The immediate and direct legal impact of Brexit for data protection will be limited, as the terms of the Withdrawal Agreement mean that the status quo will be broadly maintained until the expiry of the withdrawal period.
The impact, and when it occurs, will vary according to whether there is a deal on the future relationship with the EU to come into effect at the end of the implementation period (currently 31 December 2020), and the nature and extent of any such deal (e.g. what products and services are covered). The possibility of a no deal exit (i.e. no agreement on the future relationship) remains.
While the issue of the trade deal is attracting most press attention, progress is also being made with regard to data transfers. The European Commission’s Task Force for Relations with the United Kingdom has published slides on the internal EU27 preparatory discussions on the future relationship: “Personal data protection (adequacy decisions); Cooperation and equivalence in financial services”.
In the slides, the Task Force states that ‘the European Commission will start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom’s withdrawal [i.e. 31 January 2019], endeavouring to adopt decisions by the end of 2020, if the applicable conditions are met.’ Despite occasional contradictory posturing from the EU over the last 12 months, adequacy certainly now seems to be the aim of both the European Commission and the UK government, given that the ‘intended depth of future partnership with the UK in law enforcement and judicial cooperation in criminal matters would be facilitated by an adequacy decision’ (notwithstanding the benefits that would also be conferred on businesses in both areas). Indeed, the UK has also already committed to take unilateral steps to ensure the facilitation of transfers of personal data to the EU.
Subject to politics (!), we should therefore expect, assuming the continued goodwill of both parties, to have an adequacy decision in place by the end of this year. This would mean that data flows between the EU and UK could continue uninterrupted at the end of the implementation period on 31 December 2020, without the need for businesses to review their data flows and introduce alternative legal mechanisms where necessary. A day is a long time in politics, and a year even more so, but one hopes that international data flows between the EU and the UK will be able to continue unimpeded after the implementation period has ended.
Lead Supervisory Authorities and Representatives
From 1 February 2020, the ICO will no longer be able to act as a Lead Supervisory Authority (LSA) for the purposes of cross-border data issues under the GDPR regime. Businesses that currently regard the ICO as their LSA need to reconsider which EU supervisory authority will be their LSA going forward. If they cannot demonstrate a main establishment within the EU, they may not benefit from an EU-wide ‘one stop shop’ for their GDPR compliance.
Equally, UK-based controllers/processors without a suitable establishment in the EU may have to designate an EU-based representative for GDPR compliance purposes, and update documentation (e.g. privacy notices, records) as necessary (this would also apply to overseas businesses that had previously appointed an EU representative based in the UK).
What actions can be taken?
- Reword privacy notices where necessary to reflect the fact that the UK is no longer in the EU
- Wait to see if the UK secures an adequacy decision, and consider alternative transfer mechanisms if this appears unlikely
- Review your LSA and representative status and consider alternative locations