Read the blog
GDPR and Brexit: the draft withdrawal agreement and data transfers from the EU
Andrew Solomon
At the time of writing, it is possible that the UK could exit the EU on 31 October 2019 (“exit date”) without a deal which means immediately leaving EU institutions such as the European Court of Justice without an agreement over what happens next.
Whilst a smooth transition of data privacy laws is essential for minimising disruption to the free movement of personal data which forms the lifeblood of the digital economy, this measure is not in itself conclusive. This blog forms part of our data protection series and summarises the government’s proposed data protection regime in the event of a no-deal Brexit and looks at the preparatory steps you can consider to help avoid interruption to your business.
The “UK GDPR”
The GDPR is the EU’s data privacy regulation which applies as law in the UK and all EEA countries (i.e. the EU plus Iceland, Norway and Liechtenstein). When the UK leaves the EU, the government intends to create the “UK GDPR” by amending the EU GDPR as illustrated in the ‘Keeling Schedule’ for the GDPR. This means that the fundamental rights of individuals and governing principles (such as fairness, transparency and accountability) will stay the same but the territorial scope will be limited to the UK only.
International data transfers
As discussed in our previous blog (GDPR for the UK: Brexit and international transfers of personal data), in the absence of an adequacy decision in favour of the UK (which, according to the government’s recently published Operation Yellowhammer papers, could take years to achieve), as a UK business you will need an alternative legal basis for processing personal data where you (i) send personal data outside the UK (this will be a “restricted transfer” under the UK GDPR); or (ii) receive personal data from the EEA; or (iii) receive personal data from countries which are covered by an adequacy decision.
The Information Commissioner’s Office (the “ICO”) is the independent public authority that is responsible for monitoring the application of the EU GDPR in the UK. (After Brexit, the ICO will continue to be the UK’s supervisory body in relation to the application of domestic data protection law). According to the ICO, the government intends to recognise the EU adequacy decisions that have already been made which will allow most restricted transfers to organisations in those countries to continue (this includes the recently implemented adequacy decision for Japan). Furthermore, UK businesses will still be able to transfer personal data to US organisations that are certified on the EU-US Privacy Shield as long as those organisations expressly state that their commitment to compliance with the Privacy Shield apples to personal data from the UK. You will need to check this commitment has been updated in each case.
If no adequacy decision applies to your restricted transfer, you should consider what documentation is needed to keep data flowing (and where the data is going), in many cases this will mean entering into standard contractual clauses which the sender and receiver both sign up to as this is a fairly straightforward means of providing an appropriate safeguard for a restricted transfer. Alternatively binding corporate rules (“BCRs”) can be used for transfers from an entity in the UK to overseas branches within the same corporate group. The ICO has stated that the government will recognise BCRs created pursuant to the EU process before the exit date as ensuring appropriate safeguards for the protection of personal data. On exit date the UK will become a third country so your BCRs should be updated to reflect this change. Local laws will apply in respect of data transfers from countries outside the EEA which do not have an EU adequacy decision for transfers to the UK. In these situations you may wish to seek guidance from lawyers of the relevant jurisdiction as necessary.
EU Representatives
If you target customers in the EEA and your business is based in the UK only without any branches or offices in other EEA countries, then as a non-EEA based controller or processor after exit date, you will need to appoint a representative within an EEA country where the data processing takes place. The representative (which can be an individual or an organisation) must be established in the EEA and must be able to represent your business in respect of all matters of compliance with the EU GDPR including liaising with supervisory authorities and data subjects. The representative must be appointed in writing and this is likely to be most effectively achieved through the use of a services agreement. You should make details of the representative easily accessible to customers and supervisory authorities by including them in your privacy notice and publishing them on your website. A representative does need to be appointed if your processing is only occasional and low risk i.e. it does not involve the collection of sensitive data (such as health information and criminal records) on a large scale.
