24 Jan 2020
Brexit’s Implications for Data Protection in 8 Questions
The UK is set to leave the EU on 31 January 2020. As the EU and the UK prepare for Brexit, Hong Kong companies with commercial interests in both jurisdictions should too. Brexit continues to raise many legal questions and uncertainties, not least for the protection of personal data which flows between the UK and the rest of Europe. Will organisations in the UK still have to comply with the General Data Protection Regulation (Regulation 2016/679 or “GDPR”)? Can they still transfer personal data to the EU? Will they need to appoint a representative in the EU? And what will happen with the one-stop-shop principle? What needs to be done will depend on how Brexit pans out. However, organisations cannot afford to wait until all the details of Brexit are cast in stone. Instead, they should start preparing now in order to be ready to implement necessary measures as soon as the details of Brexit are sorted out. On the basis of eight frequently asked questions, we provide an overview of issues to consider and steps to take to start preparing now in order to be ready for Brexit.
1. WILL THE GDPR CONTINUE TO APPLY AFTER BREXIT?
For any organisation that is established in the EU27 (i.e., the EU without the UK), the organisation will have to continue to comply with the GDPR for all activities in the context of such establishment.
Even if your sole EU establishment is currently located in the UK, the GDPR could still apply after Brexit. The short-term response depends on whether the UK will leave the EU with or without a deal. The current draft Withdrawal Agreement foresees the application of EU data protection law until 31 December 2020. Moreover, it provides that EU data protection rules will continue to apply to personal data of data subjects outside the UK that were processed under EU rules before the end of the transition period, unless the UK were to receive a so-called “adequacy decision” (see: question 2).
Moreover, the UK Government has expressed its intention to adopt its own version of the GDPR (the so-called UK GDPR). Data protection obligations will therefore remain very similar after Brexit for organisations based in the UK (however, see question 7).
2. WILL I BE ALLOWED TO CONTINUE TRANSFERRING PERSONAL DATA FROM THE EU TO THE UK AND VICE VERSA?
In principle, transfers of personal data between the EU and the UK will no longer be unrestricted once the UK becomes a third country.
A framework of protection needs to be implemented to transfer data from the EU to the UK. The GDPR foresees the possibility for the European Commission to adopt an “adequacy decision”. Such a decision for the UK would mean that the European Commission recognises that UK legislation ensures a high level of data protection that is at least similar to the GDPR. Since the adequacy decision procedure can only be initiated officially once the UK becomes a third country, and since the procedure usually takes quite some time, companies should consider implementing other appropriate safeguards in the meantime.
For most organisations, these appropriate safeguards will take the form of Standard Contractual Clauses (SCC). The SCC are a contractual arrangement that offers adequate safeguards with respect to the protection of personal data when it is transferred to a third country. Alternatively, some organisations may wish to rely on Binding Corporate Rules (BCR) that authorise international transfers within the same group of companies. BCR are binding policies on the protection of personal data that must be approved by the data protection authority of the company’s lead supervisory authority. The approval process usually takes several months, so BCR may not provide a short-term solution if the approval process has not yet been initiated. In addition, if you have BCR in place, these will need to be updated to recognise the UK as a third country. A third alternative provided by the GDPR is to adhere to codes of conduct that are approved by the European Data Protection Board (EDPB) or adhere to other clauses that would be approved. However, such measures are currently not yet available and therefore will not provide a short-term solution on Brexit day.
Only in case of exceptional circumstances and if the transfer is not structural, massive or repeated, can you transfer personal data outside the EU without any of the above-mentioned safeguards. In such specific or exceptional situations, international transfers may be permitted on the basis of a data subject’s informed and explicit consent, if it is necessary to defend a legal claim, or on the basis of other derogations set out in Article 49 of the GDPR.
For data transfers from the UK to the EU, the UK Government has confirmed that, after Brexit, such data transfers will not be restricted. They will be covered by transitional provisions pending a UK adequacy decision. Even if the UK failed to adopt such an adequacy decision recognising the EU, the UK GDPR will most likely require similar safeguards as set out above.
3. WILL I HAVE TO APPOINT A EUROPEAN OR UK REPRESENTATIVE?
If you are based outside the EU (and do not have any offices, branches or other establishments in the EU) the GDPR may nevertheless apply to your organisation if you “target” data subjects in the EU (see: Question 3). In such a case, the GDPR requires that a representative in the EU is designated. The representative – set up in the Member State (or one of the Member States) where the data subjects are located that are monitored, or to whom goods or services are offered – acts on behalf of the controller or processor with regard to their obligations under the GDPR and is the direct point of contact for data subjects and the competent authorities. You must provide the data subjects with the details of the representative, which are usually mentioned in the privacy notice.
EXCEPTION: The requirement to appoint a representative does not apply to (i) public authorities; and (ii) occasional processing activities with a low risk for the protection of rights and freedoms of individuals which do not involve the large-scale use of special category or criminal offence data.
Under the UK GDPR, the UK Government intends to require a controller or processor not established in the UK to appoint a UK representative under the same conditions as described above.
4. I AM BASED IN THE UK BUT HAVE OFFICES, BRANCHES OR OTHER ESTABLISHMENTS IN THE EU: WHO WILL BE MY LEAD SUPERVISORY AUTHORITY?
The GDPR introduced a “one-stop-shop” mechanism, meaning that, in principle, a company only has to deal with a (single) lead supervisory authority if it is carrying out cross-border personal data processing activities. This mechanism thus establishes a single point of contact and precludes your organisation having to deal with questions from various authorities in parallel. The lead supervisory authority acts on behalf of the other EU supervisory authorities and is responsible for regulating your cross-border processing and for enforcing the GDPR (including by issuing fines).
