What is this about?
For many businesses one of the most critical areas of compliance post-Brexit will continue to be data protection. It is still a hot compliance topic and Brexit does add complexities.
Will Brexit have an impact?
Brexit will clearly have an impact on data protection. It should also be stressed that maintaining personal data flows between the UK and the EU, and maintaining data protection standards, have a high profile in the Brexit process. Key issues that need to be addressed and developed include the following:
- Top of the list will be whether the EU can award so-called “adequacy” status to the UK (to add to the dozen or so countries that have this e.g. Canada). Whilst it is hoped that the UK has a strong chance of getting this status there will be some challenges and obstacles, not the least being the UK’s sweeping surveillance legislation (the Investigatory Powers Act 2016). This process could therefore still take years. It is important to stress though that to be adequate, UK data protection law does not need to be identical to EU law. The UK Data Protection Act 2018 (see our alert here: http://www.corderycompliance.com/client-alert-uk-data-protection-bill/) effectively mirrors GDPR so would likely be good enough. In addition, for an adequacy decision, but some in the European Parliament see surveillance as an issue just as they object to Privacy Shield for the same reasons. The fact that Theresa May, who pushed some of these surveillance laws through the UK Parliament when Home Secretary, is now leading the UK’s end of the Brexit negotiations could add complexity.
- Although GDPR is part of UK law and the UK now has the Data Protection Act 2018 in place, meaning that the UK should be in a good data protection position following Brexit, a number of issues will nevertheless need to be resolved between the UK and the EU. See here for a previous article that we wrote about this topic: http://www.corderycompliance.com/client-alert-eu-uk-brexit-data-protection-positions-update/.
- Will the UK continue to participate in the activities of the European Data Protection Board (the successor to the WP29) and if so how, especially as regards the so-called One-Stop-Shop? There is more on this below.
- What will be the status of personal data processed before the UK leaves the EU (i.e. what principles will apply as regards what data can be kept and what must be erased etc.)?
- What will be the status of other issues post-Brexit concerning the UK and data exports e.g. existing Binding Corporate Rules?
- How will the UK’s own post-Brexit data protection regulatory regime develop within the prism of GDPR, e.g. will the UK adopt its own Model/Standard Contractual Clauses, will the UK try to adopt a UK-US Privacy Shield, or will Data Protection Representatives continue to need to be appointed in the UK and/or for UK entities in the EU?
- Last but not least, will the European Court of Justice continue to have jurisdiction over data protection matters and the UK for a period post-Brexit, e.g. whilst an adequacy application for the UK is processed?
These issues are a constantly moving target, but the latest developments on some of them from a UK perspective were set out in the UK Prime Minister’s July 2018 White Paper “The Future Relationship Between the United Kingdom and the European Union” (“the White Paper”). Two key statements of the UK’s intentions in the White Paper are as follows:
- “3.2.1 The continued exchange and protection of personal data – The UK believes that the EU’s adequacy framework provides the right starting-point for the arrangements the UK and the EU should agree on data protection but wants to go beyond the framework in two key respects: a. on stability and transparency, it would benefit the UK and the EU, as well as businesses and individuals, to have a clear, transparent framework to facilitate dialogue, minimize the risk of disruption to data flows and support a stable relationship between the UK and the EU to protect the personal data of UK and EU citizens across Europe; and b. on regulatory co-operation, it would be in the UK’s and the EU’s mutual interest to have close co-operation and joined up enforcement action between the UK’s Information Commissioner’s Office (ICO) and EU Data Protection Authorities. […] The UK is ready to begin preliminary discussions on an adequacy assessment so that a data protection agreement is in place by the end of the implementation period at the latest, to provide the earliest possible reassurance that data flows can continue”;
- “3.2.2 Ongoing cooperation between Data Protection Authorities – In the context of globalised data flows, cross-border co-operation between domestic data protection authorities is important in monitoring data protection standards and enforcing standards effectively. The ICO is an internationally respected, influential and well-resourced regulator in this regard. As a result, the future UK-EU arrangements on data protection should provide for ongoing co-operation between the ICO and the EU data protection authorities. This would avoid unnecessary complexity and duplication, and overcome barriers for EU citizens and UK nationals in enforcing their rights across borders and accessing effective means of redress. A continuing role for the ICO would also reduce administrative burdens for businesses and provide for co-operation on resolving disputes. Under the new EU data protection regime, this is achieved through the ICO’s participation in the One Stop Shop mechanism. The UK believes its proposals on regulatory cooperation between data protection authorities are in line with the EU’s developing thinking on co-operation with third countries on data protection. The GDPR recognizes that the European Commission and EU Data Protection Authorities shall take steps to develop international co-operation mechanisms to facilitate effective enforcement of data protection legislation. The Commission’s January 2017 Communication recognised that “enhancing co-operation with relevant primary enforcement and supervisory authorities of third countries is increasingly necessary” and that cooperation between these authorities could make the protection of individuals more effective. The Commission also noted that “economic operators would benefit from a clearer legal environment where common interpretation tools and enforcement practices are developed at a global level.” On this basis, the Communication states that “the Commission will develop international co-operation mechanisms with key international partners to facilitate effective enforcement.””
How the EU responds to this and how it might work out in concrete terms remains to be seen.
What about BCRs and the EDPB?
It is too early to say whether the UK will still have a seat at the table at the European Data Protection Board (EDPB). Much may depend on any adequacy decision. There may however be a glimmer of light in a recent decision by the EEA Joint Committee. On 6 July 2018 the Committee agreed to the admission to the EDPB of DPAs of EFTA countries. They can “participate fully” in EDPB meetings. However, they cannot vote or stand for election as Chair or Deputy Chair.
This may be the best the UK could hope for. Participation in the EDPB in this way may still allow the ICO to be the lead DPA for BCRs and to participate still in the One-Stop-Shop aspects of GDPR. At this time however, that is by no means guaranteed.
Resources
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our EU Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary. We’ve also written on other Brexit topics here – http://www.corderycompliance.com/category/brexit/. Cordery’s Brexit task force includes lawyers experienced in dealing with UK & EU authorities on a wide range of compliance issues.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance – for more on GDPR Navigator please see here: http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/. GDPR Navigator includes the following resources:
- A Guidance Note on accountability and audit;
- A Guidance Note on appointing processors;
- A Guidance Note on determining who is the data controller and data processor;
- A comprehensive Glossary of data protection terms;
- A Guidance Note on fine determination; and
- A 35-minute film on key aspects of GDPR.
For further information
You can also find our alerts on other Brexit topics here (http://www.corderycompliance.com/?s=brexit). We also have a Brexit Newswire. If you are interested in our Brexit Newswire please email André Bywater on the address below.
See also our short film here on Brexit and Compliance where André Bywater & Jonathan Armstrong discuss how compliance might change post-Brexit. They look at a number of distinct areas of compliance including modern slavery, sanctions and data protection and walk through what businesses might want to do now to make sure they comply.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
André Bywater
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com
Jonathan Armstrong
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com