The General Data Protection Regulation (GDPR) imposes strict obligations on organizations that process the “personal data” of European individuals, and failure to comply can result in large fines. In recent months the UK’s Information Commissioner’s Office (ICO) has imposed a number of £500,000 fines on global, household-name businesses, and those fines have generated a lot of publicity. Many onlookers were shocked by their magnitude but may not have appreciated that they were imposed under the Data Protection Act 1998, which was in force when the offending breaches occurred, and that £500,000 was the maximum penalty available under that Act. Had the breaches taken place after 25 May 2018, when the GDPR took effect, the fines would more than likely have been significantly higher.
Businesses have therefore invested significant resources and money to make sure that they do not fall foul of the obligations imposed by the GDPR. Yet, within less than a year of the GDPR becoming binding law, those same businesses face further disruption as Brexit looms.
Current landscape
In the UK, the GDPR is supplemented by the Data Protection Act 2018, which enables the GDPR to function properly as national law. The GDPR and the Data Protection Act 2018 are both enforced by the ICO. The ICO and the UK government have, to date, maintained that the GDPR will remain in force in the UK post-Brexit (albeit through adoption into national law) and will continue to be enforced by the ICO. In fact, the draft agreement on the withdrawal of the UK from the EU published on 14 November 2018 confirms that the GDPR “shall apply in respect of legal proceedings instituted before the end of the transition period”. If this draft agreement is accepted by the UK government and ratified by the EU member states, the status quo will at least remain until the end of the “transition period”, which is currently expected to end on 31 December 2020.
Possible implications of Brexit on GDPR
The GDPR allows “personal data” to flow freely between European Economic Area (EEA) member states but restricts its transfer to “third countries” outside the EEA. Such a transfer is lawful only where the European Commission has found the third country to have adequate data protection laws, or where the parties rely on another transfer mechanism recognized by the GDPR (such as standard contractual clauses or binding corporate rules) or on one of its narrow derogations. Following Brexit, and any transition period, in the absence of a finding of adequacy by the European Commission (see below), the UK will become a “third country” for these purposes. This would mean that “data controllers” and “data processors” in the EU would be prevented from transferring “personal data” to the UK, even between group companies, unless one of those other mechanisms is put in place.
The GDPR includes provisions that enable the European Commission to issue a decision of adequacy where a country demonstrates that it has adequate data protection laws, and an independent data protection authority. An adequacy decision means that “data controllers” in EU member states can freely transfer “personal data” to the approved third country as though it were another member state. Theoretically, the UK should satisfy the criteria of an “adequate country” if it adopts the GDPR into domestic law. However, there are political reasons why it is by no means a foregone conclusion.
UK Adequacy Application
If the UK is required to seek a finding of adequacy from the European Commission, the possible outcomes are as follows:
1. Application rejected: The UK becomes a third country, to which EU member states may not transfer “personal data” unless they can rely on other legal data transfer solutions (such as standard contractual clauses or binding corporate rules). This could cause significant disruption, as personal data currently flows freely between the UK and EEA member states.
2. Application results in an adequacy decision: The UK is recognized as an approved country, to which personal data may be transferred freely from EU member states. However, the ICO would not be entitled to participate in the European Data Protection Board. This could result in an inconsistent approach taken by the ICO and European regulators in relation to the administration and enforcement of the GDPR.
3. Application results in an enhanced adequacy decision: The UK is recognized as an approved country and the ICO would be entitled to participate in the European Data Protection Board.
What to do next
The GDPR will not become irrelevant after Brexit.
Whether the UK would, following Brexit and any transition period, receive a favorable adequacy decision is hard to predict, much like the outcome of the Brexit negotiations themselves. It is advisable to plan for the worst and assume that the UK becomes a “third country”. This includes deciding which data transfer solution under the GDPR is best suited to your flows of personal data between the EU and the UK, and how to implement it should the need arise.
For further information regarding GDPR and the impact that it may have on businesses (including US businesses) see our previous post here.