Introduction

On 29th March 2017, the UK government gave formal notice to the President of the European Council of its intention to leave the EU, triggering Article 50 of the Treaty on European Union (TEU) and beginning the process of the UK’s withdrawal from the EU. The UK is now set to leave the EU on 31st October 2019, or “Exit Day”, as defined in section 20 of the European Union (Withdrawal) Act 2018. All EU treaties will cease to apply to the UK from this date.

However, given the current uncertainty in Parliament, in particular the recent passing of the “Benn bill” (which requires the UK Prime Minister to seek an extension from the EU in order to avoid a no deal Brexit), this date is very much subject to change.

At the time of writing the UK government and the EU have expressed a common interest and purpose in concluding a withdrawal agreement, which would include a “transition period” during which the parties would seek to agree a comprehensive free trade agreement and the UK would continue to be subject to EU law, including the GDPR.

It is assumed that a “transition period” agreed as part of any “new” withdrawal agreement would be a two year period beginning on Exit Day (the same transition period agreed as part of the previous withdrawal agreement negotiated by former Prime Minister Theresa May and rejected by the UK parliament).

In the absence of a (very unlikely) political decision to revoke Article 50, the UK will leave the EU either without a withdrawal agreement in place (on “Exit Day”, i.e. a no deal Brexit) or at the end of an agreed transition period defined within a withdrawal agreement (the “Withdrawal Date”).

However, it is important to understand that whether Brexit occurs on the Exit Date (because a withdrawal agreement could not be achieved) or at the end of an agreed transition period, the EU GDPR will cease to apply and the GDPR will be incorporated into UK law (“UK GDPR”).

Although the UK GDPR will seek to maintain the fundamental principles, rights and obligations of the EU GDPR, its implementation into UK law will require controllers of personal data to consider a number of issues, including the following:

International Data Transfers

GDPR restricts the transfer of personal data to third countries outside of the EEA unless the conditions and appropriate safeguards specified in Chapter V of the regulations have been met and/or implemented.

Should the UK leave without a withdrawal agreement, then from the perspective of the EU the UK will become a third country. From a UK GDPR perspective the EU/EEA would also become a third country, to which the transfer of UK personal data would, theoretically at least, be prohibited. However, the UK government has indicated that it will legislate to transitionally recognise the EU/EEA as adequate. At this time it appears unlikely that the EU is prepared to do the same.

Controllers and processors should therefore re-examine the mechanisms they use to legitimise international transfers to and from the EU. Mechanisms used to legitimise any “onward transfers” of personal data originally transferred from the EEA to the UK (and vice versa) should also be reviewed.

Compliance with UK and EU GDPR

UK based organisations that process personal data in the UK and the EEA should review their cross-border data processing operations to understand how these will be affected by Brexit. For example:

  • Organisations based in the UK, but with offices/branches in the EEA or which (if not so established) are offering goods or services in the EEA or monitoring the behaviour of EEA individuals, will need to comply with both the UK and EU GDPR; and
  • Organisations based in the EEA, but with offices/branches in the UK or which (if not so established) are offering goods or services in the UK or monitoring the behaviour of UK individuals, will also need to comply with both the UK and EU GDPR.

Supervisory Authorities

From the Exit Date (remember that this is the date the UK exits the EU without a withdrawal agreement) the UK Data Protection Authority, the ICO, will no longer be a part of the “one stop shop” for resolving cross-border data protection issues. Controllers or processors of personal data that engage in cross-border processing currently only have to deal with a single lead EEA supervisory authority for their “main establishment”, i.e. the EU member state where the head office is situated. Following the Exit Date, businesses operating across the UK and EEA may have to deal with the UK ICO as well as multiple EEA supervisory authorities. It goes without saying that should the UK exit the EU with a withdrawal agreement in place, one would expect this particular issue to be discussed and resolved during the transition period.

Consents and Transparency

Consents obtained prior to the Exit Date should be reviewed to determine their continuing validity. Given the change in the UK’s status from a member of the EU to a third country, consents obtained prior to Exit Day may no longer be specific and/or informed as required by the GDPR.

Regulatory Fines

It was mentioned above that from the Exit Date the UK and EEA will each have separate data protection regimes. Each regime will have its own system of administrative fines; currently, fines can reach up to €20m or 4% of annual worldwide turnover, whichever is greater. Post Exit Date, both the ICO and EEA supervisory authorities could levy separate fines in respect of the same data protection breach, thereby in theory doubling the potential exposure of controllers and processors.

Summary

The above are just some of the issues controllers and processors of personal data will have to address following the UK’s withdrawal from the EU, particularly if the UK’s departure is without a withdrawal agreement. Organisations should prepare by reviewing their international contracts (to identify any provisions that may need to change), data flows, international transfer mechanisms, records of consent, privacy policies and data protection impact assessments to ensure that they remain compliant from the Exit Date or, if later, the Withdrawal Date.

However, as with all things Brexit, no one can really predict what could happen next and circumstances can change in a matter of hours, days or weeks, so stay prepared and watch this space!