I’m often entertained by some of the imaginative job titles given to data protection specialists - over the years, I’ve seen everything from “Privacy Ninja” to “Data Protection Jedi”. One I’ve not yet seen though is “Data Protection Clairvoyant”, despite increasingly feeling that this would be an apt description for what many privacy professionals are asked to do: predict the future. The past few years have seen us guessing at what the final text of the GDPR would look like, if and when the first 4% fine would be issued, and when the e-Privacy Regulation will become law, amongst other things.
Then, of course, there’s the “B” word: Brexit. It’s impossible to be a UK (or EU) privacy professional without fielding many questions about Brexit and what it means for data protection. The problem is it’s complicated! Understanding Brexit alone is hard enough, let alone trying to work out the interplay between the GDPR and the UK Data Protection Act 2018, what the UK’s EU (Withdrawal) Act has to do with it all, and what happens in the event of a “deal” vs “no deal” Brexit.
So let’s return to basics and explain what it all means:
1. The Basics: What is Brexit?
On 23 June 2016, the UK held a referendum on whether or not to remain in the European Union (the European Union being a political and economic union of 28 Member States with an internal single market guaranteeing free movement of goods, capital, services and labour - aka the “four freedoms”).
52% of those who voted chose to leave the EU, but this didn’t automatically trigger the UK’s departure. Instead, the UK government needed to serve a formal notice of departure called an Article 50 notice (so-called because the process for leaving the EU is set out in Article 50 of the Treaty on European Union) - you can think of this as being a bit like serving formal notice to terminate a contract.
Article 50 requires the EU to negotiate and conclude a withdrawal agreement with the departing Member State - i.e. the UK. A maximum period of two years is allowed to reach this withdrawal agreement - this time period can be extended only if the European Council (i.e. the heads of state or government of each EU Member State) unanimously agrees to do so, in agreement with the departing Member State.
The UK served its Article 50 notice on 29 March 2017, so this two year period expires on 29 March 2019 at 11pm UK time (midnight in Brussels). This is the point at which, unless an extension is agreed, the UK will leave the EU.
2. What is the difference between a “deal” and a “no deal” Brexit?
Put simply, it’s the difference between whether the UK and EU successfully manage to agree a withdrawal agreement under Article 50 (as described above) or not.
The purpose of the withdrawal agreement (the current draft of which you can see here - the “Withdrawal Agreement”) is to ensure the UK leaves the EU in an orderly fashion: it deals with things like the settlement of financial arrangements between the UK and EU, citizens’ rights post-Brexit (e.g. residency arrangements for immigrants into or from the UK and EU post-Brexit), and the ever-difficult question of how to solve the Irish border.
It also covers a wealth of other issues too, ranging from intellectual property protection, ongoing police and judicial cooperation, VAT and customs arrangements and so on. If you want to try and understand just how complex the Brexit negotiations are, the Withdrawal Agreement is a good place to look. And, yes, it even contains draft provisions relating to data protection - have a look at Part 3 (Separation Provisions), Title VII.
According to latest reports, the UK and EU are 95% agreed on the terms of the UK’s Brexit withdrawal - the sticking point being arrangements concerning the Irish border.
3. OK, so that’s the Withdrawal Agreement, what’s the UK’s EU Withdrawal Act then?
You may also have heard of the European Union (Withdrawal) Act 2018. This is not to be confused with the Withdrawal Agreement. Whereas the Withdrawal Agreement is essentially an agreement (i.e. a treaty) between the UK and the EU about how to manage an orderly Brexit, the EU Withdrawal Act is legislation (i.e. a statute) passed by the UK Parliament.
The EU Withdrawal Act serves a few key functions:
- First, it repeals the European Communities Act 1972 (“ECA”) in the UK. In simple terms, the ECA is the piece of UK law that gives European Union law effect in, and supremacy over, UK law (“supremacy” meaning that if there is a conflict between UK law and EU law, EU law prevails). Once the ECA is repealed, this ceases to be the case - i.e. the UK becomes subject only to UK law.
- Second, it essentially “copies and pastes” all existing EU law into UK law on the day of exit (so-called “retained EU law”), in order to provide legal certainty and continuity immediately upon leaving the EU. However, this does not mean that the UK remains subject to these EU laws indefinitely - by copying and pasting them into UK law, they become ordinary domestic law that can be superseded, amended or repealed by the UK Parliament going forward.
