The UK’s pending exit from the European Union on March 29, 2019, will have far-reaching effects on many business activities, including the processing of personal data. While the ultimate legal implications are subject to political decisions that are still unresolved, any company doing business in the UK should start preparing itself for changes in both the UK and the EU.
This alert sets out the steps businesses should consider taking to get ready for Brexit.
What is Brexit and What Are Its Implications?
“Brexit” stands for “British exit from the European Union“, which is the United Kingdom’s (UK) impending withdrawal from the European Union (EU). The UK decided to leave the EU following a June 2016 referendum. For now, the UK remains an EU Member State, meaning that it is still subject to all EU laws (including EU data protection laws). This will change on March 29, 2019—the scheduled date for Brexit—unless the EU and the UK can agree on a transition period prior to March 29.
The EU and the UK have been negotiating an agreement since the UK triggered the withdrawal procedure in 2017. On November 14, 2018, after lengthy and intense negotiations, the parties finally agreed on 1. the terms of the UK’s withdrawal from the EU (the “Withdrawal Agreement”, available here), which respectively provides that, even though Brexit is scheduled to take place in March 2019, EU law will apply in the UK until December 31, 2020, and on 2. a political declaration which sets forth a range of aspirational goals for after December 31, 2020.
The Withdrawal Agreement will only come into effect if it is approved by the UK House of Commons. The vote was scheduled for December 11, 2018 but was postponed on December 10 because it was apparent that a majority would not support the Agreement. It is currently unclear how this impasse will be solved. If the UK Parliament approves the Agreement, the European Parliament and EU Council would then need to give their approval.
If the Withdrawal Agreement is not approved and adopted by the UK, then EU law will cease to apply with immediate effect on March 30, 2019. This scenario is commonly described as the “no deal” or “cliff edge” Brexit scenario. To complicate things further, on December 10, the European Court of Justice found that the UK could unilaterally revoke its invocation of the withdrawal procedure if it wanted to.
Legal Regime in a Withdrawal Agreement Scenario
If the Withdrawal Agreement is approved, companies will face two consecutive legal regimes: 1. first, an implementation period of 21 months; and 2. second, a new post-Brexit legal regime which still needs to be determined.
- Implementation period (March 29, 2019 to end 2020). The Withdrawal Agreement includes a 21-month implementation period during which EU law will continue to apply to personal data in the UK. This period expires on December 31, 2020. Consequently, the General Data Protection Regulation (GDPR) will continue to apply to all personal data which has been collected and processed in the UK until December 31, 2020 (Art. 71 Withdrawal Agreement), and personal data will be able to freely flow between the EU and the UK. Even so, during this period, the UK will have exited the EU and will no longer be an EU Member State. This means that the UK Information Commissioner (ICO) will no longer be a member of the European Data Protection Board, and will not be able to serve as the lead regulator for companies under the GDPR (for the one-stop-shop and Binding Corporate Rules (BCRs), see below).
- After the implementation period (as of January 2021). What the legal regime after the implementation period will look like is still unclear. However, on November 14, 2018, the EU and the UK agreed on a political declaration which sets out the aspirational goals for an agreement between the parties after the end of the implementation period. The political declaration provides that the EU will aim to adopt an adequacy decision for the UK by the end of the implementation period which would allow data to flow freely from the UK and to the EU.
How Can Brexit Affect Your Business?
The following are some of the main effects of Brexit on business with regard to data protection:
- The greatest impact will occur if data flows to and from the UK are restricted under both EU and UK data protection law. The EU has put a regulatory framework in place which allows the free flow of personal data within the European Economic Area and to certain other jurisdictions. When the UK leaves the EU, it will no longer be part of this framework. If the Withdrawal Agreement does not come into force, then EU legal restrictions on data transfers will apply for transfers from the EU to the UK the same as to any third country; if it does come into force, then data will be able to flow to the UK as it does now as long as the Agreement is in place.
