GDPR in the Time of Brexit
The year 2016 saw two momentous legislative events that would forever change European politics.
In April, the European Union (EU) adopted the General Data Protection Regulation (GDPR), transforming the data regulation landscape not only in Europe, but across the world.
In June, the United Kingdom (UK) voted, albeit by the thinnest of margins, to leave the EU, triggering a long and tumultuous British exit process now famous worldwide as Brexit.
In 2019, these two juggernauts have come to a head, bringing unprecedented compliance challenges to business owners.
In this article, we take a look at the consequences of Brexit on data protection regulations — particularly the GDPR — in the UK.
GDPR & Brexit — A Quick Review
General Data Protection Regulation
First proposed in 2012, adopted after years of negotiation in April 2016, and finally implemented in May 2018, the GDPR is among the world’s strictest data privacy laws.
The GDPR, with consent and transparency at its heart, hands residents of the EU and the European Economic Area (EEA) an unprecedented number of rights over their personal data, wresting some power back from the hands of corporations.
A notable feature of the GDPR is its extraterritoriality: for the GDPR to apply, a business does not need to be located in the EEA. Serving or simply targeting users in the EEA would bring a company into the scope of the GDPR, irrespective of where that company is located.
Similar to the GDPR, Brexit has a long and storied timeline.
Succumbing to pressure from the public and from within his party, then UK prime minister David Cameron announced that his government would hold a “Remain in the EU vs Leave the EU” referendum by the end of 2017 should his party win the 2015 UK general election.
Cameron’s Conservative Party won the 2015 election, and consequently, the referendum was scheduled for June 23, 2016. On referendum day, the “Brexiters” narrowly edged the “Remainers,” setting off a chain of political and legislative events that would culminate in the UK leaving the EU by October 31, 2019.
The UK and EU are currently hashing out their differences (for example, about immigration and customs) and agreeing on an exit plan (“deal”) — to be finalized by this deadline. If these negotiations fail, the UK — not just the government but also its people and businesses — would have to face the disruptive consequences of a “no-deal” Brexit.
Brexit, with or without a deal, has consequences across almost all industries and sectors in the UK.
Data Protection Laws in Post-Brexit UK
GDPR — The EU and UK versions
The collection and processing of personal data in the EU, and by extension the UK, is currently governed by the GDPR.
To ensure a smooth Brexit, the UK government plans to adopt all existing EU legislation into UK national law by means of the European Union (Withdrawal) Act 2018 (the “repeal act”).
This means that in a post-Brexit UK, the UK Data Protection Act of 2018 — originally passed to implement the GDPR within the UK legislative system — would become the new data protection law.
Therefore, regulations surrounding personal data collection in the UK would effectively remain unchanged.
Given the extraterritoriality of the GDPR, UK businesses that target users in the EEA would need to comply with the GDPR.
So, companies that collect the personal data of both UK and EU users would find themselves within the scope of both the UK Data Protection Act and the GDPR. This could increase compliance challenges; for example, in the case of a data breach, the company would have to work with both UK and EU agencies.
Another prominent piece of data protection and privacy legislation in the EU is the ePrivacy Regulation. This proposed law will work in conjunction with the GDPR and govern communication channels such as the Internet of Things, emails, and text messages.
Because this regulation is unlikely to be passed by EU lawmakers before Brexit, it would not be adopted into UK law as part of the repeal act.
The ePrivacy Regulation is based on the current ePrivacy Directive, which has similar objectives. In EU law, a directive differs from a regulation in that directives indicate only the goal to be achieved, leaving the choice of methods and measures used to achieve the goal with each EU member.
Following Brexit, if the UK copies the directive into national law via the repeal act, UK businesses will need to continue to comply with the directive.
Whether the ePrivacy Regulation will be adopted by the UK at a later date — which would have consequences for companies that handle the data of UK residents — remains to be seen.
