On December 13, 2018, the Information Commissioner’s Office (“ICO”) in the United Kingdom issued guidance on the state of UK data protection law should the country leave the European Union (“EU”) without having reached an agreement on the terms of its withdrawal. Much of this latest guidance is consistent with the ICO’s earlier guidance on the topic, published in September 2018. But as the UK’s expected withdrawal from the EU on March 29, 2019, inches closer, organizations that process the personal data of individuals resident in the UK or in other countries in the European Economic Area (EEA) should now take steps to prepare themselves for the possibility of a “no-deal” scenario.
One key takeaway from the guidance is that UK data protection law will in many respects remain undisturbed by Brexit, regardless of whether a deal is reached. Under the European Union (Withdrawal) Act 2018, the General Data Protection Regulation is scheduled to enter into UK domestic law upon the country’s exit from the EU, although it will need to be modified in certain respects to serve as UK law (referred to as the “UK GDPR” in the guidance). Because the GDPR, along with the UK Data Protection Act 2018, already provides the substantive standards for data protection in the UK, those standards are not expected to change.
Furthermore, the ICO’s guidance indicates that the UK plans to take a number of steps to ensure that data transfers from the UK to countries in the EEA can continue without disruption. First, the UK will declare that EEA countries ensure an “adequate level of protection” for personal data under Article 45 of the GDPR, thereby allowing for the free flow of personal data to those countries. Second, the UK will transitionally adopt the European Commission’s adequacy determinations with respect to Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay. As for the United States, discussions are currently underway for a bilateral arrangement comparable to the EU-U.S. Privacy Shield. Third, the UK will continue recognizing the validity of the Standard Contractual Clauses (“SCCs”) issued by the European Commission, as well as the Binding Corporate Rules (“BCRs”) thus far approved by the ICO. If implemented, these measures would ensure that data with a lawful basis to leave the UK under existing law would have a lawful basis to do so even under a no-deal Brexit.
However, a no-deal Brexit would likely affect data transfers into the UK, at least in the short term. If the UK leaves the EU without a deal, the free flow of personal data from EEA countries into the UK currently permitted under the GDPR would be halted until the European Commission makes an adequacy determination as to the UK. According to the ICO, the Commission has signaled its intention to begin conducting this adequacy determination only after the UK has already left the EU, thus prolonging the period during which the UK would be deemed an “inadequate” third country.
Accordingly, organizations that plan on importing data from EEA countries into the UK will need to establish an alternate lawful basis for doing so, until such time as the UK receives a formal adequacy determination from the European Commission. For the relatively small number of organizations that have had BCRs approved by the Commission, those BCRs (pending confirmation from the Commission) should enable intra-company data transfers into the UK. For the majority of companies without approved BCRs, the most appropriate step is likely to involve reliance upon SCCs. The ICO currently offers a tool that assists organizations in determining which SCCs are best suited to their needs and has expressed its intention to offer a similar tool in the future to assist companies in auto-generating such SCCs.
The ICO has also made available a six-step checklist, a statement from the ICO Commissioner Elizabeth Denham, and a frequently asked questions page to serve as resources for UK organizations. These materials shine further light on practical issues facing organizations that process the personal data of individuals in the UK or EEA, including that, while such organizations may be able to use the same individual to serve as their Data Protection Officer in both the EU and UK, they may have to designate separate individuals to serve as their personal representatives in those jurisdictions. They also note that organizations currently benefiting from the one-stop-shop regime under the GDPR, with the UK as their lead supervisory authority, should determine whether they are eligible to designate a new lead authority within the EU. One expected consequence of a no-deal Brexit for companies engaged in pan-European data processing is that they will find themselves under the oversight of more data privacy regulators than at present. The ICO guidance describes a number of breach scenarios where this will be the case.
Affected organizations should consult the ICO’s website periodically to see whether new guidance has been issued on the topic of post-Brexit data protection in the UK.