logo text

Tuesday, 26 March 2019

How will a no-deal Brexit affect our data protection laws?

Are you like Times columnist, Hugo Rifkind? Asked to predict what would happen next with Brexit, he responded, "I don't know anything. Nobody knows anything. The government doesn't know what it is doing and the ERG also doesn't know what it is doing. The Labour Party, meanwhile, doesn't know what it is doing. Looking towards the future, then, my thoughts are 'wuh?' and 'huh?' and 'can we talk about something else?'"

It's fair to say that considering the implications of Brexit in the round is quite the brain-scrambler. However, if we focus on specific aspects, we'll get a much clearer picture, so let's examine now the implications of Brexit on data protection law.

The current state of play

As part of the EU, the UK is subject to the General Data Protection Regulation (GDPR). The UK then adopted the Data Protection Act 2018 (DPA 2018), which includes various derogations where the GDPR allows for these, and extends the concepts of the GDPR to other areas such as law enforcement and the intelligence services. Also in the data protection legislation mix are the Privacy and Electronic Communications Regulations (PECR), which give people specific rights in relation to electronic communications, and the Network and Information Systems Regulations 2018 (NIS), which are aimed at improving cybersecurity.

The European Union (Withdrawal) Act 2018 (
EUWA) passed into law in June 2018 and retains the GDPR in UK law. Therefore, when the UK leaves the EU, organisations and data subjects will experience the same fundamental principles, obligations and rights that they've been used to.

Well, that sounds fine. What's all the fuss about?

As always, the devil is in the detail, and the particular devil that is the focus of this blog is international data transfers.

International data transfers

With the UK a member of the EU, personal data can flow freely between organisations in the UK and the European Economic Area (EEA) without requiring any specific additional compliance measures, because a common set of rules – the GDPR applies to all countries in the EEA. That will all change if the UK leaves the EU without a withdrawal agreement that makes specific provisions for the continued flow of personal data to the UK as a non-EEA country during the transition phase.

If we leave without a deal, the UK government has committed to taking steps to facilitate the flow of personal data to EEA states and to Gibraltar, enabling that data to flow freely from the UK to those areas. The UK has also committed to honouring any adequacy decisions that were agreed before the UK's exit date, such as those relating to Japan and the US (although the latter is limited to the
EU–US Privacy Shield).

The EU-US Privacy Shield

The clue's in the name: the Privacy Shield framework only applies between the EU and the US. By leaving the EU, the UK will no longer be covered by it. Therefore, UK companies transferring personal data to the US will need to check whether the US organisation receiving the data has agreed to extend its commitment to the Privacy Shield by accepting data flowing in from the UK. The US Department of Commerce has stated that, in the event of a no-deal Brexit, Privacy Shield participants must update their privacy notices by the exit date to confirm their decision to extend their operation of the Privacy Shield to the UK.

Although the UK has committed to maintaining the same free flow of personal data as it did as part of the EU, no such reciprocal arrangement has been mooted by the EU27. Therefore, GDPR transfer rules will apply to any data coming from the EEA into the UK.

Organisations will therefore need to consider what GDPR safeguards they can establish to ensure that personal data continues to flow into the UK in a compliant manner.


These safeguards sound handy. Tell me more.

When the UK leaves the EU, it will become a non-EEA country, also known as a third country in data protection terms. Under the GDPR, data transfers to third countries are restricted unless certain safeguards are established. There are various potential safeguards/compliance measures that can be put in place, including the following:
  • Standard contractual clauses (SCCs). The UK organisation and the relevant EEA organisation will need to enter into a contract that incorporates SCCs. These clauses place contractual obligations on the data exporter (the controller based in the EEA) and the data importer (the processor or controller outside the EEA), and set out rights for the individuals whose personal data is transferred.

    However, only transfers from controllers are currently covered under the two versions of the EU SCCs. The circumstances for data transfers from an EEA processor to a UK controller may therefore be restricted. Neither
    the Information Commissioner's Office (ICO) nor the European Data Protection Board (EDPB) have clarified how this would be permitted in practice - a very unsatisfactory position indeed!

  • Binding corporate rules (BCRs). This is an intra-group arrangement that a UK organisation can sign up to with the relevant EEA organisation to allow restricted data transfers (e.g. among parts of a multinational group). The arrangement must be submitted to and approved by an EEA supervisory authority in an EEA country where one of the companies is based. This process usually takes a considerable time to implement.

    Under the GDPR, BCRs allow the free flow of data both within and outside the EEA. Those BCRs certified by the
    ICO are recognised by 21 EEA countries under mutual recognition. However, this may not continue after Brexit.

  • Adequacy decisions. At the time of writing this article, the European Commission has not made an adequacy decision about the UK, despite the UK's current implementation of the GDPR. Discussions on an adequacy decision had been expected to occur during the 21-month transition period allowed for in the withdrawal agreement, but a no-deal Brexit means no transition period.

For more information about SCCs and BCRs, including template contracts for SCCs, see the ICO's guidance or contact us at Pritchetts Law LLP for advice and support with putting these in place.


How does the ICO fit into the Brexit picture?

That's a good question. At the moment, organisations that perform cross-border data-processing have to deal with only one EEA supervisory authority. When the UK leaves the EU, the ICO will no longer be recognised as one such authority. This means that UK organisations that are involved in cross-border processing could be subject not just to the ICO, but to one or more EEA lead authorities. These authorities could supervise and possibly fine UK organisations for their activities. Equally, EEA-based organisations may need to deal with the ICO in addition to their local regulator.

My company is based in the EEA and not established in the UK. Will I need to appoint a representative?

Yes. If your company offers goods or services to UK individuals, or monitors their behaviour, it will be subject to the UK version of the GDPR and you will need to appoint a representative in the UK.

Likewise, under the GDPR, UK-based companies that are not established in the EEA, but offer goods or services to EEA individuals, or monitor their behaviour, will need to appoint a representative in the EEA.

Representatives act on behalf of their principals, so if there is non-compliance, they can be fined by the ICO or by data protection authorities in the EEA.


Does Brexit only affect the implementation of the GDPR? What about PECR, etc?

The UK government has confirmed that PECR and NIS will continue to apply in the UK after Brexit, although in relation to the latter, UK-based digital service providers will need to appoint representatives in the EU if they want to maintain access to EU markets.

The draft new EU ePrivacy Regulation, however, will not be implemented in the UK after Brexit. Where it differs from PECR, companies that perform direct marketing to individuals in the UK and the EU27 will need to comply with both the UK and EU regulatory regimes. There are also concerns that if that new EU ePrivacy Regulation is not implemented in the UK, this may affect the EU's decision to award the UK adequacy status as a safe country for data flows (as discussed above).


Help! How can I prepare my business for no-deal?

  • Contact your partners in the EU to discuss how you can work together to ensure that data can continue to flow into the UK.
  • Read the Six Steps to Take and Data protection if there's no Brexit deal guides from the ICO, which help organisations to understand the implications of no-deal and plan ahead.
  • By the day the UK leaves the EU, you'll need to have taken various actions such as:
    • Appointing representatives in the EU or the UK depending on where you're based.
    • Checking your contracts and terms around restrictions on data transfers into or outside the EU/EEA.
    • Updating privacy notices to reflect your data transfers into or outside the EU/EEA.
    If you would like some help with this, or any other assistance with your organisation's Brexit planning, please contact us.