Data Protection Authorities in Post-Brexit UK
Information Commissioner’s Office
Within each member state of the EEA, a Data Protection Authority (DPA) is tasked with enforcing the GDPR and investigating GDPR-related complaints. Currently, the Information Commissioner’s Office (ICO) serves as the UK’s DPA.
Typically, a country’s DPA serves as the GDPR supervisory authority for all businesses in its jurisdiction. This benefits businesses tremendously, as a business only needs to deal with a single DPA — its supervisory authority — irrespective of how many EEA member states it operates in or targets users in.
After Brexit, the ICO will continue to serve as the UK’s data privacy regulator, but its scope would be restricted to the UK. The ICO would no longer be able to serve as a GDPR supervisory authority unless such an eventuality is agreed during the Brexit negotiations.
Therefore, UK businesses might find themselves having to deal with multiple DPAs if they target users in more than one EEA country.
After Brexit, companies that are based in the UK and target EEA users but have no physical presence in any EEA state will face the additional responsibility of nominating a local EU representative.
This representative, which should be an individual or an establishment physically located in one of the EEA states that the company targets, will serve as the local point of contact for the public as well as DPAs.
Data Transfer & Adequacy in Post-Brexit UK
The EU has strict guidelines on the transfer of personal data to regions outside of the EU. Currently, data flow is restricted to regions deemed to have “adequate” data protection measures in place.
Because of the high data protection standards established by the GDPR, all EEA members are deemed to have this adequacy status by default.
EEA to UK Data Flow
If the UK’s post-Brexit data adequacy is not pre-approved as part of a deal, then the UK would have to re-apply for adequacy status, a process that could take months or even years.
During the interim period, UK businesses would need to establish other legal means, such as Standard Contractual Clauses (SCCs) and binding corporate rules (BCRs), to receive personal data from the EEA.
UK to EEA/US Data Flow
On the other hand, the UK’s own data protection law has a similar adequacy clause for sending personal data out of the UK. The UK government has announced that it will recognize all members of the EEA as being adequate for data transfer, along with certain other regions (most notably, the United States).
Hence, Brexit would have no effect on UK to EEA and UK to US data flow.
Brexit Preparations for UK Companies
If you own a business located in the UK, you can take the following steps to ensure that Brexit does not negatively affect your operations:
Hire Compliance Experts and EU Representatives
Hire an expert GDPR compliance consultant to guide you through all aspects of GDPR compliance during post-Brexit uncertainty. Although this adds to your business expenses, it is cheaper than potential GDPR fines, which can be as high as 4% of your annual revenue.
In addition, if you have no presence in the EEA but process the personal data of EEA residents, you should hire a competent EU representative.
With unprecedented growth in the number of certified privacy professionals, hiring a qualified privacy consultant is now easier than ever before.
Get Your Paperwork in Order
You would be wise to assume that the UK will leave the EU without a data adequacy agreement in place.
If your operations depend on data transfer out of the EEA and into the UK, you should cover your legal bases by ensuring that your transfers are bound by SCCs and BCRs.
Given the complexity of the Brexit negotiations and the extensive nature of laws such as the GDPR, staying abreast of the latest news can be quite a task. The following useful resources will help you stay up to date:
- The UK Government’s Brexit Guidance for Businesses
- The ICO’s Brexit Guidance for Businesses
- The Privacy Shield Program’s UK FAQs
- The BBC’s Comprehensive Brexit FAQs
Brexit and the GDPR together bring new challenges to business owners in the UK. With Brexit all but inevitable, it is wise to take anticipatory actions to ensure that your business does not run afoul of GDPR laws, which could cost you millions of dollars.
Staying on the right side of the law will be easier if you have the right people, the right paperwork, and the right information.
Felix Sebastian is the managing editor at Termly, where he helps business owners generate privacy policies and other important legal documents, implement best business practices, and comply with transnational privacy laws. He specialises in writing and curating compliance guides and law overviews for small business owners.