If the United Kingdom (UK) leaves the European Union (EU) on the basis of a withdrawal agreement – ‘Brexit with a deal’ – data transfers between the EU and the UK will be much easier than without a deal … at least for a while. Our data protection guide specifically for the Brexit with a deal scenario explains the most important facts you’ll need to know moving forward (see this article for the no-deal Brexit scenario).
In case the UK and EU agree to sign the withdrawal agreement as negotiated by the end of 2018, or if a new deal is approved, a so-called transition period is likely. During this timeframe, the General Data Protection Regulation (GDPR) will continue to have a direct effect, and data flows will not be immediately affected. Nevertheless, by the end of the transition period, the UK will become a ‘third country’ according to the GDPR, with far-reaching implications for data protection.
Scope of application of the GDPR
The GDPR has an extraterritorial effect on both private and corporate data protection. It stipulates the rights of data subjects and applies to all businesses that process the personal data of people in the EU within the scope of offering goods or services or monitoring behaviour. As stipulated in Article 3, GDPR compliance is mandatory for all such businesses, irrespective of their physical location.
After the UK leaves the EU, Articles 44–50 of the GDPR will regulate data flows with the UK as a third country (see our guide on Brexit and the GDPR).
With a withdrawal agreement, a transition period is expected, which is meant to ensure that data flows between the UK and the EU remain undisrupted. During this specific timeframe, the UK is committed to applying EU data protection laws, thus leaving UK-EU data transfers unaffected. Consequently, from a data protection perspective, the UK will continue to be treated as an EU Member State until the end of the transition period.
After the UK’s status changes to that of a third country, data transfers between the EU and the UK will require a specific legal basis. The most feasible solution for this will be an adequacy decision, which the Commission grants if it decides that the third country can ensure a sufficient level of data protection, as envisaged in Article 45 GDPR. As a result, the transition period will provide the UK with the necessary time to establish an international data transfer policy and for UK businesses to ensure they are GDPR compliant.
The situation after the transition period might remain the same as in a no-deal scenario. However, a transition period will give the UK and EU more time to negotiate a legitimate basis for data transfers with the aim of protecting UK businesses from facing immediate data transfer restrictions. After the transition period, the GDPR will no longer directly affect the UK. Instead, the UK’s data protection policy will be based on the ‘UK GDPR’, i.e. amended UK data protection legislation to implement the GDPR and the Data Protection Act 2018, and the extraterritorial effect of the ‘EU GDPR’. In order to ensure continued compliance with the GDPR after the transition period, UK businesses will be required to appoint an EU representative in the Member States where they wish to operate.
The Information Commissioner of the United Kingdom (ICO) is the UK’s independent supervisory body responsible for monitoring compliance with the GDPR and will maintain its mandate during the transition period. It will retain representation rights on the European Data Protection Board (EDPB) for matters affecting the UK but will no longer have any voting rights.
In the post-transition period, the UK will have third-country status within the EU, and its role within the EDPB will cease. However, as the UK data protection policy is expected to be in line with the GDPR, current regulations and recommendations will remain in effect. Thus, UK businesses may continue to follow guidelines provided by the ICO, which will also review and update specific recommendations where necessary.
Recommendations for UK businesses
We recommend that UK businesses carefully follow developments in the Brexit negotiations and prepare for all scenarios. Whether the UK and the EU sign the withdrawal agreement or agree on a new deal, a transition period will provide sufficient time to negotiate and decide on an adequacy decision, which should allow for data transfers as with any other EU/EEA Member State.
On this basis, the ‘UK GDPR’ and the ‘EU GDPR’ will comprise the applicable data protection laws for UK businesses that exchange personal data with the EU. We also advise UK businesses operating inside the EU to ensure that adequate, GDPR-compliant data protection safeguards are prepared now. In addition, guidelines and recommendations made by the ICO will continue to be a useful resource for UK businesses to remain GDPR compliant.
Lastly, the EU Court of Justice is currently examining the legality of EU Standard Contractual Clauses (SCC) – and the EU-US Privacy Shield – as a legal basis for data transfers outside the EU. The outcome is uncertain, but there is a substantial risk that SCC may no longer be considered a sufficient legal basis. We recommend that all UK businesses follow the developments of this subject matter very closely.