A “one-stop-shop” for cross-border processing
The ICO is preparing guidance for cross-border processing and lead supervisory authorities. The aim is to create a “one-stop-shop” system whereby controllers and processors which carry out processing that impacts individuals in more than one EEA country only need to liaise with a single lead supervisory authority in the EEA. Such authority will act on behalf of all other interested EEA data protection regulators and will be responsible for investigating breach incidents and taking enforcement action such as by issuing fines. Further comment on the proposed arrangements may be provided once guidance has been issued by the ICO and the European Data Protection Board.
Business as usual after Brexit
Whilst Brexit remains in a state of flux, as a UK business with international operations and overseas customers, it is important to evaluate the potential impacts of legal changes and consider your data flows and the subsequent steps you could take to help maintain business as usual after Brexit.
Should you have any Brexit, GDPR or data protection queries, please contact Kingsley Napley’s Brexit or Data Protection teams.
Latest blogs and news
Extradition post-Brexit: plus ça change, plus c’est la même chose?
Rebecca Niblock and Edward Grange examine the key changes & similarities to extradition law following Brexit. The introduction of new surrender arrangements under the EU-UK Trade and Cooperation Agreement. Changes effected under the Extradition (Provisional Arrest) Act 2020.
The Tail Wagging the Dog - Hourly Rates Review 2021
The Master of the Rolls, Sir Geoffrey Vos, has approved the new guideline hourly rates (GHR) proposed by the CJC and the Stewart committee which will come into effect on 1st October 2021.
These new rates are a result of the final report of the Civil Justice Council released at the end of July 2021 and the forerunning consultation that took place between 8 January and 31 March 2021.
EU Member States’ reluctance to extradite their own nationals to the UK
Perhaps the first practical negative consequence for the UK to emerge “Beyond Brexit” from an extradition perspective relates to Article 83 of the TCA which allows EU Member States to refuse to extradite their own nationals to the UK. Germany, Austria and Slovenia had already exercised the Nationality bar during the transition period, which ended on 31 December 2020.
Extradition post-Brexit: the TCA at a glance
The potential fallout from Brexit for extradition and cross-border criminal justice security had been forewarned even before the first vote was cast in the Referendum. The risks to the UK of losing access to SIS II and complicating a relatively simple (albeit not perfect) EAW process were highlighted by many practitioners, law enforcement agencies and politicians.
The UK assumes responsibility for its sanctions policy
Deal or no deal, when the UK’s transition agreement expires at 11pm on 31 December 2020 the country will no longer participate in EU sanctions arrangements or otherwise give effect to EU sanctions regimes. Instead, it will operate a two tier system, devising its own sanctions policies and measures which will be supplemented by sanctions measures imposed as a result of United Nations Security Council Resolutions.
Would the Constitution survive a No-Deal Brexit? The Internal Market Bill and its legal controversies
The Internal Market Bill (the “Bill”) has caused a dramatic fallout at home and abroad. It has faced massive defeats in the House of Lords over the month on November. It was the reported reason behind the UK’s most senior legal civil servant announcing his departure from the Government Legal Service.
Brexit and ‘Physical Presence’ Requirements for Irish professionals resident in the UK
As the end of the Brexit transition period draws near, complexities associated with navigating cross-border regulatory regimes have been increasingly brought to the fore. The Law Society of Ireland’s announcement last week, confirming a ‘physical presence’ requirement for solicitors intending to practise in Ireland, has highlighted wider post-Brexit issues surrounding residency requirements and recognition of qualifications for regulated professionals on the British/Irish border.
Claiming for maintenance in England when divorcing elsewhere in the EU: Will Brexit close the Villiers loophole?
The Supreme Court recently made clear in Villiers v Villiers [2020] UKSC 30 that divorcing in one EU country does not prevent a party from making a separate claim for maintenance from their spouse in England and Wales. The case therefore demonstrates the possibility of ‘forum shopping’, where a party seeks to bring a financial claim in a jurisdiction (country) that is more convenient or provides a more generous maintenance provision than the jurisdiction in which the divorce is taking place. However, the loophole relies on an application of the EU Maintenance Regulation which will cease to be in force in the UK on 31 December 2020. This blog considers the case of Villiers and how Brexit will affect the current position.
