On 23 June 2016, the UK voted, by a narrow margin, to leave the European Union (EU). Nine months later, prime minister Theresa May invoked Article 50 of the Treaty of the European Union, thus commencing formal negotiations for the UK’s departure from the EU. Assuming there are no extensions, the possibility of which has been...
discussed, the UK is expected to leave the EU on 29 March 2019 at 11pm.
During the negotiation period, the EU’s General Data Protection Regulation (GDPR) was enshrined in UK law with the Data Protection Act 2018. Broadly welcomed by the majority, GDPR was brought about because existing data protection laws had become woefully outdated. The previous version of the Data Protection Act was enacted in 1998; a time when there were no smartphones, social media or widespread internet.
GDPR brought massive changes to data protection legislation and expanded what was expected of data controllers and data processors. One of the biggest changes brought about by GDPR is that organisations must now have technical measures that enforce their data sharing policy.
“You used to have a contract that said you would not misuse data, but GDPR says you now must have technology in place that prevents the misuse of data,” says Gary Lefever, CEO of Anonos.
As the internet has become an integral part of our society, data protection has become a legislative necessity to ensure the sharing of personal information is conducted in a fair, secure and responsible manner. The requirements for data storage, sharing and processing have been articulated in the GDPR, which is necessary reading for any company with any form of online presence.
According to both the GDPR and the UK Data Protection Act 2018, when a country leaves the EU, it will cease to be covered by the GDPR, and as such will be considered as a third country, which is any country or territory other than an EU member state.
A third country designation means EU countries will be unable to share data with that country, unless an adequacy assessment has been undertaken, legislative measures have been put in place, or each transfer of data is covered by a data sharing contract that has been approved by the European Commission.
Read more about Brexit and data protection
- Members of Parliament should back EU Withdrawal Agreement, says industry.
- Lords urge Brexit negotiators to reach agreement on security.
- UK surveillance laws a potential ‘sticking point’ post-Brexit.
- The EU General Data Protection Regulation will still apply to UK companies dealing with the EU, regardless of whether the UK remains in the union.
We have already witnessed the possible repercussions of this. Shortly after GDPR became fully enacted, some US websites began blocking access to their pages to EU-based visitors, as those websites had not adequately prepared and did not wish to fall foul of GDPR.
With less than half a year to go before the deadline, the UK government is still negotiating the withdrawal bill with the EU. However, much of the focus is on “hot topics”, such as what will happen to the Irish border when the UK leaves the EU, rather than on the technical details.
A spokesperson for the Information Commissioners Office (ICO) says: “The ICO is planning for a number of scenarios, including ‘no deal’. We are preparing practical advice for organisations should that be needed, to ensure the free flow of personal data.”
On the evening of 14 November 2018, prime minister Theresa May announced the draft withdrawal agreement. Despite the flurry of ministerial resignations that followed, we finally had a glimpse of what the UK’s future data protection policies are anticipated to be like.
Article 71 of the draft withdrawal agreement states: “Union law on the protection of personal data shall apply in the United Kingdom in respect of the processing of personal data of data subjects outside the United Kingdom.”
The draft withdrawal agreement suggests there will be a transitional period from when the UK leaves the EU until 31 December 2020. At that point, it is envisioned the protection of personal data will become “essentially equivalent” to that of EU law.
“It looks like there will be business as usual during the transitional period, and by the end of which some other basis for data sharing could be in place, such as an adequacy decision,” says Anthony Lee, data protection expert and partner at DMH Stallard.
“The withdrawal agreement also talks about ‘essentially equivalence’ to give the European Commission the flexibility to grant adequacy status even if there are some differences between the laws of the country in question and the GDPR.
“In this regard, the GDPR allows member states to introduce local rules in a number of areas (known as derogations) and the UK Data Protection Act 2018, which brings in the GDPR, has taken advantage of this.
“Under the essential equivalence principle, I would hope that the differences which are inherent in the derogations would not be fatal to an adequacy assessment,” he says.
The optimal solution would be that, as part of the negotiations, the UK gains an adequacy assessment before the conclusion of the transition period. This would mean data sharing between EU and UK organisations would continue as before and require no further contractual or legislative measures to be undertaken. Countries that have gained an adequacy assessment include Argentina, Israel and New Zealand.
Article 45 of GDPR states that: “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.”
Currently, an adequacy assessment can take place only when a country is classed as a third country. Thus, for the UK to gain an adequacy assessment, it would first need to leave the EU, although this could be incorporated into the transition phase.
In the UK’s favour is that the GDPR has been enshrined into UK law, as part of the Data Protection Act 2018, thus the UK already meets many of the legislative requirements for the adequacy assessment.
