No-deal Brexit: data protection consequences for UK businesses - Part 1

This article looks at how UK businesses will be affected by changes in data protection law arising from a no-deal Brexit.

 

UK becomes a ‘third country’

The headline point is that once we’re out without a deal, the UK becomes a ‘third country’ for the purposes of all EU laws, including EU data protection law.  This is EU-speak for any country that isn’t a member state of the EU or EEA.

As a third country, the UK will suddenly find itself outside of the mutually-beneficial internal market that enables the unrestricted movement of, and free trade in, personal data between members of the EU/EEA club.  Unless and until the European Commission makes an ‘adequacy decision’ in respect of the UK’s legal framework for the protection of personal data, the UK will take its place on the EU naughty list of third countries that don’t provide an adequate level of protection for personal data and obtain the unenviable colloquial label of ‘non-adequate country’.  It will be unlawful for any organisation based in the EU or EEA – and therefore subject to the GDPR – to send personal data to any organisation based in the non-adequate UK unless one of the ‘transfer mechanisms’ listed in the GDPR can be put in place (see more on transfer mechanisms below).  

The GDPR isn’t just about protecting individuals from misuse of their personal data: it’s as much about allowing personal data to flow freely without restriction between EU/EEA members – to the benefit of all organisations established in member countries.

All organisations based in the EU/EEA effectively benefit from an assumption that they are ‘adequate’ because they are all subject to the same EU laws pertaining to personal data.  UK organisations have benefitted from, and possibly taken for granted, this assumed adequacy and free trade in personal data for decades, but will suddenly find themselves in the same position as their US, Indian, Chinese and Australian competitors – looking enviously in from the outside at the EU/EEA club whilst having to expend considerable resources to put transfer mechanisms in place and comply with additional obligations imposed on third country organisations under the GDPR if they want to tap into the EU personal data market.

The need for transfer mechanisms and the additional obligations for third country organisations under the GDPR effectively act as barriers to global free-trade, with ‘outsiders’ seeing the GDPR as a key tool of European protectionism. 

 

A new data protection legal regime for UK businesses

Currently, UK organisations are subject to:

  • the GDPR, an EU regulation with direct effect in all EU and EEA member countries (‘EU GDPR’)
  • the UK Data Protection Act 2018 (‘DPA 2018’), which replaced the UK Data Protection Act 1998 and currently supplements and tailors the EU GDPR within the UK

After a no-deal Brexit, UK organisations will:

  • continue to be subject to the DPA 2018 (as amended to reflect the UK’s newly-acquired third country status)
  • no longer automatically be subject to the EU GDPR, except where their activities are ‘caught’ by its extra-territorial provisions (see ‘How will this affect my business’ below) – in which case all those activities will continue to be subject to the EU GDPR
  • Become subject to the new UK GDPR: this is essentially the EU GDPR but with EU references changed to UK references, with the same core data protection principles, rights and obligations found in the GDPR.  The UK is basically adopting the GDPR as its main domestic data protection law, with technical amendments to make it work in a UK-only context from exit day.  The UK GDPR and DPA 2018 will operate alongside each other in the same way that the EU GDPR and DPA 2018 currently do.

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 is the law which will bring the UK GDPR into effect and amends the DPA 2018 and other data protection-related laws: https://www.legislation.gov.uk/uksi/2019/419/contents/made.

Various other data protection-related laws will continue to apply post-Brexit, including:

  • Privacy and Electronic Communications Regulations 2003 (PECR): The EU is replacing the current e-privacy law with a new e-privacy Regulation (ePR), which is not yet agreed and is unlikely to be finalised before Brexit.  This means the ePR will not form part of UK law if we no-deal Brexit.
  • Network and Information Systems Regulations 2018 (NIS): If your business is a UK-based digital service provider offering services in the EU, on exit date it may need to appoint a representative in one of the EU member states in which it offers services and will need to comply with the local NIS rules in that member state.  If it also offer services in the UK, it will also need to continue to comply with the UK rules regarding your UK services.
  • Freedom of Information Act 2000
  • Environmental Information Regulations 2004

 

How will these changes affect my business?

Becoming a third country for data protection law purposes presents a number of challenges and hurdles for UK organisations hoping to continue their business-as-usual activities after Brexit, whether this be providing or receiving services, collaborating on international research projects or any other activity that involves the sharing or use of personal data.

The consequences for any particular organisation will depend on its interactions with EEA organisations and individuals.  The table below summarises the applicable laws and practical effects for organisations depending on these interactions:

EEA interactions

Laws that will apply

Practical effects/obligations

No clients / collaborators / partners / other contacts in the EEA AND doesn’t process personal data relating to people in the EEA

DPA 2018

UK GDPR

Little change, as the DPA 2018 and UK GDPR contain the same basic principles, rights and obligations as the EU GDPR.

BUT will have to comply with UK GDPR restrictions and conditions on transferring personal data outside the UK.

Will be regulated solely by the ICO.

Has an office, branch or other established presence in the EEA

EU GDPR in respect of any processing of personal data in the context of the activities of the EEA establishment (even where the processing actually happens in the UK).  This is due to the extra territorial effect of Art 3(1) EU GDPR.

DPA 2018 + UK GDPR in respect of all its data processing activities, including those also subject to the EU GDPR.

Not all the organisation’s data processing activities will be subject to the GDPR, only those in the context of the activities of the EEA establishment.  However, in practice, it’s unlikely to be beneficial or workable to apply EU GDPR requirements to some but not all of the organisation’s activities.

Will need to identify a new ‘lead supervisory authority’ to replace the ICO as its regulator for the purposes of the EU GDPR.

Will also be regulated by the ICO in respect of its UK activities.

Offers goods or services to individuals in the EEA or monitors the behaviour of individuals in the EEA

EU GDPR in respect of any processing of personal data relating to offering goods or services to, or monitoring the behaviour of, individuals in the EEA.  This is due to the extra territorial effect of Art 3(2) EU GDPR.

DPA 2018 + UK GDPR in respect of all its data processing activities, including those also subject to the EU GDPR.

Not all the organisation’s data processing activities will be subject to the GDPR, only those relating to offering goods or services to, or monitoring the behaviour of, individuals in the EEA.  However, in practice, it’s unlikely to be beneficial or workable to apply GDPR requirements to some but not all of the organisation’s activities.

Will need to appoint an EU representative under Art 27 EU GDPR.

May need to deal with local supervisory authorities in every EEA country in which it carries out these activities, via its EU representative.

Will also be regulated by the ICO in respect of its UK activities.

Receives personal data from organisations in the EEA

(regardless of whether it offers goods or services to individuals in the EEA, monitors the behaviour of individuals in the EEA or has an office, branch or other established presence in the EEA)

 

In addition to the interaction-dependent applicable laws listed above:

EU GDPR Chapter V restrictions and conditions on transferring personal data outside the EEA.

Although these provisions may not apply directly to the UK organisation, its EEA-based clients, collaborators, partners and other contacts will have to comply with these restrictions and conditions because they are subject to the EU GDPR.

DPA 2018 + UK GDPR in respect of all its data processing activities, including those also subject to the EU GDPR Chapter V restrictions and conditions

Will need to take extra steps to ensure that it can continue to receive personal data from its EEA-based contacts – i.e. put ‘transfer mechanisms’ in place, such as standard contractual clauses.

 

 

 

 

This article was written by Hannah Kirby, a technology commercial solicitor at Clayden Law. Hannah can be contacted for more information on 01865 953542 or hannah@claydenlaw.co.uk.