Maintaining data flows between the UK and the EU can be a key business issue. This issue is subject to further questions and uncertainties when Brexit is factored in – not least: when we are no longer in the EU, will the GDPR still apply?
First, it is worth remembering that the GDPR is an EU regulation and is directly applicable in all Member States. Therefore, for as long as the UK is still a Member State (which will be the case until 31 October 2019 at the earliest), the GDPR will apply to UK businesses.
The Withdrawal Agreement
The UK-EU Withdrawal Agreement published a few days ago allows for a transition period (ending on 31 December 2020) during which EU law, including the GDPR, will continue to apply. The agreement also provides that EU data protection law (again, including the GDPR) will continue to apply in the UK in relation to the processing of personal data of individuals based outside the UK, where either the data was processed under EU law before the end of the transition period, or where it is processed after the transition period on the basis of the Withdrawal Agreement.
The leaders of all the Member States have signed off on the Withdrawal Agreement. However, the all-important UK parliament vote in favour of the deal (followed by a vote of the EU Parliament) is required before the Withdrawal Agreement can come into effect. Given the current volatility of the UK political scene, there is every possibility of the Withdrawal Agreement being voted down and there being a no-deal Brexit.
GDPR is here to stay
Despite the above, the GDPR is here to stay in the UK post-Brexit regardless of the deal (or lack of deal) between the UK and the EU. This is because UK legislation has already implemented the GDPR into the statute book: the European Union (Withdrawal) Act 2018 (which received Royal Assent on 26 June this year) will, on the day the UK leaves the EU, convert into UK law most of the EU law (including the GDPR) which applied prior to the UK leaving.
Also, the new Data Protection Act 2018 (“DPA 2018”) came into force on 23 May 2018. The DPA 2018 supplements the GDPR. Therefore, for the time being, one or both of the GDPR and the DPA 2018 will continue to apply in the UK.
What is less clear is the issue relating to EU-to-UK personal data transfers.
EU-to-UK data transfers
Prior to the Withdrawal Agreement being published, there was little direction on how Brexit will impact on personal data transfers from the EU to the UK. This has left many businesses in a state of uncertainty.
Under the GDPR, businesses within the European Economic Area (“EEA”) are not permitted to transfer personal data to countries outside the EEA (referred to as “third countries”) unless:
- one of a number of legal safeguards prescribed by the GDPR (such as using standard contractual clauses or binding corporate rules) is established by the transferring organisation; or
- the third country has been deemed “adequate” by the European Commission (which we explore in more detail below).
As a result of Brexit, the UK will become a third country in due course.
Up to this point, there has been uncertainty as to what legal safeguards businesses in the EEA will need to establish post-Brexit in order to transfer personal data to the UK in a GDPR-compliant manner.
The draft Withdrawal Agreement effectively provides that the EU will treat the UK in the same way as the other Member States during the transition period. This would mean that the UK would not be deemed a third country in respect of data transfers during this period.
Certain third countries (like New Zealand and Canada) have previously applied, with success, for “adequacy” status. This means that the European Commission has decided that those countries’ data protection laws are adequate and therefore no additional legal safeguards are required when transferring personal data to organisations based in those countries.
The Draft Political Declaration (which is a short summary of a possible future relationship between the EU and the UK) commits to the commencement of the UK’s adequacy assessment by the European Commission and suggests that the Commission will aim to make an adequacy decision before the end of the transition period. However, there are doubts (and no guarantees) as to whether an application made by the UK to the European Commission for adequacy would be successful within the transition period or at all.
Also, the Withdrawal Agreement is far from a certainty. If no deal is reached between the UK and EU, there will be continued uncertainty as to how the UK will be treated after Brexit. The likely scenario would be that European businesses will need to implement one of the appropriate legal safeguards in order to continue to transfer personal data to the UK post-Brexit in a GDPR-compliant manner.
The GDPR is here to stay in the UK regardless of the Brexit outcome. However, some certainty is still needed around cross-border transfers of personal data from the EEA to the UK. At present the Withdrawal Agreement is by no means a certainty and the question still remains regarding what system will be established between the EU and UK (if any) after the transition period concerning the cross-border transfer of personal data between the EEA and the UK.