- Brexit may also interfere with companies’ existing data protection arrangements (such as the status of the ICO as lead regulator for the one-stop shop and BCRs, see below).
Key Business Priorities
In anticipation of Brexit, business operating in the UK should consider the following steps:
1. Mapping and Identifying Data Transfers at Risk
The most important impact for businesses relates to data transfers outside of and to the UK:
- Data transfers from the UK: Data transfers out of the UK could be significantly restricted as most existing data transfer mechanisms are enacted under EU law (e.g., decisions about the adequacy of protection in third countries, such as the EU-US Privacy shield, and the Commission-approved standard contractual clauses), and would thus no longer be applicable to the UK after the transition period. The UK government has indicated that even in case of “no deal” Brexit, companies may continue to send personal data from the UK to the EU, but there is uncertainty around data transfers from the UK to non-EU countries. Similarly, Brexit will mean the UK’s departure from the EU-US Privacy Shield and the EU-US Umbrella Agreement, which will have an impact on data transfers from the UK to the U.S.
- Data transfers from the EU to the UK: There is significant uncertainty related to data transfers from the EU to the UK. If there is no agreement, the UK will—to all effects—be considered a third country and data transfers from the EU to the UK would be prohibited absent adequate safeguards or an adequacy finding. Therefore, businesses should start planning to ensure they have the necessary mechanism(s) in place to transfer personal data from the EU to the UK (e.g., by signing contractual clauses between the data exporter and data importer).
Practically, if a company is conducting business from or with the UK which involves the processing and import/export of personal data, it should consider identifying any “at risk transfers” (i.e., any transfers which will be impacted by Brexit), and be sure to implement a valid data transfer mechanism for each data transfer identified as being at risk.
2. Review and Revise Third Party Agreements and Intra-Group Agreements
The GDPR requires companies to regulate data transfers in their data processing agreements. As a consequence, many data processing agreements with EU customers or EU service providers restrict or prohibit the transfer of data outside of the EU. Practically, this means that any third party data processing agreements which cover data transfers at risk will need to be reviewed to ensure that such transfers will be allowed post-Brexit and, where applicable, appropriate data transfer mechanisms will need to be implemented. The same exercise will have to be carried out for intra-group data flows.
3. Review UK Lead Authority for One Stop Shop and BCRs
One of the main benefits of the GDPR has been the introduction of a “one stop shop”-mechanism, which allows companies based in multiple EU countries to deal with one regulator at the pan-EU level. There are a number of factors that determine which regulator will be the “lead supervisory authority”, the main factor being the location of a company’s or a group of companies’ main European establishment. As stated above, after Brexit, the UK data protection regulator (the ICO) can no longer be a “lead supervisory authority” for EU data protection purposes. This means that many companies that expected the ICO to be their lead authority will now need to review their situation. This also applies to companies with BCRs who have planned or were planning to have the ICO as their lead authority under the EU legal framework.
4. UK Businesses May Need to Appoint a Representative in the EU
After Brexit, the UK will become a third country from the perspective of the EU. As such, any UK-based companies or companies whose only European establishment is in the UK will need to assess whether they are still subject to the GDPR, and if so, appoint a representative on EU territory. Under the UK Data Protection Act of 2018, the requirement to appoint a representative has been deleted. This means that there will be no reverse obligation to appoint a UK representative for EU data controllers without an UK establishment but who are subject to the DP Act 2018.
Next Steps and Conclusion
There is a high level of uncertainty around Brexit and, in particular about the legal framework for data protection applicable post-Brexit if it happens. However, companies doing business in the UK should start planning ahead, and consider identifying data flows at risk, and defining a data transfer strategy to cover data flows post-Brexit.
We will continue monitoring the data protection developments related to Brexit and keep you informed of significant updates.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and cybersecurity issues, including data transfers restrictions. For more information, please contact Cédric Burton, Lore Leitner, Christopher Kuner, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and data protection practice.
Compliments of Wilson Sonsini Goodrich & Rosati , a member of the EACCNY