January 2020 update - Firms should consider the implications of Brexit for the cross-border transfer of personal data

The free flow of personal data across borders between EU member states has been the norm for many years. Brexit will, however, affect these arrangements.

The UK will leave the EU on 31 January 2020 at 11 pm ("exit day"), unless the EU and UK agree to extend the Article 50 period yet again, which now seems unlikely. The UK will most likely leave with a deal and a transition period running to 31 December 2020, provided the UK and EU complete the ratification procedures by exit day.

There remains a slim prospect of leaving without a deal if the government's Withdrawal Agreement is not ratified by exit day and there is no fourth extension. Note that the Conservative Party's general election manifesto (published in November 2019) stated that there will be no extension. Businesses should, therefore, remain conscious of the risk of a no-deal Brexit.

Businesses should consider and plan for the eventual end of the transition period in the context of data protection compliance. This is of particular relevance to those businesses that intend to provide their products and services into the EU and that process the personal data of EU data subjects in the course of doing so.

What will be the position as regards data protection during the transition period?

The Withdrawal Agreement as agreed between the EU and UK (under Boris Johnson's leadership) provides for a transition period running until 31 December 2020. During this period EU law will continue to apply in the UK, including the EU's General Data Protection Regulation 2016 ("GDPR"). References to EU "member states" in GDPR will therefore be deemed to include the UK. Specifically, the Withdrawal Agreement states that the EU will not treat personal data passing to or from the UK any differently from personal data passing between the remaining member states. Note that a similar draft separation agreement now also exists for the European Economic Area (i.e. covering Norway, Iceland and Liechtenstein).

When EU law ceases to apply in the UK (on exit day in a no-deal scenario, or otherwise at the end of the transition period), the European Union (Withdrawal) Act 2018 will repeal the European Communities Act 1972 and simultaneously transpose the EU GDPR onto the UK statute book, making it domestic legislation. Parliament has also passed the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419). These regulations amend GDPR, the UK's Data Protection Act 2018 and other data protection legislation so that the UK data protection framework functions correctly once EU law no longer applies. Together they create a domestic legal framework for data protection once the UK has left the EU and the EEA. In principle, the resulting laws will be equivalent to those of the EU (we refer to this as "UK GDPR").

What will happen at the end of the transition period?

The Withdrawal Agreement envisages that during the transition period an agreement will be negotiated between the EU and UK which will govern more formally how personal data can be transferred between the UK and remaining member states after the transition period ends. The most likely arrangement will be by way of an adequacy decision. This is a decision made by the European Commission that a country outside of the EU offers an adequate level of data protection. The European Commission has said that it will endeavour to adopt a decision regarding the adequacy of the UK's data protection laws by the end of 2020.

Former Prime Minister Theresa May also said during her premiership that Parliament would have the opportunity to scrutinise, amend, repeal or improve any aspect of EU law in the future. Boris Johnson has made similar statements more generally, indicating that he favours a "looser arrangement" as regards laws and equivalence. However, we believe significant divergence in data protection law to be unlikely, or at least limited, not least because the UK will need to demonstrate "equivalence" in its data protection laws in order to secure an adequacy decision covering transfers of personal data between the UK and the EU once the transition period ends.

What are the consequences of the UK being a "third country"?

If Boris Johnson's Withdrawal Agreement with the EU is not ratified (a "no-deal Brexit"), there will be no transition period. From 23.00 on 31 January 2020, the UK will no longer be a member of the EU and will become a "third country". If the Withdrawal Agreement is ratified, the UK will be treated as a "third country" for the purposes of GDPR when the transition period ends on 31 December 2020.

Within the UK, the Data Protection Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, would continue to apply so as to create "UK GDPR". However, this does not address how easily UK and EU member state businesses can transfer personal data between their respective countries. Being a "third country" will have a direct impact on UK businesses that provide services in the EU and process the personal data of EU data subjects.

As referenced above, the expectation is that the UK will benefit from an adequacy decision by the end of the transition period and this will ensure that UK businesses can continue to process EU data subjects' personal data in the UK in the context of their business in the EU.

