No-deal Brexit: data protection consequences for UK businesses - Part 1
This article looks at how UK businesses will be affected by changes in data protection law arising from a no-deal Brexit.
UK becomes a ‘third country’
The headline point is that once the UK leaves the EU without a deal, it becomes a ‘third country’ for the purposes of all EU laws, including EU data protection law. ‘Third country’ is EU-speak for any country that isn’t a member state of the EU or the EEA.
As a third country, the UK will suddenly find itself outside the mutually beneficial internal market that allows personal data to move freely between members of the EU/EEA club. Unless and until the European Commission adopts an ‘adequacy decision’ in respect of the UK’s legal framework for the protection of personal data, the UK will take its place on the EU naughty list of third countries that don’t provide an adequate level of protection for personal data and acquire the unenviable colloquial label of ‘non-adequate country’. It will then be unlawful for any organisation based in the EU or EEA (and therefore subject to the EU GDPR) to send personal data to an organisation based in the non-adequate UK unless one of the transfer mechanisms in Chapter V of the EU GDPR is in place: principally the ‘appropriate safeguards’ in Art 46, such as standard contractual clauses, or one of the narrow derogations in Art 49 (see the table below).
The GDPR isn’t just about protecting individuals from misuse of their personal data: it’s as much about allowing personal data to flow freely without restriction between EU/EEA members – to the benefit of all organisations established in member countries.
All organisations based in the EU/EEA effectively benefit from an assumption that they are ‘adequate’ because they are all subject to the same EU laws pertaining to personal data. UK organisations have benefitted from, and possibly taken for granted, this assumed adequacy and free trade in personal data for decades, but will suddenly find themselves in the same position as their US, Indian, Chinese and Australian competitors – looking enviously in from the outside at the EU/EEA club whilst having to expend considerable resources to put transfer mechanisms in place and comply with additional obligations imposed on third country organisations under the GDPR if they want to tap into the EU personal data market.
The need for transfer mechanisms and the additional obligations for third country organisations under the GDPR effectively act as barriers to global free-trade, with ‘outsiders’ seeing the GDPR as a key tool of European protectionism.
A new data protection legal regime for UK businesses
Currently, UK organisations are subject to the EU GDPR and the Data Protection Act 2018 (DPA 2018), which supplements it.
After a no-deal Brexit, UK organisations will instead be subject to the ‘UK GDPR’ (the text of the EU GDPR as retained in UK law and amended to work in a UK-only context) and the DPA 2018 as amended.
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 are the regulations that will bring the UK GDPR into effect (by amending the retained text of the EU GDPR) and that amend the DPA 2018 and other data protection-related laws: https://www.legislation.gov.uk/uksi/2019/419/contents/made.
Various other data protection-related laws will also continue to apply post-Brexit, in some cases as amended by those Regulations.
How will these changes affect my business?
Becoming a third country for data protection law purposes presents a number of challenges and hurdles for UK organisations hoping to continue their business-as-usual activities after Brexit, whether this be providing or receiving services, collaborating on international research projects or any other activity that involves the sharing or use of personal data.
The consequences for any particular organisation will depend on its interactions with EEA organisations and individuals. The table below summarises the applicable laws and practical effects for organisations depending on these interactions:
EEA interactions | Laws that will apply | Practical effects/obligations
--- | --- | ---
No clients / collaborators / partners / other contacts in the EEA AND doesn’t process personal data relating to people in the EEA | DPA 2018 + UK GDPR | Little change, as the DPA 2018 and UK GDPR contain the same basic principles, rights and obligations as the EU GDPR. BUT will have to comply with the UK GDPR’s restrictions and conditions on transferring personal data outside the UK (the UK government has said that transfers from the UK to the EEA will continue to be permitted, so in practice this mainly affects transfers to other third countries). Will be regulated solely by the ICO.
Has an office, branch or other established presence in the EEA | EU GDPR in respect of any processing of personal data in the context of the activities of the EEA establishment (even where the processing actually happens in the UK), because of the extraterritorial effect of Art 3(1) EU GDPR. DPA 2018 + UK GDPR in respect of all its data processing activities, including those also subject to the EU GDPR. | Not all the organisation’s data processing activities will be subject to the EU GDPR, only those in the context of the activities of the EEA establishment. In practice, though, it is unlikely to be beneficial or workable to apply EU GDPR requirements to some but not all of the organisation’s activities. Will need to identify a new ‘lead supervisory authority’ in the EEA to replace the ICO as its regulator for EU GDPR purposes. Will also be regulated by the ICO in respect of its UK activities.
Offers goods or services to individuals in the EEA, or monitors the behaviour of individuals in the EEA (without having an EEA establishment) | EU GDPR in respect of any processing of personal data relating to offering goods or services to, or monitoring the behaviour of, individuals in the EEA, because of the extraterritorial effect of Art 3(2) EU GDPR. DPA 2018 + UK GDPR in respect of all its data processing activities, including those also subject to the EU GDPR. | Not all the organisation’s data processing activities will be subject to the EU GDPR, only those relating to offering goods or services to, or monitoring the behaviour of, individuals in the EEA. In practice, though, it is unlikely to be beneficial or workable to apply EU GDPR requirements to some but not all of the organisation’s activities. Will need to appoint an EU representative under Art 27 EU GDPR (subject to the narrow exemption in Art 27(2) for occasional, low-risk processing). Because it has no EEA establishment it cannot use the ‘one-stop shop’, so it may need to deal with the local supervisory authority in every EEA country in which it carries out these activities, via its EU representative. Will also be regulated by the ICO in respect of its UK activities.
Receives personal data from organisations in the EEA (regardless of whether it offers goods or services to individuals in the EEA, monitors the behaviour of individuals in the EEA or has an office, branch or other established presence in the EEA) | In addition to the interaction-dependent laws listed above: the EU GDPR Chapter V restrictions and conditions on transferring personal data outside the EEA. These provisions may not apply directly to the UK organisation, but its EEA-based clients, collaborators, partners and other contacts must comply with them because they are subject to the EU GDPR. DPA 2018 + UK GDPR in respect of all its data processing activities, including those also caught by the EU GDPR Chapter V restrictions and conditions. | Will need to take extra steps to ensure that it can continue to receive personal data from its EEA-based contacts, i.e. put a ‘transfer mechanism’ in place with each EEA sender, such as standard contractual clauses under Art 46 EU GDPR.
This article was written by Hannah Kirby, a technology commercial solicitor at Clayden Law. Hannah can be contacted for more information on 01865 953542 or hannah@claydenlaw.co.uk.