Data protection law in the UK is currently governed by the Data Protection Act 1998. This legislation dates from a time when Motorola, Nokia and Ericsson dominated the mobile phone industry, and Google was yet to be incorporated. The technological advances made since then mean the current legislation is outdated and in urgent need of modernisation. This modernisation is arriving in the form of the General Data Protection Regulation (GDPR).
What happens after the UK leaves the EU is still quite uncertain; what is clear, however, is that the data protection regime in the UK will need to largely resemble the GDPR.
If during the Brexit negotiations the UK decides to become part of the European Free Trade Area, then the GDPR would continue to apply after the UK leaves the EU. If we proceed with a “hard Brexit”, then from the date the UK leaves the EU, the UK will become a “third country”.
What does this mean?
Territorial scope – any UK organisation that continues to do business with EU residents after the UK leaves the EU will have to comply with the GDPR. Such UK organisations will also be required to appoint a representative in an EU member state.
Not only does the GDPR apply to the processing of personal data by an organisation established in the EU, but it also applies to the processing of personal data of European residents by an organisation established outside of the EEA where the processing activities relate to:
- the offering of goods or services to EU residents; or
- the monitoring of their behaviour, as far as their behaviour takes place within the EU.
One stop shop – Lead supervisory authority?
Multinationals operating throughout the EU are currently subject to a patchwork of approaches from various regulators. During the negotiations of the GDPR the “one stop shop” was viewed as a solution for such multinationals: the lead supervisory authority will act as the main regulator for them. Any multinational that is currently headquartered in the UK for data protection purposes will need to consider moving its data protection headquarters to another EU Member State in order to secure the lead supervisory authority benefit.
Dublin could well be an attractive destination: not only is the language favourable, but the Irish regulator takes a similar approach to the ICO. With many of the world’s largest technology companies headquartered in Ireland, it is likely to be a key jurisdiction in terms of data protection activity, the recent Facebook litigation being a prime example of this.
International data transfers – Adequacy decision?
Personal data can only be transferred to countries outside the EEA when an adequate level of data protection is guaranteed.
The EU Commission has the power to determine whether a particular jurisdiction provides an adequate level of data protection.
The UK government has stated that it intends “to make sure that we achieve a coherent data protection regime and that data flows within the EU are not interrupted after we leave”. The ideal scenario would be for the UK to obtain an adequacy finding, but this is a lengthy process, so the UK may well look to include data protection provisions as part of the Brexit trade agreement.
In the absence of an adequacy decision, transfers of personal data to the UK after the UK leaves the EU would be allowed if the transfer is based on the EU Model Clauses, a new EU-UK Privacy Shield or a set of Binding Corporate Rules.
The GDPR provides for specific contractual changes. This will require both controllers and processors to review and amend any contracts which involve the processing of personal data. This is another area that will continue to affect companies doing business with the EU after the UK leaves the EU, with the specific data protection requirements applying to their European activities only.
Before the UK leaves the EU
- Continue to comply with the current data protection rules (Directive 95/46 and implementing national legislation): before its effective date, Brexit will not raise any barriers to personal data flows between the UK and other EU Member States.
- Continue efforts to become compliant with the GDPR as from 25 May 2018.
- Identify transfers of personal data from the EU to the UK which may be impacted by future changes to the applicable data protection rules as a result of Brexit.
- Consider your current business practices and determine if the GDPR will apply to them post Brexit.
After the UK leaves the EU
- Be prepared for transfers of data to a third country, which may include the UK.
- Review your contracts with UK third-party providers regarding EU data protection compliance.