Nearly three years after Great Britain began its exit from the European Union (EU), the original departure deadline of March 29, 2019 has passed. A two-week extension was originally granted when a withdrawal agreement was not approved by the House of Commons, but once again, that time allowance was not long enough for the British Parliament to ratify an agreement. An emergency European Council summit was held in April to consider another extension request from Theresa May, the British Prime Minister at the time. European leaders offered October 31, 2019 as the ultimate deadline to find a solution.
Ultimately, the United Kingdom (UK) will leave the EU, unless a motion from Labour party leaders supporting another public Brexit referendum is successful. With that outcome being unlikely, the big question is whether or not this extension will allow for a successful “soft” Brexit. The EU will not let the UK leave easily (i.e., it won’t be able to keep all the luxuries it benefitted from as an EU Member State), making it an example for all other countries considering a separation (like Italy and Spain). Former Prime Minister May’s goal was to achieve a seamless deal and an orderly exit from the EU, but many Brexiteers are furious at the idea of another delay, and many British government leaders are eager to have this act finalized. As time has passed, deals have been vetoed, tensions have risen, and Great Britain has found itself in limbo.
But what do all these changes mean for data protection? October is not far away, leaving little time to make significant changes or hold new referendums. In addition, data protection is not a main concern at this point, leaving privacy leaders and organizations to speculate about the future. Regardless of the final outcome, the UK will no longer be governed by the GDPR after Brexit. Of course, Great Britain has been operating under the GDPR and has data protections in place, so obtaining an adequacy agreement is possible. But there are still many questions. What does Brexit mean for organizations using the ICO as their DPA? When will adequacy be granted? How can companies start preparing for these changes? In this post, we’ll look at how Brexit may impact data protection around the globe, the likelihood of an adequacy deal, and how to start preparing for these changes.
Will the UK Achieve an Adequacy Agreement after Brexit?
With this six-month extension, how the UK will leave the EU is still largely unknown, leading to increased concerns around data protection. Regardless of the details of the final deal, an adequacy agreement will be required to maintain the flow of data between the EU and the UK. While the UK is currently GDPR-compliant, an adequacy agreement will not automatically be established after Brexit takes effect. Adequacy will only be granted if the EU deems Britain’s data protection standards equivalent to the standards of the GDPR and other EU legislation, a process that could take months or even years to finalize.
Unfortunately, achieving adequacy will not be a quick process after Brexit. A handful of countries have been considering a split from the European Union, and the European Commission intends to make an example out of Brexit to prevent any further separations. Rather than receiving expedited treatment, the UK’s data protection laws will be subjected to the same high level of scrutiny as those of any other third country.
However, the effects of Brexit on data protection will likely not be felt immediately after October 31st. If the EU and the UK settle on an amicable Brexit deal, the UK will enter a transition period (set until December 31, 2020, as of now) to establish a new long-term trade deal. During this shift, the UK will continue to abide by all EU data protection rules, and personal data will continue to flow freely between the two. The EU will also use this time to determine if the UK’s data protection practices are equivalent enough to achieve an adequacy agreement. Unfortunately, in a “no-deal” Brexit scenario, there will not be a transition period in which to achieve adequacy. In this situation, businesses will need to have safeguards in place to transfer such data appropriately, like standard contractual clauses (SCCs), binding corporate rules (BCRs), or consent mechanisms agreed with data subjects.
Potential Solutions Following a "No-Deal" Brexit
Personal data has flowed freely from the EU to the UK under the GDPR, but if the UK leaves without a deal, this transfer of personal data will require a cross-border data-transfer mechanism. While UK residents’ data would be able to leave the UK without any problems, transferring EU residents’ data to the UK will be more difficult. Potential solutions include:
Standard Contractual Clauses (SCCs)
Standard Contractual Clauses (SCCs) are an alternative safeguard set out by the GDPR to allow for the continued transfer of data without an adequacy agreement. They are standard sets of terms and conditions that both the sender and the receiver of the personal data agree to in business contracts. These clauses can be used to protect personal data when it travels into the UK. The ICO offers an SCC tool for small- to medium-sized businesses looking to maintain the flow of personal data between the EU and the UK.