If an adequacy decision is not granted by the end of the transition period, the implications for transfers of personal data from the EU to the UK will be much the same as in a no-deal Brexit. The UK will be a third country with no adequacy decision in place, and GDPR will apply to any UK firm seeking to do business in the EU. GDPR will also govern any transfer of EU data subjects' data out of the EU, whether made by UK or EU businesses. Such businesses will need to ensure that "appropriate safeguards" (in the GDPR's terminology) are in place to govern any transfer of personal data to the UK. This means using either:

  • the standard contractual clauses appropriate to the relationship between the entity in the EEA and the entity in the UK;
  • binding corporate rules covering the UK-based company as part of an international group of companies that shares personal data across the group. If these were in place before the exit date they will continue to be effective, but note that they would need to be updated to reflect that the UK has become a third country; or
  • one of the other limited derogations.

What about the reverse position, i.e. cross-border transfers of UK data subjects' personal data? The UK government has said that when the UK leaves the EU, UK data subjects' personal data may still be transferred from the UK to the EU (for example to EU service providers), although this will be kept under review. UK-based businesses looking to continue transferring personal data outside the UK and the EU (for example to the USA) will have to implement "appropriate safeguards", as they do now; however, this would be governed by UK GDPR rather than EU GDPR.

For transfers to and from a country that has the benefit of an EU adequacy decision (e.g. the USA for businesses certified under the EU-US Privacy Shield program, Canada, Israel and others), the position is not yet as clear. The UK's Information Commissioner's Office ("ICO") expects that the UK government will begin the process of making alternative arrangements for transfers between these countries and the UK. Until those arrangements are made, UK-based businesses will need to ensure that they comply with the requirements of those countries' own laws on transferring personal data.

EU-US Privacy Shield

The EU-US Privacy Shield is an agreement between the EU and the USA; once the UK leaves the EU it will no longer be a party to that agreement in its own right. However, guidance has now been issued on the application of Privacy Shield in the event that a transition period is entered into. During that period, Privacy Shield would continue to apply to transfers of personal data from the UK to US companies certified under the Privacy Shield program.

The US Department of Commerce has published FAQs outlining the steps US participants in the EU-US Privacy Shield must take to continue to receive UK personal data after Brexit. In order to continue to receive personal data from the UK in reliance on the Privacy Shield, participants must update their Privacy Shield commitments by the exit date to state specifically that their certification extends to the UK. Note that there are additional requirements where the data being transferred is HR data. Before transferring personal data, UK businesses will need to check that the recipient has made these updates.

Risk of double the fines

When a UK organisation is carrying out cross-border processing (for example, a retailer that has a physical location in the UK, but sells via the internet to other EU countries) it currently benefits from the 'One-Stop-Shop' system under GDPR. This means that one supervisory authority will act as a lead on behalf of the other EU supervisory authorities. At present, if the UK business were in breach of the GDPR, it would be investigated by one authority and issued with one fine across the EU.

On expiry of the transition period (or in the event of a no-deal Brexit), the above example would no longer amount to cross-border processing within the EU and the 'One-Stop-Shop' system would no longer apply. In the event of formal action by supervisory authorities, businesses would have to engage with both the ICO and the relevant EU supervisory authority. More significantly, they would risk receiving more than one fine: for example, if the UK business sells in the UK and France and a data breach occurs, the ICO could investigate and fine the business, and so could the French supervisory authority. The ICO has confirmed that it is awaiting guidance from the European Data Protection Board on this type of scenario.

Transfers under UK businesses' current contracts and privacy policies

Businesses should identify existing relationships, including those with suppliers and group companies, which involve the international transfer of personal data. Companies should review any relevant international transfer provisions and/or mechanisms and assess whether any amendments may be needed to cater for Brexit.

Many contracts and privacy policies refer to transfers of personal data within or outside the EEA or EU. Once the UK is outside the EU and EEA (at the end of the transition period, or on exit day in a no-deal scenario), personal data processed in the UK would inevitably be processed outside the EEA or EU, and this may be inconsistent with such provisions. Businesses should ensure that such documentation is updated in light of the Brexit arrangements.

The future?

The timescales and procedure for exiting the EU are now becoming clearer, particularly following the election, with the current government having a significant majority in Parliament. However, the "how" remains uncertain. Businesses should plan for the various eventualities and monitor the position as regards cross-border transfers of personal data.

For further advice on this topic, please contact Tom Torkar, Partner in Michelmores' Commercial team.