Information Commissioner’s Office (ICO) is that no BCR authorisation will be cancelled because of Brexit. This is certainly reassuring as it will allow UK companies covered by existing sets of BCR to be regarded as safe recipients of data irrespective of the UK’s adequacy status post-Brexit.
The crucial role of the ICO
And speaking of the ICO, it must also be reassuring for the UK regulator that under the new Data Protection Act, the Commissioner will be granted the same powers as their EU counterparts. The ICO has always been a very influential figure among the international regulatory community and it would be hugely damaging to all if that influence was lost at a time when deploying the right approach to privacy and data protection is so crucial for the future of the digital economy.
However, whilst no one will work harder than the UK ICO to try and demonstrate its global leadership credentials, it is by no means clear what role it will play in the context of the all-powerful European Data Protection Board (EDPB). Under the GDPR, the EDPB will enjoy significant pre-eminence as a regulatory body, but as currently envisaged, it will only comprise members from the supervisory authorities of each Member State. A non-EU country like the UK post-Brexit will not be entitled to form part of the EDPB or contribute to its activities. So unless a special arrangement is skilfully negotiated and agreed, UK companies operating across the EU will not be able to benefit from the One Stop Shop provisions.
Does this mean that UK-headquartered international companies should be considering an alternative lead authority to the ICO? As with many other Brexit-related matters, it is still too early to tell, but the most prudent thing to do is probably to work as closely as possible with the ICO while exploring which other European regulator would be the most suitable to act in that capacity. What is clear is that Brexit is testing the strategic thinking of not only the UK government but of those who, being subject to the GDPR, are getting ready to handle personal data in a compliant, effective and ultimately productive way.
Eduardo Ustaran is a partner in the Privacy and Cybersecurity practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email firstname.lastname@example.org. Twitter @EUstaran.