Brexit has potentially significant implications for data protection law, particularly with regard to the UK's status as a 'safe' destination for the transfer of personal data from EU Member States. In addition to data protection, we have also highlighted below some of the key issues relating to the impact of Brexit on IT contracts and e-commerce.
The main issue is that once the UK leaves the EU, it will become a 'third country' for data protection purposes. An adequacy decision by the European Commission, which effectively whitelists the UK for data protection purposes, would then be required in order to enable data controllers to continue to transfer personal data from the EU to the UK without having to put additional measures in place first.
Whether and when such a decision is forthcoming will depend very much on whether the draft Political Declaration and the Withdrawal Agreement are ratified by Parliament. The European Commission has committed in the Declaration to commencing an adequacy assessment as soon as possible, with a view to adopting a decision by 31 December 2020 – the end of the transition period. However, whether adequacy is granted is by no means a foregone conclusion and will depend on an assessment not only of the UK's data protection laws, but also of the wider regime, including access by UK Government agencies to data for investigatory purposes etc.
If the Withdrawal Agreement is not ratified by Parliament, then the situation is even more uncertain, since the European Commission has specifically stated that the adoption of an adequacy decision in this scenario would not form part of its immediate contingency planning. The upshot is that, in the absence of an adequacy decision at the point when the UK exits the EU, businesses will need to find a GDPR-compliant mechanism for transferring personal data about EU citizens out of the EU to the UK, such as the European Commission approved model clauses (assuming they are still considered valid: they are the subject of an ongoing legal challenge in the CJEU, a decision on which is expected in the new year). The main question relates to timing: if the UK exits on 29 March with no deal, then businesses will need to act swiftly to have mechanisms in place by this date; if the Withdrawal Agreement is ratified, then there will be a two-year transition period in which the status quo will be maintained and, it is hoped, an adequacy decision will transpire during that period.
Transferring personal data about UK data subjects to the EU
Brexit won't change the requirement for businesses to comply with GDPR with respect to the processing of personal data about UK data subjects. GDPR will continue to apply after exit, and the Government has recently published draft legislation adapting GDPR to apply to the UK as a non-EU country which, if confirmed, would enable businesses to transfer personal data about UK data subjects to both the EU and those countries in respect of which the European Commission has made adequacy decisions, without further action.
What should businesses do now?
Businesses should assess, in the first instance, their material personal data flows, and in particular, transfers of personal data from the EU/EEA to the UK and beyond. Businesses can then use this information to identify with whom they might need model clauses or another valid mechanism to govern the transfer, so that they are ready to put these in place at short notice if necessary, once there is greater clarity about the prospects of a deal. Although, strictly speaking, the obligation to put a valid transfer mechanism in place is on the data controller transferring the data outside the EU, rather than the recipient located in the third country, it will be in the interests of those UK businesses which do rely on such transfers to facilitate the transfer and ensure it can be done smoothly, in as proactive a way as possible.
This is not the end of the story in terms of the data protection fallout from Brexit; after Brexit, it may be necessary for those UK businesses which process data about EU data subjects to appoint an authorised representative in the EU for data protection purposes. Some UK businesses may wish to consider whether they fulfil the criteria to appoint a lead supervisory authority in another member state as well.
IT contracts and e-commerce
On Brexit, UK businesses would stand to lose some of the potential benefits of the EU's Digital Single Market initiative, which is designed to facilitate the EU-wide provision of e-commerce services. In particular, digital services suppliers will lose the benefit of the 'mini one-stop-shop' for VAT, which is designed to simplify administrative requirements: see Brexit: Tax for further details. As regards the impact of Brexit on IT contracts, see Brexit: Commercial Contracts for a list of issues to consider.
The EU Geo-blocking Regulation, another aspect of the EU's Digital Single Market, which prohibits traders from geo-discriminating or geo-blocking (e.g. discriminating against customers wishing to purchase their goods or services simply on the basis of where they are based in the EU), will also fall away. If the Withdrawal Agreement is approved, then this will not happen until the end of the transition period; but in the event of no deal, the Regulation will fall away from the UK with effect from 29 March. This would mean that UK traders could then prevent EU nationals from accessing their UK websites, and UK nationals from accessing their EU-facing websites. However, businesses which trade in Europe would still need to comply as between customers from different member states within the EU. For further details please see our recent briefing.
For an update on the EU's recent adequacy decisions in respect of the UK, please read our Brexit: UK gets data adequacy decision briefing.