What does the new government mean for public lawyers?
Friday 13 December 2019 will be remembered as the day the Conservatives won their biggest majority since the 1980s and finally obtained the dominance required to complete the Article 50 process and take the UK out of the EU.
Brexit and family law – what will happen to divorce, financial proceedings, prenups and cases involving children?
At the time of writing, the UK is on the cusp of a General Election where Brexit is high on the agenda. In this blog, Stacey Nevin considers a number of scenarios and the changes that people who have connections with England and another EU member state might encounter for divorces, financial proceedings and matters concerning children in the event of a no deal Brexit.
Data protection for your business after a no-deal Brexit
At the time of writing, it is possible that the UK could exit the EU on 31 October 2019 (“exit date”) without a deal which means immediately leaving EU institutions such as the European Court of Justice without an agreement over what happens next.
Enemies of the constitution? The words of those attacking independent judges are corrosive and wrong
Everyone has an opinion on yesterday’s decision of the UK Supreme Court. Boris Johnson said on television that he profoundly disagreed with it. Jacob Rees-Mogg reportedly called it a ‘constitutional coup’ on a cabinet conference call. Former Lord Chancellor Michael Gove was distinctly equivocal about it when interviewed on the Today programme. Laura Kuenssberg reported on Twitter that a No 10 source said ‘the Supreme Court is wrong and has made a serious mistake in extending its reach into these political matters’. The fact these people all claim they will still ‘respect’ the decision does not detract from the corrosiveness of their sentiments.
Since prorogation ‘never happened’ what happens next?
The prorogation judicial reviews concerned the constitutional equilibrium between government, parliament and the courts. Today, an 11 member UK Supreme Court panel affirmed its centuries-old supervisory jurisdiction over acts of government and ruled unanimously that Boris Johnson’s government failed to advance any reasonable justification for proroguing parliament. The prorogation was therefore unlawful and ‘never happened’ so parliament is back in the game.
Cross-border criminal justice post-Brexit – Operation Yellowhammer
Tucked in between the “reasonable worst-case” scenarios for food, trade and fuel is a stark one liner: “Law enforcement and information sharing between U.K. and EU will be disrupted”. The reduction in capability of law enforcement agencies that will come from a no deal will, according to government documents, be accompanied by an increase in cross-border crime.
When politics and law collide: The prorogation judicial reviews
Scotland’s highest court and a senior divisional court of the High Court in England and Wales have reached opposite conclusions about whether the recent decision to prorogue parliament was lawful.
Handle with care: why it’s time to treat EU nationals responsibly
Katie Newbury discusses the implications of a no-deal Brexit on free movement and the impact on Europeans living in the UK.
The suspension of parliament increases legal scrutiny of Brexit – and possibly a public inquiry?
The suspension of parliament yesterday, at time of political crisis, is now the subject of intense legal scrutiny across the United Kingdom. Lawyers for Gina Miller have lodged an application for judicial review, and are expected to argue that Boris Johnson’s advice to the Queen is an improper use of power, designed to curtail the legislature, resulting in infringement of the constitutional bedrock of parliamentary sovereignty.
Glitches in the EU Settlement Scheme
The full launch of the EU Settlement Scheme on 30 March 2019 was a welcome development for many EEA nationals. However, whilst the EU Settlement Scheme has been generally well-received, glitches in the system are materialising.
UK farmers demand more workers for the summer season
As we head into the summer months, spare a thought for overworked UK farmers who at the peak of the harvesting season are struggling to recruit the workers they need. The National Farmers’ Union has long been lobbying hard for added flexibility in recruitment of non-EEA nationals given the growth in the sector.
GDPR Compliance for US Companies
Focussing upon US companies considering their privacy policies and procedures in Silicon Valley and beyond, in this blog we consider the geographic scope of GDPR and the core business functions it impacts upon.
Share insightLinkedIn Twitter Facebook Email to a friend Print