- Finally, blindly copying and pasting EU laws into UK law won’t work - many of those laws will need tweaking to work after Brexit (for example, to replace references to European institutions with references to equivalent UK institutions). There isn’t time to legislate for all of the necessary changes before Brexit, so the Withdrawal Act therefore confers so-called “Henry VIII” powers upon the UK government to make any changes necessary for these copied EU laws to work in the UK after Brexit.
The Withdrawal Act’s “copy and paste” of EU law takes effect on exit day, so in practice it operates as a safety net for a “no deal” Brexit. Without it, huge areas of regulation which originate from the EU would fall away at the moment the UK leaves the EU. This would even be the case with EU regulations, including the GDPR - because a regulation applies directly in Member States without any domestic implementing legislation, there would be nothing left on the UK statute book to carry it over once the ECA is repealed. (If a deal is reached, the expectation is that separate legislation implementing the Withdrawal Agreement would adjust this timing so that EU law continues to apply during the transition period.)
Oh, and one last point: don’t confuse the Withdrawal Act with the EU (Withdrawal Agreement) Bill - the UK Parliamentary Bill that will implement the major elements of the Withdrawal Agreement (if and when agreed with the EU) into UK law.
Are you keeping up so far?
4. Does the Withdrawal Agreement cover the UK’s future relationship with the EU?
It’s not that simple, I’m afraid! The Withdrawal Agreement deals with the UK’s separation from the EU. Its future relationship with the EU will need to be agreed by way of a separate agreement. This can only be concluded once the UK has left the EU - although discussions concerning an “overall understanding” of the future relationship between the UK and EU are already taking place. These discussions aim to deliver a jointly agreed, non-binding “political declaration” that will outline the framework of a future relationship between the UK and the EU (the UK's position in relation to these discussions was set out in the so-called "Chequers plan" – which is available here).
The goal is to reach an agreement on a future relationship during the Brexit transition period - assuming we have a “deal” Brexit. If we don't, then the UK will have to try and reach an agreement on its future relationship with the EU only after it has fully left the EU.
5. I’ve heard about the transition period. What’s that?
If the UK reaches a deal with the EU concerning Brexit, then the Withdrawal Agreement provides for a transition period through to 31 December 2020. (There have been reports that the UK and the EU are discussing an even longer transition period - perhaps one year more - but for now until December 2020 is what is in the draft Withdrawal Agreement.)
During this transition period, the EU and UK would implement the various measures agreed within the Withdrawal Agreement and, more generally, take the implementation steps necessary to adapt themselves to life post-Brexit (e.g. create infrastructure necessary for customs checks at borders and so on.)
During this period, while the UK will technically cease to be a Member State of the EU, it will continue to remain subject to EU law. This is because the Withdrawal Agreement says that EU law will still apply to the UK during the transition period and that references to “the European Union” within EU laws (including within EU data protection laws) will be read to include the UK throughout the transition period. In practical terms it will be as if the UK is still part of the EU, but without the ability to participate in the development of new EU laws.
During the transition period, the UK and EU would then aim to conclude an agreement on their future relationship by the time the transition period ends. But, if we have a “no deal” Brexit, then there will be no transition period - and this agreement would therefore need to be reached while the UK is operating under WTO rules outside of the EU.
6. Enough of the Brexit 101 - what does this all mean for data protection?
In terms of what you therefore need to know about the data protection impacts of Brexit:
- Continued application of the GDPR post-Brexit: The EU Withdrawal Act “copies and pastes” the GDPR into UK law on the date of exit from the EU. This means that the GDPR (as retained in UK law), read in conjunction with the UK Data Protection Act 2018, will continue to apply to UK-established businesses and to any business that provides goods and services to, or monitors the behaviour of, individuals in the UK. That’s the good news for those businesses that have been through extensive GDPR preparations: the substantive obligations do not change on exit day.
- Data flows during the transition period: If we have a “deal” Brexit, then the UK will (in effect) continue to be treated as though it is part of the European Union until the end of the transition period. This means that data will continue to be able to flow freely from the EU to the UK (and back again) without restriction.
- Data flows after the transition period or in a “no deal” scenario: Once the transition period expires, or in the event of a “no deal” Brexit, the UK will cease to be part of the EU. For EU data protection purposes, it will be a “third country” and so be subject to precisely the same restrictions on international data exports from the EU as apply to any other non-EU country (e.g. the US).
- Need for EU to UK data export solutions: After the transition period, or if there is a “no deal”, this means that organisations which are subject to the GDPR will need to either put in place a data export solution under Art 46 GDPR (Standard Contractual Clauses being the most obvious, with Binding Corporate Rules an option for intra-group transfers) or rely on one of the data export derogations in Art 49 GDPR in order to send personal data to the UK - unless the UK is somehow whitelisted as safe to receive EU data.
