Brexit and GDPR

Brexit update: political uncertainty demands proactive steps to protect against no-deal consequences

Last week, the UK government’s defeat in the House of Commons marked the passage to a new phase of Brexit, the process that will take the United Kingdom out of the European Union.

The UK Parliament rejected the draft EU-UK withdrawal agreement, which the government had negotiated with the European Commission and which would have set clear rules on the application of legislation in various sectors, including data protection. With the draft deal now off the table, the government is trying to plan the way ahead, and we can envisage four possible scenarios as potential outcomes of this process.

Scenario 1 – No Brexit at all

One of the possibilities in this shaky political context is that the government decides to unilaterally withdraw its ‘Article 50 notification’, in essence renouncing Brexit and keeping the UK in the EU.

From a strictly data protection perspective, this would be a positive outcome, because the General Data Protection Regulation and the rest of the EU-derived data protection legislation would remain in full force, without frustrating the efforts made by organisations to comply with the new, stricter requirements.

However, from a political point of view, this option seems less viable, as it would overturn the Brexit referendum outcome and is most probably seen as a tool of last resort.

Scenario 2 – The so-called ‘extension of Article 50’

Another possibility is the extension of the negotiation period, to enable the government to kick off new negotiations with the Union and agree on a draft withdrawal agreement that can win the majority of votes in Parliament.

From a data protection perspective, this would be a breath of fresh air, as it would ensure the ongoing application of the current data protection regime and enable (a) organisations to continue monitoring the situation and (b) the European Commission to issue a refreshed version of the Standard Contractual Clauses, to ensure their compliance with the GDPR and their potential deployment after Brexit.

Scenario 3 – A new draft agreement

A further scenario is that the UK government manages to agree a renewed deal with the EU and get it approved in Parliament before 29 March 2019. In this case, it is likely that a phase-out period of two years will be agreed upon to enable the government and organisations to get ready for the actual exit from the Union.

From a data protection perspective, such a possibility would represent a relatively stable outcome for two reasons. First, the two-year transition period would give the data protection offices in big and small organisations adequate time to plan and execute Brexit plans and ensure a smooth transition to the new regime; it would also enable the government to draft and approve a new data protection law to replace the then-inapplicable GDPR and obtain a so-called ‘adequacy decision’ from the European Commission, securing the ongoing possibility for organisations to operate data transfers with Europe without additional safeguards. Second, data protection has not been a point of particular controversy during the EU-UK negotiations; therefore, it can be assumed that a renewed draft agreement would contain rules that do not diverge from the ones included in the rejected draft.

Scenario 4 – No deal exit

The fourth and most critical scenario is that of a no-deal Brexit, i.e., an exit from the Union on 29 March 2019 without any of the above scenarios having materialised. In this event, EU law would cease to apply on Brexit day, leaving the UK legal system regulated by obsolete pieces of legislation and marred by legislative voids.

From a data protection perspective, this scenario may prove critical to those organisations that exchange data with Europe on a regular basis, because the GDPR (applicable only in Europe following a ‘hard Brexit’) prevents data transfers to third countries that have not received an adequacy decision from the European Commission, and the UK would be such a country after Brexit.

Politically and economically, a hard Brexit would take a toll on the UK; however, we are confident that the government and Parliament will make an effort to prevent this scenario from materialising.

How to prepare

Preparing for Brexit at this very moment means preparing for the possibility of a no-deal Brexit. As can be inferred from the above, scenarios 1, 2, and 3 do not pose immediate threats to data processing and data transfers: scenario 1 does not lead to any change in the data protection regime, and both 2 and 3 would provide adequate time for organisations to prepare. By contrast, a no-deal Brexit would create an immediate problem, and it is worth preparing for it.

Currently, most supervisory authorities across Europe suggest that organisations prepare for a no-deal exit by amending the existing data processing agreement (which should be in place when personal data is processed by organisations other than the data controller) to include the 2010 Standard Contractual Clauses (ideally as an annex and/or by referring to them). While these clauses have not been recast after the entry into force of the GDPR, they may serve as a buffer to limit the adverse effects of a no-deal exit and ensure the ongoing lawfulness of cross-border data processing with EU countries until the UK and the EU agree on the terms of an ongoing data transfer regime.

Depending on the size and complexity of your organisation, strategic considerations can be made as to whether it is appropriate to immediately initiate the renegotiation of data processing agreements or to wait for further signs of a no-deal outcome. However, it is advisable to invest some time preparing a model draft amendment to be ready when needed.

For more information, visit the Trilateral Data Protection Officer page and contact our team:

Filippo Marchetti, Data Protection Specialist at Trilateral Research

 