In July of this year, British Prime Minister Theresa May released a draft withdrawal agreement, detailing the United Kingdom’s (UK) exit from the EU (commonly known as "Brexit"). The draft includes provisions on UK citizens’ rights post-Brexit and the GDPR’s continued applicability throughout this transition period.
The draft, however, does not address how the UK will implement data protection policies equivalent to the GDPR, or the responsibilities assigned to the UK’s data protection authority (DPA), the Information Commissioner’s Office (ICO). The ICO is viewed as a leader on the European Data Protection Board (EDPB) because of its expertise, thorough guidance, and strict adherence to the GDPR. Because of the UK’s position in global business, it is critical that non-EU organizations are aware of the data protection requirements that may go into effect when the Brexit transition ends on January 1, 2021. This post looks at possible data protection outcomes of Brexit, how Brexit may affect the ICO’s EDPB role, and what options are available to U.S.-based organizations that chose the ICO as their DPA.
The Impact of Brexit on Data Protection
While discussions are still ongoing, privacy experts around the globe are speculating about the post-Brexit outcomes for UK data protection legislation. The following are all possible scenarios, ranked by likelihood of occurrence:
Most Likely: Soft Brexit
The UK remains in the European Economic Area (EEA) and abides by the GDPR to its fullest extent. For this to be possible, the UK must accept the vast majority of EU legislation outside of the GDPR. This would ensure the ICO stays in its current role on the EDPB. This outcome would be the most beneficial to organizations, because it would provide seamless accessibility across the European marketplace. In this scenario, organizations outside the EU may opt to transfer personal data under contractual clauses and binding corporate rules (BCRs), which are essentially adequacy agreements for non-EU organizations (provided they have the required levels of data protection in place), or to comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, if adopted.
Less Likely: "Semi-Soft" Brexit
The UK withdraws from the EEA and remains a member of the European Free Trade Association (EFTA). This arrangement would ensure the free flow of personal data between the EU and UK, and a role for the ICO on the EDPB, though a significantly reduced one.
Unlikely: Hard Brexit
The UK moves to make all prior arrangements with the EU obsolete. In this scenario, the UK adopts a more business-friendly version of the GDPR, dubbed “GDPR-lite” by many, which would ease compliance requirements and lower non-compliance penalties. Though some privacy experts believe this situation is possible, Elizabeth Denham, the ICO Commissioner, has stated that “although Brexit will occur, data protection standards with the GDPR will continue to align,” leading many to think this outcome unlikely. In this scenario, the UK Parliament would be charged with establishing individual agreements with EU Member States in order to continue legal data transfers between them. This would affect non-EU organizations that selected the ICO as their DPA under the GDPR, as the ICO would no longer be able to enforce or assess GDPR compliance.
Scenarios 2 and 3 outline the possibility of the UK separating from the EDPB, which gives non-EU organizations significant cause for concern, as they may have to alter their compliance programs if another DPA takes over the ICO’s leadership position.
Brexit's Impact on the ICO
The ICO is a central actor in EU data protection legislation, ensuring safe data transfers outside the EEA under BCRs, providing implementation guidance, and investigating complaints. The ICO also conducts reviews and approvals for over 25% of non-EU organizations seeking adequacy status. As Brexit nears, the ICO’s role is subject to change. Once Brexit becomes effective on March 29, 2019, it will significantly limit the ICO’s influence regarding data protection initiatives and responsibility for managing GDPR compliance across the EU.
Considerations for Organizations with the ICO as their DPA
Because Brexit will go into effect in less than four months, many privacy experts believe that the UK will not completely reject the GDPR. Nevertheless, organizations outside the EU that have selected the ICO as their DPA should begin to consider these possible outcomes and how they may impact their compliance programs.
The European Commission has announced a Brexit transition period from March 29, 2019, to December 31, 2020, creating a window for companies to prepare and make a decision on whether or not to change DPAs. Organizations in this predicament should focus on the following:
- Remaining up-to-date on current data protection modifications related to Brexit,
- Maintaining GDPR compliance, and
- Considering the possibility of appointing a new EU-member DPA.
Non-EU organizations processing and collecting EU data subjects’ personal data must still comply with the GDPR and select a DPA that ensures accountability and compliance. Because, under the GDPR, organizations select their DPAs based on the locations where the organization offers goods and services or where its data subjects reside, a “hard Brexit” could force a major shift in how the EDPB handles compliance and may affect U.S. organizations that have selected the ICO as their DPA. Many organizations may decide to select a new DPA for continued access to the European market.
It is important to note that as the UK transitions out of the EU, the GDPR will continue to apply until the Brexit transition is completed on January 1, 2021. Brexit may change the UK’s data protection policies, but its central goal will remain the same as the GDPR’s: to provide citizens and residents with the confidence that their personal data is secure. Non-EU organizations should closely monitor the UK’s data protection plans to keep their privacy and security programs aligned and avoid significant adjustments down the road.