01 September 2017

Brexit: Impact on data protection

As negotiations for the UK’s withdrawal from the EU are now well underway, we look at what this process could mean specifically for the business-critical asset of data and the compliance space around data protection.

The European Union (Withdrawal) Act 2018 repeals the European Communities Act 1972 (ECA) incorporating all EU laws into UK domestic law ‘where practical’ to ensure no unintentional gaps are left by the repeal of the ECA.

This will allow for gradual adjustment of each piece of incorporated EU law on a topic-by-topic basis following the Brexit date of actual separation, rather than the impractical task of requiring every adjustment to be completed by that deadline date. This will also mean a focus can be brought to bear on the issues which need new legislation immediately upon the Brexit date, such as customs or immigration rules to meet the negotiated position.

In the UK, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) provide the legislative framework data protection. EU Regulations are forms of European legislation which are directly applicable, having an automatic status of law applicable in each Member State, as such GDPR is applicable in the UK until 11pm on 29 March 2019. GDPR allows data to be transferred freely within the EEA but imposes restrictions on transfers outside that area.

So what does Brexit mean for these latest changes in data protection laws?

The Information Commissioner, who leads the regulatory body governing data protection compliance in the UK, has made it very clear that her expectation was always for the UK to adopt something very much aligned to GDPR for our post-Brexit approach to data protection. Her argument is that anything less would hinder the UK’s international trade and global activities. The DPA essentially weaves the GDPR into the UK’s laws, in order to ensure a consistent approach for UK organisations and businesses and enable continued European trade in data and associated services as smoothly as possible.

If there are no arrangements in place regarding future arrangements for data protection come March 2019, there would be no immediate change in the UK’s data protection standards given that the EU Withdrawal Act would incorporate GDPR into UK law to sit alongside it. Day-to-day compliance requirements in how personal data is used within the UK would therefore not be changed.

There would be more impact on international flows of data. A business’ ability to transfer personal data from the UK to the EU would remain unchanged initially (although this would be kept under review by the UK regulators) but the flow of personal data from the EU to the UK is more problematic.

Ideally, the UK is looking for an “adequacy decision”, which is an established EU mechanism whereby the EU would deem the UK’s level of personal data protection as equivalent to that of the EU, allowing transfers of personal data to continue with no additional formalities. Given that UK law will continue to be based on GDPR, there is a good argument that this standard is met. The European Commission, however, have indicated that a decision on adequacy cannot be taken until the UK is a ‘third country’ i.e. post 29 March 2019. If this position is maintained, organisations will need to use other mechanisms for legitimising transfers from the EU to the UK during the interim period before a decision is taken. This will also help to protect against the risk that an adequacy decision is never made.

In absence of an adequacy decision, a business wanting to transfer personal data from the EU to the UK will need to identify a legal basis for such transfer. UK businesses receiving data will need to work with their European partners to put in place appropriate protection. In many cases, the most appropriate legal basis would be the standard contractual clauses, model data protection clauses which have been approved by the European Commission. These need to be embedded into any contract between a UK and EU business to enable the free flow of data and UK businesses could proactively offer to include them in contracts involving data transfers from the EU.

In addition to GDPR and the DPA, the Privacy and Electronic Communications Regulations (PECR) cover issues such as cookies and telephone and email direct marketing. The law in this area is currently under review at European level and it is unclear whether the amended version (the e-Privacy Regulation) will become law before Brexit and whether it will be incorporated into UK law. However, it is likely that the UK will adopt the same or similar standards as part of its argument that an adequacy decision should be made, and as such our advice continues to be to monitor developments relating to the e-Privacy Regulation.

If you would like some assistance in considering the steps your business should be taking to review its data and its compliance strategy in this space, please contact a member of our Commercial team.

© Shulmans LLP 2017

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. Shulmans LLP is not responsible for any activity undertaken based on this information.