Last updated on 01 July 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
UK and EU businesses that share personal data must take appropriate steps to keep their operations running smoothly after Brexit, whether the UK leaves the EU with or without a deal.
Continuing GDPR compliance may or may not be top of your Brexit agenda. But processing personal data underpins many of your business activities. Failing to prepare for Brexit could lead to you breaking data protection law.
We're going to separate some myths from reality and consider what steps you should take to mitigate the impact of Brexit on this aspect of your business.
After Brexit, the UK will no longer be directly subject to EU regulations. However, there are confirmed plans to bring the General Data Protection Regulation (GDPR) into UK law. Therefore, the GDPR will still apply in the UK after Brexit.
The UK also has a national law called the Data Protection Act 2018, which implements parts of the GDPR into UK law and sets exemptions from particular aspects of the GDPR. There are no plans to amend or repeal the Data Protection Act after Brexit.
This means that data protection standards in the UK are not expected to change after Brexit.
Let's briefly look at the three most likely Brexit scenarios. Then we'll consider how these scenarios might affect UK businesses in terms of data protection.
The UK could leave the EU with a deal. The UK and the EU have agreed on a deal, but it hasn't yet been ratified by the UK Parliament. The UK Parliament must ratify any Brexit deal before it can be put in place.
The EU has agreed to extend the Brexit deadline until January 31st, 2020. Therefore, unless there is a further extension, the UK must leave the EU on this date, with or without a deal in place.
The UK could leave earlier than January 31st, 2020 if a deal is ratified by the UK Parliament before this date.
The UK could leave the EU without a deal, also known as a "no-deal" Brexit. This would mean leaving the EU without any formal arrangements in place to regulate the UK-EU relationship.
No-deal Brexit is unlikely to occur before January 31st, 2020.
It's still possible that Brexit won't happen at all.
There will be a general election in the UK in December of 2019. This could completely change the political landscape of the UK and could even lead to Brexit being reversed.
There are also calls for a second referendum, meaning that the UK public would be asked to reconsider its decision to leave the EU.
However, it seems increasingly likely that the UK will leave the EU. On this basis, you should plan for Brexit.
Here's some of the terminology we'll be using throughout this article:
Certain UK and EEA businesses should put safeguards in place to ensure they can continue transferring personal data after Brexit.
There are two types of businesses that need to put data protection safeguards in place to prepare for Brexit:
In other words, Brexit will affect personal data transfers from the EEA to the UK.
Here are some examples:
There are several types of businesses that will not need to put data protection safeguards in place to prepare for Brexit. For example:
Brexit will not affect personal data transfers from the UK to the EEA. The UK government has stated that it will not restrict personal data transfers to the EEA after Brexit.
These new rules don't apply where you're collecting personal data directly from customers or other individuals. Collecting personal data directly from the "data subject" is not considered a transfer of personal data.
UK businesses with customers in the EEA should already be processing their EEA customers' personal data in compliance with the GDPR. There shouldn't be any change to this requirement after Brexit.
Similarly, EEA businesses with customers in the UK should already be processing their UK customers' personal data in compliance with the GDPR. Again, there shouldn't be any change to this requirement after Brexit.
If the UK leaves the EU with a deal, data transfers from EEA businesses to UK businesses should remain as normal until at least the end of 2020.
Throughout this transition period, the European Commission will be deciding whether the UK should be an "approved third country" (formally, whether to grant the UK an adequacy decision). Being an approved third country would mean UK and EEA businesses could continue transferring personal data into the UK as normal.
So, if the UK leaves with a deal, one of two things should happen towards the end of 2020:
Note that there is no guarantee that the UK will become an approved third country. Certain aspects of UK data protection law are controversial within the EU.
If the UK leaves the EU without a deal, which could happen as soon as January 31st, 2020, there will be no transition period. The UK will cease to be an EEA country, and it will not be an approved third country.
In the event of a no-deal Brexit, UK businesses will need to have safeguards in place on Brexit day to continue receiving personal data from EEA businesses.
Therefore, affected UK and EEA businesses should put safeguards in place as soon as possible.
The GDPR identifies several types of safeguards that allow EEA businesses to transfer personal data to non-EEA businesses. Affected businesses should ensure they are using one of these safeguards to continue transferring personal data into the UK.
Technically, the onus is on EEA businesses to put safeguards in place in time for Brexit. However, UK businesses should also take proactive steps to ensure that data transfers from the EEA remain lawful after Brexit.
Standard Contractual Clauses (SCCs) are specific terms that can be included in a contract between two businesses to make third-country data transfers lawful.
SCCs are legally binding. They ensure businesses receiving personal data will only process it in accordance with the GDPR.
For most businesses, SCCs will be the most appropriate safeguard. UK and EEA businesses need to:
To ensure you're using the correct set of SCCs, you need to understand the concepts of data controller and data processor.
SCCs are officially approved by the European Commission and must not be altered.
Binding Corporate Rules (BCRs) are another type of safeguard for facilitating third-country personal data transfers.
BCRs are only suitable for multinational corporations and enterprise groups. Therefore, they are not suitable for most businesses.
Further guidance about BCRs is available from the ICO.
There may be one-off situations in which a UK business needs to receive personal data from the EEA, or an EEA business needs to send personal data to the UK.
The GDPR does allow for "occasional" third-country transfers that are not covered by SCCs or BCRs. However, certain conditions need to apply. Let's look at the three exceptions most likely to apply to your business.
If an EEA business needs to transfer an individual's personal data to a UK business without any safeguards in place, the transfer can still take place if the individual consents to it.
Consent under the GDPR is subject to very strict rules. The rules are even stricter when it comes to third-country transfers.
You must provide a lot of information to the individual when asking them if they consent to the transfer. Here's a list of all the relevant information, from the ICO:
If the individual explicitly consents, then the transfer can take place. Make sure you keep a record of the consent.
An EEA business might need to transfer an individual's personal data to a UK business in order to fulfill contractual obligations to that individual, or in order to enter into a contract with that individual.
This exception is designed to avoid breach of contract. If the transfer is truly necessary to fulfill the terms of the contract, then the EEA business can make the transfer without any safeguards in place.
This exception can also cover other beneficiaries of a contract.
As an absolute last resort, an EEA business may be able to argue that it has compelling legitimate interests in transferring personal data to a UK business. This would require the business to carry out a Legitimate Interests Assessment and document it.
The EEA business must inform its Data Protection Authority if it plans to make a transfer covered by this exemption.
Here's an excerpt from YouGov's Privacy Notice, which explains how the company uses SCCs:
It's hard to predict exactly how data protection arrangements will look after Brexit. Here are some of the possibilities:
The UK is due to leave the EU on January 31st, 2020. The UK could leave the EU with or without a deal.
The following types of business should put safeguards in place to prepare for Brexit:
Most businesses should use Standard Contractual Clauses (SCCs) to safeguard personal data transfers after Brexit.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.