Since our last update on the effects of Brexit on data privacy, we have seen an immense flurry of activity and controversy around Brexit. In our previous update, the Brexit deadline was looming – 12 April 2019 – but as you will know, this deadline came and went. We then braced ourselves for the next deadline – 31 October 2019. This deadline has now also been and gone. We now look towards a new deadline – 31 January 2020 – but before then, we also have the highly anticipated fun and games of a general election, just a month away, that could have a further significant impact on Brexit.
Over the past year, we have seen many speculative articles, press coverage and online discussions about how Brexit will affect industries in the UK and globally. From a data privacy perspective, despite much discussion, the position for companies in the UK has not changed since our previous update (see below for further details). What has changed since then is the public engagement and guidance from the UK’s supervisory authority, the Information Commissioner’s Office (the “ICO”). Those working in data privacy have benefitted in recent months from the ICO’s various emails and publications on the effects of Brexit (aimed at small and medium sized companies in particular), which have provided further information on certain topics and confirmation on what were previously grey areas. Whether or not there is a deal, and whether or not there is a transitional period, the ICO has confirmed what the data privacy position will be after 31 January 2020, so it is sensible, and indeed advisable, to work towards post-Brexit compliance now.
Legislative landscape post-Brexit
The General Data Protection Regulation (“GDPR”) has been, without doubt, the most influential piece of legislation ever to come into force in relation to data privacy. It seeks to protect the personal data of individuals and enhance the rights they have over their personal data. The GDPR also promotes free movement of personal data around Europe on the expectation that organisations within EU countries are all working to the same high level of security and compliance. It is therefore unsurprising that the UK government plans to incorporate the GDPR into UK law, alongside the Data Protection Act 2018, following the UK’s exit from the EU. Having legislation in place in the UK that mirrors the GDPR will ensure those organisations based in the UK continue to work to the same standard set by the GDPR as they are currently which will, in turn, satisfy other businesses in the EU and globally. UK organisations will therefore continue to be at the forefront of data privacy and security.
It is worth highlighting at this stage that if an organisation established in the UK offers goods or services to individuals in the EU, or monitors the behaviour of individuals in the EU post-Brexit, it will have to comply with both the UK legislation and the GDPR. A common example in this regard would be an online retailer based in the UK that offers its goods globally.
So what effects will Brexit have on data privacy?
We discuss below the key areas of data privacy compliance that will likely be impacted by the UK’s exit from the EU and suggest steps organisations can take to ensure continued compliance.
The biggest impact Brexit will have on data privacy is undoubtedly in relation to data transfers. As noted above, personal data can currently move freely around the European Economic Area (“EEA”) such that, for example, organisation A in the UK can send organisation B in France personal data for lawful processing without taking any additional steps to make the transfer lawful.
As many readers will know, this free movement of personal data to a country outside the EEA (known as a “third country”) is not permitted as a general principle under the GDPR, unless certain conditions are met. Any such transfer of personal data is known as an “international transfer”. Unless the personal data is being sent to a third country which has been deemed “adequate” by the European Commission (the European Commission having determined that the relevant transferee country handles personal data at a sufficient standard), organisations sending and receiving data must rely on one of the transfer mechanisms provided for under the GDPR for such international transfer to be lawful. Of the various available mechanisms (as provided in Article 46 of the GDPR), the most commonly used are:
- Standard Contractual Clauses (SCCs): Organisations may enter into the Standard Contractual Clauses approved by the European Commission. There are separate sets depending on whether the receiving party is acting as a “controller” or a “processor”. It is important to note that the SCCs cannot be amended by the parties entering into them: the parties must therefore ensure they are each able to comply with their respective obligations under the SCCs. SCCs are the most widely used method for transferring personal data outside the EEA and are often implemented to govern intra-group transfers as well as transfers of data outside an organisation’s group structure; and
- Binding Corporate Rules (BCRs): The submission to, and approval by, the relevant supervisory authority of Binding Corporate Rules. The supervisory authority is either the supervisory authority of the member state in which the EU entity is based or, if there are several entities in the EU, then it would be the lead supervisory authority (see below for further information on the lead supervisory authority). As the name suggests, BCRs are rules that legally bind those entities to which they apply. They are most commonly put in place for large multi-national organisations that regularly transfer data within the group. Whilst extremely beneficial when in place, Binding Corporate Rules are burdensome for a business as they can be expensive and time-consuming to prepare and have approved (with approval time often taking around 12 months).