- Whitelisting the UK as safe to receive EU data? It’s possible that the UK could somehow be whitelisted by the EU as safe to receive EU data exports - avoiding the need to implement data export solutions or rely on derogations. There are effectively two ways this could happen: either (i) by the European Commission deciding that the UK provides an “adequate” level of protection under Art 45 GDPR or (ii) by the European Union reaching a political agreement with the UK that data flows between the EU and UK should remain unimpeded. The UK is hoping to achieve such a political agreement with the EU that extends beyond ‘normal’ adequacy arrangements - sometimes referred to as “adequacy plus”.
- Likelihood of “adequacy”: It seems unlikely that the European Commission will determine the UK is “adequate” to receive EU personal data in the short term. The adequacy process applies only to “third countries” (i.e. non-EU countries) - meaning that the European Commission will not begin the process of determining the UK as adequate until after the UK leaves the EU. Further, adequacy determinations typically take time (see here for an outline of the process) - meaning the UK will almost certainly not be determined “adequate” on the date of Brexit - or in the immediate weeks and months following Brexit.
- Political agreement on data flows: Reaching a political agreement that the UK should be able to enjoy unimpeded data flows with the EU on an "adequacy plus" basis is also a possibility. However, as this is not addressed within the Withdrawal Agreement, it will not happen by the date of Brexit. Any such agreement would therefore need to be reached as part of the agreement on the future relationship between the UK and EU. As noted above, this is the solution preferred by the UK, with the UK government arguing that the UK already has (of course) significant alignment with EU data protection law. However, it is uncertain whether the EU will entertain this proposal (for one thing, a political agreement allowing unimpeded data flows with a third country would seemingly undermine the purpose of GDPR adequacy determinations).
- What about data flows from the UK? So far we’ve mostly talked about data flows from Europe into the UK. The other piece of the puzzle is data exports from the UK to the EU and to non-EU countries. In the short term, the UK government has indicated that data flows from the UK to the EU may continue unimpeded, even in the event of a “no deal” Brexit (see here). However, data flows from the UK to non-EU countries will presumably require some form of data export solution - a UK version of the EU Standard Contractual Clauses, for example - though, at present, there’s no clarity on what such a solution would look like or when it will be proposed. When this clarity emerges, it will likely take the form of a statutory instrument adopted using the government’s Henry VIII powers - a list of current Brexit-related SIs is available here.
- What about the one-stop shop? The UK has (in its Chequers plan) suggested not only that it should be whitelisted for data transfers but also that the ICO should continue to enjoy its close cooperation with the other EU regulators. Again, it is uncertain (and perhaps unlikely) that the EU would entertain this possibility for a “third country” regulator. But it all depends on what deal the UK can reach with the EU about its future relationship.
7. Practically, what should we do?
It’s difficult for any data protection adviser to give definitive advice on what to do about Brexit at present because so much hinges on whether we have a “deal” or a “no deal” Brexit. If we have a “deal” Brexit then, for the most part, the status quo will largely continue until at least 31 December 2020 (i.e. the expiry of the transition period), meaning UK and EU data flows will continue unimpeded during this period. Hopefully, further agreement - or at least further clarity - will then emerge on how to manage data flows after the transition period ends.
If we have a “no deal” Brexit, then the UK will become a third country for data export purposes at 11pm on 29 March 2019, and data flows between the EU, the UK and the rest of the world potentially become considerably more complicated. It’s a little over-simplistic to advise organisations to avoid transfers of data into the UK, because the scale of the UK economy means that it will always be a significant destination for EU data exports, even after Brexit. The most likely outcome is probably that organisations will implement considerable numbers of Standard Contractual Clauses to legitimise transfers of EU data to their UK operations - though the scale and complexity of this exercise shouldn’t be underestimated (anyone who had to implement SCCs after the collapse of Safe Harbor in the US will know exactly what I mean!)
For now, the most important action is to understand the scale of the issue and the parts of the organisation likely to be affected: work out which data flows move to and from the UK (including intra-group flows and flows via vendors and sub-processors), which customer and vendor contracts may need revisiting in light of Brexit (e.g. if you have given commitments to host data “in the EU”), and where data export solutions are likely to be required. Armed with that information, you can then start to plan what contingency actions will need taking in light of the precise “flavour” of Brexit that is ultimately agreed (or not).
Preparation is everything, as they say…