“Our argument is that we have implemented the regulation lock, stock and barrel, by dint of the Data Protection Act 2018,” says Lee. “If our data protection laws are considered sufficiently robust as to give us the adequacy status, we would be on the same basis as other approved countries, such as Argentina.”
An adequacy assessment takes into account the country’s rules of law, the existence and effectiveness of the independent advisory authorities, and other relevant legislation. It is this latter aspect that may prove a potential hurdle for the UK.
However, a subsequent high court case brought by Liberty concluded some aspects of the IPA were also unlawful and that these issues would need to be addressed by 1 November 2018. Lord Justice Singh concluded the hearing, stating: “Part 4 of the Investigatory Powers Act 2016 is incompatible with fundamental rights in EU law.”
It has been posited that an adequacy assessment could require a softening of the IPA before the adequacy status is granted.
“My personal view is that we may well have a strong hand in being able to achieve adequacy status by having a well-regarded Information Commissioner’s Office and implementing the regulation, but I think the Investigatory Powers Act will be the sting in the tail,” says Lee.
An alternative solution could be a regulatory framework for exchanges of personal data between the EU and the UK, similar to the EU-US Privacy Shield. This has allowed EU countries to freely share data with the US, without an adequacy assessment taking place.
“If we do not achieve full adequacy status after we become a third country,” says Lee, “a middle ground might be that we negotiate an equivalent to the Privacy Shield that the United States has with Europe.”
This would not be an ideal solution, as there are concerns as to the legality of this framework. The previous version of Privacy Shield, the International Safe Harbour Privacy Principles, was declared invalid by the European Court of Justice in the Max Schrems versus Data Protection Commissioner case in 2015.
The subsequent Privacy Shield should provide a stricter set of ground rules, but points criticised by the court during the Schrems ruling persist in this new arrangement, which is currently under scrutiny by the European Data Protection Authorities.
Furthermore, such a regulatory framework for data sharing would first need to be put in place. At the time of writing, there has been no indication of any such legislative measures being prepared.
In the worst-case scenario, the UK would crash out of the EU with no deal, not meet the requirements for an adequacy assessment for data sharing and not have a regulatory framework in place for the purposes of sharing data. Were this to happen, then organisations in EU countries would no longer be able to share data with organisations in the UK, without specific contracts.
Data sharing contracts incorporating model clauses would need to be enacted for each and every type of data sharing. Model clauses stipulate the expected requirements for sharing data outside of the EU.
“Model clauses, which are approved by the European Commission, are one of the ways to overcome the adequacy requirements,” says Lee.
“Model clauses are quite detailed, but Article 28 of the GDPR also stipulates that if you are going to appoint a third party to process data then you need to have, in the contract between the data controller and the data processor, a bunch of additional clauses that were not mandatory under the old regime.”
The current model contracts are based on the EU’s previous data protection regime. They are still used for exporting data outside of the EU economic area, as they have not yet been updated. They also do not currently incorporate GDPR. New model clauses are currently being written to incorporate GDPR requirements.
Binding corporate rules
Large multinational companies can also utilise binding corporate rules for internal data transfers. Such rules are similar to a code of conduct. They are especially useful for allowing the transfer of personal data internationally, within the same corporate group, to countries that do not otherwise provide an adequate level of protection.
Such binding corporate rules must ensure all data transfers within a corporate group are safe. These rules must address the following requirements:
- Privacy principles, such as transparency, data quality and security;
- Tools of effectiveness (such as audit, training, or complaint handling systems);
- Proof that the rules are binding.
However, binding corporate rules take far longer to put into place than a data sharing contract between a data controller and a data processor, and do not cover data sharing with external organisations.
Hope for the best, prepare for the worst
The draft withdrawal agreement gives some indication of what will happen when the UK leaves the EU, provided that the UK Parliament agrees. Once the UK leaves the EU, it will enter a transition period for 21 months, at which point an “essentially equivalent” system for data protection should be in place.
This is by no means a certainty, given the recent parliamentary resignations. Should the UK Parliament vote against the agreement, the UK could well leave the EU without a deal in place. “A no-deal Brexit will probably mean that we have not got an adequacy status,” says Lee.
“The chances are we would be a third country, in the position of India, until such time as we can get adequacy status, or, failing that, some kind of Privacy Shield arrangement is put in place.”
This uncertainty presents a unique challenge for UK organisations, especially small to medium-sized enterprises that typically have tighter budget and resource constraints than larger companies.
Until further direction is given by the government indicating the shape of the UK’s data sharing agreement with the EU, organisations should keep abreast of the situation and have plans in place for each eventuality.
“You need to have a plan, as well as a Plan B, and even a Plan C, for if we crash out of the EU, do not have adequacy status and do not have a Privacy Shield equivalent in place,” says Lee. “It will not stop the business, but it will be more difficult.”