As an organisation, you should therefore consider whether, following Brexit, you can still benefit from a lead supervisory authority in the EU. If the UK’s ICO is currently your lead supervisory authority, you may need to designate a new lead supervisory authority. The lead supervisory authority is the authority of the Member State where the main establishment or single establishment in the EU is located. To benefit from the one-stop-shop it may be required to transfer the decision-making on the protection of personal data to the location of the “main” establishment in the EU.
5. DO I NEED TO APPOINT A NEW DATA PROTECTION OFFICER?
Even if the GDPR does not require the data protection officer (DPO – see box below) to be located within the EU, the Article 29 Working Party recommends this, whether or not the controller or the processor is established in the EU. If you have currently appointed a DPO in the UK for a group of undertakings, the same person can continue to act as DPO after Brexit. However, you should assess whether the DPO is easily accessible from the EU.
Some data controllers and data processors are required by the GDPR to designate a Data Protection Officer (DPO). This obligation applies if (i) you are a public authority or body; (ii) your core activities require large scale, regular and systematic monitoring of individuals; or (iii) your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences. Groups of undertakings can designate one DPO for the entire group provided that the DPO is easily accessible from every establishment and for all the data subjects concerned.
6. WHERE DO I NOTIFY DATA BREACHES AFTER BREXIT?
Under the GDPR, the controller must notify personal data breaches to the supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. After Brexit, some UK organisations may still be subject to the GDPR if they have an establishment in the EU or if they target EU data subjects (see: Question 1). The duty to notify a personal data breach under the GDPR may therefore still apply to you.
It is important to consider which supervisory authority must be notified. This will depend on whether the UK organisation has an establishment in the EU or not. If you have an EU establishment, any local breaches must be notified to the local supervisory authority and breaches of a cross-border processing must only be notified to your lead supervisory authority, i.e. the authority of the Member State where you have your single or main EU establishment. If you do not have an EU establishment, you should notify cross-border breaches to the supervisory authority of the Member State where your EU representative is located (see: Question 3).
Under the UK GDPR, EU companies will have a similar duty, subject to the same conditions, to notify personal data breaches to the UK’s ICO.
7. WILL THE PROTECTION OFFERED BY THE EU AND UK DATA PROTECTION RULES REMAIN THE SAME?
The UK Government intends to write the GDPR into UK law, resulting in a UK GDPR. Therefore, in the short to medium term at least, the regulatory regimes for personal data protection will remain the same or at least very similar. However, the rules may diverge over time, either because the EU or the UK amends its data protection rules, or as a consequence of UK regulators no longer being bound by interpretations of the Court of Justice of the EU (CJEU) or the European Data Protection Board (EDPB). Indeed, escaping the CJEU’s jurisdiction is one of the reasons why the UK wishes to leave the EU. Instead, the UK Supreme Court will be the ultimate interpreter of the UK GDPR and the UK’s ICO will publish its own guidance on the interpretation and application of data protection rules in the UK.
It is therefore possible that, after some time, equivalent rules will be applied differently depending on their interpretation in the EU or UK. Such differences may also be relevant if the UK were to receive an adequacy decision of the European Commission (see: Question 2), as this decision will need to be reviewed on a regular basis. Such review will look at possible divergences between EU and UK data protection rules. If the divergence were to become significant, the adequacy decision could be revoked.
8. SHOULD I START PREPARING NOW?
The above questions show that Brexit is likely to raise some data protection issues. For some of these issues, the exact measures that you must take will need to be determined depending on whether there will be a “deal” or “no deal” Brexit. While supervisory authorities could announce a grace period for implementing the measures that are required after the details of how Brexit will be organised become clear, they are unlikely to be very forgiving towards organisations that failed to take preparatory measures, seeing that Brexit-related topics have dominated news headlines for the past three years. Indeed, the GDPR already requires organisations to be “accountable”, and accountability includes having a clear plan for protecting personal data after Brexit. Below, we provide an outline of what such a plan should cover.
First, start mapping your data flows (if any) between the EU and the UK and have a clear view of contracts relating to such data flows. Mapping data flows may take some time, so it should not be left until the last minute.
Second, set out your strategy for international transfers outside the EU: do you opt for SCC or BCR? In the latter case, you may already have to start implementing the BCRs. A clear strategy will be needed in order to act fast once the details of Brexit are known.
Third, review your current contracts, including data processing agreements, general terms and conditions and other contracts with data protection clauses. The wording of these clauses may need to be updated to reflect the new situation after Brexit. For instance, if your contract asserts that personal data will not be transferred outside the EU, but you store data in the UK, you may need to amend the agreement or change your data storage location. In addition, some organisations may no longer wish to warrant that they will comply with EU law (including GDPR) if this is no longer applicable to them.
Fourth, update your compliance documentation: privacy notices, breach notification procedures, Data Protection Impact Assessments (DPIAs) or other documentation. Policies can already be updated to add a reference to “the EU and the UK” since, in any case, the UK will no longer be part of the EU. In addition, DPIAs may need to be updated to describe international transfers and describe the strategy for dealing with such transfers.
Fifth, as a UK organisation, you should consider whether you should establish a branch office or affiliate in the EU, or transfer decisional powers to such establishment, in order to benefit from the one-stop-shop.
Sixth, make sure your appointed DPO in the UK for a group of undertakings is easily accessible from the EU.
Finally, determine whether an EU or UK representative needs to be appointed. You must provide the data subjects with the identity and contact details of the representative; this is usually done in the privacy notice.
Please note that the validity of the SCC is currently under review by the Court of Justice of the EU. This will need to be taken into account when opting for the appropriate transfer mechanism.