So how does Brexit affect data transfers? Post-Brexit, the UK will be a third country for the purposes of international transfers. So, if an organisation based in the EEA wishes to transfer personal data to an organisation based in the UK, the UK will be treated like any other country outside the EEA, such as the US or China: the organisations sending and receiving data will need to ensure there is a valid transfer mechanism in place. Be aware that this applies intra-group as well as to transfers between two different organisations: if, for example, the HR team of a multinational organisation is based in the UK and its French entity regularly sends HR files to the UK, a transfer mechanism will be required between the two entities. The hope is that, in due course, the European Commission will determine that the UK is an “adequate” country and personal data will once again be able to flow freely, but this has not been concluded to date and will not be concluded by 31 January 2020, so the need for transfer mechanisms stands.
With respect to transfers from a UK-based organisation to one based in the EEA, the ICO has confirmed that no immediate action is required. Personal data can continue to flow freely from the UK to the EEA.
If, however, an organisation in the UK wishes to transfer personal data to an organisation based outside the EEA, the current rules – and restrictions – apply as these will be mirrored in the UK legislation i.e. a transfer mechanism will need to be in place. If there is already a valid mechanism in place to deal with a specific transfer, that mechanism will remain valid post-Brexit.
The effects of each route of transfer, as set out above, are summarised in the following table:

| | UK → EU | EU → UK | UK → Adequate | UK → third country |
| --- | --- | --- | --- | --- |
| Post Brexit – No Deal | Free flow continues; no immediate action required | UK becomes a third country; a transfer mechanism is required unless and until an adequacy decision is made | Current rules mirrored in UK legislation; free flow continues | Current rules mirrored in UK legislation; a transfer mechanism is required (mechanisms already in place remain valid) |
| Post Brexit – Deal during Transitional Period | No change: EU law, including the GDPR, continues to apply to the UK for the duration of the transitional period | No change: EU law, including the GDPR, continues to apply to the UK for the duration of the transitional period | No change | No change |
| Post Brexit – Deal after Transitional Period | Free flow continues; no immediate action required | UK becomes a third country; a transfer mechanism is required unless and until an adequacy decision is made | Current rules mirrored in UK legislation; free flow continues | Current rules mirrored in UK legislation; a transfer mechanism is required (mechanisms already in place remain valid) |
It is important to remember that a data flow can exist without being obvious. A data flow need not be a mass transfer of data. It can be incidental and sit alongside something “bigger”, such as the provision of services. If, for example, an organisation in the EU appoints a service provider within the UK and the service provider is given access to data as part of the services (an IT services provider, for example), or a transfer of data is required in order to provide the services (consider a courier in the UK delivering on behalf of the EU organisation), data will be flowing between the two organisations. These are less obvious than the example above of an HR department located in the UK, but they all represent the kinds of data flows that need to be reviewed and accounted for. Data flows regularly occur within business operations and, all too often, organisations are not fully cognisant of what they are and the legal implications that follow.
At this stage, if not already completed, organisations subject to the GDPR and with a UK establishment and/or third party data recipients in the UK should review their data flows immediately to identify whether or not they will be affected by Brexit and whether any transfer mechanisms are required.
Under the GDPR (Article 3(2)), an organisation not established (with no offices, branches or other establishments) in the EU but offering goods or services to individuals in the EU, or monitoring the behaviour of individuals in the EU, must designate, in writing, a representative in the EU. The appointed representative is intended to act as a local points person for individuals and data protection authorities in the EU. Post-Brexit, many UK organisations will satisfy this requirement under the GDPR and therefore such organisations should be acting now to select an appropriate EU representative for their business.
The selected representative must be established in an EU member state where some of the individuals whose personal data is being processed are located. You may recall in the run up to the GDPR that appointing an EU representative was a very common task for organisations based outside the EU, and a number of new companies emerged offering “EU representative services” for a fee. The EU representative can be such a service provider, an individual or another company, but it cannot be the same person or entity as the appointed data protection officer (“DPO”) (an organisation may, for example, use an external service provider as its DPO) or a processor of the UK company.
Post-Brexit, the UK legislation will, per the current government’s intention, state that a controller or processor located outside the UK – but which must still comply with the UK legislation and has no UK establishment – will also have to appoint a UK representative.