Binding Corporate Rules (BCRs)
Organizations can use Binding Corporate Rules (BCRs) to transfer EU data subjects’ personal data to countries outside of the EU, provided that they comply with a set of privacy principles and additional rules under the GDPR. They ensure all data transfers to a specific organization are aligned with the standards of the GDPR. BCRs are supervised by a data protection authority (DPA). Companies currently using the ICO to manage their BCRs should consider a switch post-Brexit. Although this mechanism can cover the totality of an organization’s processing activities globally, it is extremely burdensome and not often used.
Consent in Cross-Border Data Transfers
In the absence of an adequacy agreement or appropriate safeguard (like SCCs and BCRs), consent can be provided by a data subject for the transfer of data across borders (e.g., EU to UK post-Brexit). An individual can give explicit consent to authorize the proposed data transfer, but they must be informed of the possible risks to their personal information without adequate protections in place. This type of consent requires detailed record-keeping of the consent obtained, along with the relevant internal processes and procedures put in place. The individual can also withdraw this consent at any time, which makes this option a last resort for most organizations. Because consent can be withdrawn at any time and a consent management program can be a hefty burden, consent is not a practical option in many situations.
Privacy Shield Updates for Brexit
Through participation in the Privacy Shield program, U.S. companies certify that they maintain privacy standards on the same level as the EU, and thereby gain the ability to receive personal data transfers from the EU. Following Brexit, the UK will no longer be a part of the EU, which would make the Privacy Shield invalid for U.S.-UK data transfers; however, the U.S. Department of Commerce has made provisions for this outcome. There are two possible scenarios, depending on whether or not there is a Brexit deal.
- Brexit Agreement: As said before, should the EU and the UK reach a deal, a transition period will be put in place, and the existing program will remain intact and unchanged until that time is over. At that point, U.S. companies must have updated their public commitments to specifically state that their privacy agreements extend to data received from the UK as well.
- No-Deal Brexit: U.S. companies will only be able to import data from the UK if they have updated their Privacy Shield commitments by the final leave date, which is October 31, 2019, as of now.
Considerations for Organizations with the ICO as their DPA
The ICO has warned companies for months to prepare for a “no-deal” Brexit to ensure the unrestricted flow of data. But with a new, generous deadline in place, both the UK Parliament and organizations operating in the UK and EU have additional time to plan accordingly. Although former Prime Minister May refused to leave the EU without a deal, businesses should begin planning for this possibility, mapping their data flows, and determining which measures will best support lawful data transfers.
Currently, the Brexit transition period is set from October 31, 2019 to December 31, 2020, but this 2020 date is likely to be extended as well. During this period, the GDPR will continue to apply, creating a window for companies who have used the ICO as their DPA to determine whether or not to switch. Organizations facing this dilemma should focus on the following:
- Remaining up-to-date on current data protection modifications related to Brexit;
- Maintaining GDPR compliance; and
- Considering the possibility of identifying a new EU Member State DPA as lead supervisory authority.
Since the UK is currently committed to meeting the high standards of data protection of the GDPR, its government has already incorporated the requirements into law as necessary under the GDPR. However, as mentioned earlier, the UK will not receive immediate adequacy status, so preparing for change will be necessary. UK and US businesses that have been operating in the UK will need to review their organization’s data flows and begin to prepare for a significant change.
Parallel Compliance Regulations
If the UK ends up leaving the EU, the move will create two parallel privacy compliance requirements. So, even if an organization is complying with the GDPR, it must also ensure it is complying with any UK requirements if any personal data belongs to UK residents. Although the compliance measures created for the GDPR will suffice for UK compliance, certain requirements (like identifying the organization’s DPO) will need to be met both with the EU DPA and with the ICO in the UK.
Although the new extension runs for another six months, UK government leaders do not want the Brexit discussion to go on that long. In the meantime, a deal, no deal, and no Brexit are all within the realm of possibility. But while the future of Brexit is still up in the air for another few months, organizations should take advantage of this extra time to prepare for an inevitable change in the data protection landscape.