With a ‘no-deal’ Brexit on the horizon, many could be forgiven for thinking we won’t now need to care too much about GDPR and other data protection legislation once we leave the EU fully. Sadly, this isn’t the case.
Stringent data protection will still need to be a high priority for all UK businesses transferring data to the UK and other parts of the world. And, the punishment for not taking the appropriate action will remain severe. Deal or no-deal, you must be Brexit ready.
The UK will still adopt a data protection framework. While the GDPR itself will be restricted to the EU, the UK’s Data Protection Act 2018 (DPA) became UK law in May 2018 and is just as stringent.
In fact, the DPA came into law two days ahead of the GDPR, and both pieces of legislation have run side by side until now. When the EU transition period ends, we still have to comply, and this includes updating Privacy Notices to detail the change in legal frameworks.
So, what things should businesses be looking out for?
Data transfers between the UK and EU countries
At the moment, the free flow of personal data is permitted between the UK and the EU, as we are all part of the GDPR ‘bubble’. If we leave without a deal, this free flow of personal data will come to an end. So what next?
Well, in the event of a ‘no-deal’, the UK will become what’s referred to as a Third Country. This means we have no adequacy agreement in place with the EU.
While this means UK companies can send personal data to organisations/individuals in the EU, as the EU is judged to be a safe environment, it’s not as simple as getting data transferred the other way.
Any EU company sending personal data to the UK will be unlawfully transferring data, unless Standard Contractual Clauses (SCCs) have been written into existing data sharing agreements.
These SCCs require both parties to make sure the personal data is subject to a level of protection upon arrival into the UK that matches or exceeds the requirements of the GDPR.
While the good news is that the DPA 2018 framework does satisfy the EU’s GDPR legislation, the bad news is that until we are granted official “adequacy” by the EU, this will not be formally recognised. This could also mean EU-based companies might simply stop working with the UK in favour of companies in the EU, or pass any legal costs for new contracts on to the UK business.
In the event of a ‘no-deal’, it may take several years to achieve adequacy. It wouldn’t be a quick process anyway: the EU have already said the UK will have to join the back of the queue, and there will be no special favours.
There are a number of ways to mitigate this, though. The main way will be for each business to appoint a data protection representative who has experience of the appropriate data protection legislation and who is located in the main location of their operation.
If the UK manages to agree a deal with the EU, then the free flow of personal data is likely to be included in the agreement. That means most companies will be unaffected, but a representative may still be required within the UK/EU.
Data transfers between the UK and USA
Earlier this year, the Court of Justice of the European Union (CJEU) ruled in the Schrems II case that Privacy Shield (the US data protection framework) is invalid. This is mainly down to US surveillance culture, which allows for any personal data hosted and/or processed in the US to be intercepted and/or monitored by the security services. As far as the EU and UK are concerned, this is an invasion of privacy.
This means that any business transferring data between the US and the UK/EU must rely on Standard Contractual Clauses (SCCs) in contracts to legalise the transfer.
Without appropriate SCCs in place, the transfer is unlawful, and the sender of the data would be held responsible in the event of a breach/security issue.
When factoring Privacy Shield into the mix, a ‘no-deal’ Brexit may seem more favourable. This is because, if the UK fails to achieve adequacy with the EU, the UK may go against the CJEU’s decision and consider Privacy Shield appropriate.
Hopefully that goes some way to help decipher the impact of a deal/no-deal Brexit on data protection and data transfers across borders. It’s a complicated beast so if you need some support in drafting your own SCCs, reviewing data flows or even handling the UK representation work, give us a call.