Lead supervisory authority
A supervisory authority, like the ICO, is an independent public authority in each EU Member State tasked with enforcing the GDPR and other applicable data protection legislation. Organisations that operate in more than one EU Member State can benefit from the “One-Stop-Shop” principle, meaning a single supervisory authority will act as lead on behalf of the other EEA supervisory authorities. An organisation in this scenario must identify its lead supervisory authority. The lead supervisory authority has primary responsibility for co-ordinating investigations involving multiple Member States, the idea being that businesses only have to deal with one lead regulator. To date, there has been some controversy around the “One-Stop-Shop” principle and the election of a lead supervisory authority, with certain elections having been challenged or, quite simply, ignored, and organisations being investigated or even sanctioned by an entirely different supervisory authority from the one elected as lead. Time will tell whether the “One-Stop-Shop” principle will continue to operate as intended.
Following Brexit, the UK will no longer be an EU Member State and the ICO will therefore not be a supervisory authority for the purposes of the GDPR. So, if the ICO has been identified as the lead supervisory authority under the GDPR for your organisation, you will need to appoint a new lead supervisory authority in the EU. This will likely prove difficult for organisations whose operations, particularly in relation to personal data, are heavily supported or led by the UK establishment. In such a scenario, it is likely the ICO was chosen as the lead supervisory authority due to the organisation’s processing of personal data in the UK being more substantial than in any other EU member state. It may be, for example, that the remaining entities in EU Member States do not process a high volume of personal data, or that it is difficult to distinguish between the levels of processing amongst the entities such that there is no clear lead supervisory authority. A full analysis should therefore be carried out in relation to the data privacy operations of each establishment within the EU and the determination documented. Given that a lead supervisory authority is only required when there are interactions with the regulators, this is arguably a slightly less urgent task than preparing for data transfers but one that must be addressed soon thereafter nonetheless.
Data protection officer
The GDPR requires certain organisations to appoint a DPO to carry out specific tasks, and the UK legislation will have the same requirement. For multinational organisations that have appointed one DPO to serve the group, the ICO has confirmed that, post-Brexit, the same DPO can continue to cover both the UK and the EU. This came as a welcome relief to many organisations that believed they would have to appoint, resource and finance two DPOs. It remains to be seen, however, whether this position will stay the same, and we suggest being mindful of the requirement under each of the GDPR and the UK legislation that the DPO must not have a conflict of interest. If, for example, there is a data breach reportable to both the ICO and a supervisory authority in the EU, the appointed DPO could find himself/herself in a conflicting position due to the tight timeframes imposed by each regulator and internal pressures.
Personal data breach
If an organisation based in the UK which is subject to the GDPR, or a group with entities in both the UK and the EU, suffers a personal data breach post-Brexit, it may find itself having to report the breach to two authorities, i.e. the ICO and a supervisory authority in the EU. The reporting requirements will be the same under the UK legislation as under the GDPR, namely that a personal data breach must be reported to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Reporting should always be considered on a case by case basis, as not every personal data breach will satisfy the reporting test. However, post-Brexit, in addition to applying the reporting test, it will be vital for any organisation described above to analyse whether a notification is required under both pieces of legislation, as opposed to just one. In this analysis, the nature of the personal data affected by the breach (in particular whose data it is and where those individuals are located) will be key to determining which notifications need to be made and to whom. If the breach triggers the notification requirements under both the GDPR and the UK legislation, the organisation may be subject to sanctions, including financial penalties, from multiple authorities. It is unknown, however, to what extent the ICO and an EU supervisory authority would take into account personal data that is arguably outside the remit of their own legislation: whether they would view the breach as a whole or look separately at the UK and the EU data.
It would therefore be useful to consider whether segregation of the UK vs EU personal data is possible – this could lower the chances of a personal data breach affecting both sets of data and triggering both pieces of legislation.
Our key message and advice at this stage is as follows: if not already completed, organisations currently subject to the GDPR with a UK establishment or UK third party data recipients should carry out a data privacy compliance review to confirm where action is required in the business and implement an action plan accordingly. Brexit provides the perfect opportunity to review data privacy compliance.
With the next deadline being 31 January 2020, this does not leave a long time to prepare. However it should be enough time to identify the key risk areas, and organisations should be working towards this deadline to implement actions and avoid potentially breaching two pieces of legislation.