What impacts will a no deal Brexit have on data protection?

In a no deal Brexit, what rules will apply to privacy, data protection, direct marketing and electronic communications?

The ICO and the UK government published guidance in December on the data protection implications of a no deal Brexit. The UK government is consequently working its way through data protection, privacy and electronic communications legislation to update it ready for Brexit. We summarise the guidance, what is expected in the coming weeks as the position develops rapidly and what organisations will need to do when it comes to privacy, data protection, direct marketing and electronic communications

The government’s policy statement

The statement builds on the technical note “Data protection if there’s no Brexit deal” issued in September 2018. It clarifies that the EU (Withdrawal) Act 2018 (EUWA) retains the GDPR in UK law and that the government will make appropriate changes to the GDPR and the Data Protection Act 2018 (DPA 18) to ensure they apply appropriately after the UK is no longer in the EU.

The ICO’s guidance

The government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected in a no deal Brexit. This guidance therefore includes an indication of the possible safeguards to be employed, a six steps to take’ guide; broader guidance on the effects of leaving the EU without a withdrawal agreement, and a general overview in the form of an FAQ. The ICO is working on an online automated form of putting in place EU Model Clauses (which will be a commonly used measure to deal with this), though these are not yet available at the time of writing. They can still be put in place in other ways, for example by supplementing existing contracts using Word documents available on the ICO’s website.

Why are amendments to data protection legislation needed?

It’s worth taking stock of where we are at present.

• The GDPR applies directly to the UK before Brexit;
• The DPA 18 supplements GDPR where the UK can apply derogations, as well as extending the application of GDPR to certain areas outside EU law (with amendments).

What happens next then?

The EUWA makes the GDPR continue to apply directly to the UK following Brexit. It also applies any adequacy decisions and the EU standard model clauses directly into UK law. To give effect to this, practical changes are needed to the legislation to amend, for example, wording that refers to the UK as an EU member state and to address powers and tasks that are assigned to the EDPB which will no longer be competent to act in relation to UK data processing following Brexit.

The new (draft) Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 have now been published and amended once already. It is this law which will make the practical changes referred to above.

The intention is to:

• more closely align the data protection standards in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) with the GDPR;
• Preserve EU GDPR standards in domestic law and create a new merged regime of the UK GDPR;
• Transitionally recognise all EEA countries (including EU member states) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue;
• Preserve the effect of existing EU adequacy decisions on a transitional basis;
• Recognise EU standard contractual clauses (SCCs) in UK law and give the ICO the power to issue new clauses;
• Recognise binding corporate rules (BCRs) authorised before Brexit;
• Maintain the extraterritorial scope of the UK data protection framework so as to apply the rules to the remaining EEA states;
• Oblige non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale; and
• Transfer certain powers or tasks to the Secretary of State or the ICO, such as ongoing adequacy decisions.

What are the next steps for UK organisations?

1. GDPR compliance business as usual.
   Organisations should continue to comply, and follow ICO guidance. Data protection officers can continue in the same role for both the UK and the EU. The EU versions of the GDPR may well still apply directly to organisations which operate in Europe, or which offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe. The new versions of the GDPR and DPA 18 implementing the UK GDPR will need to be monitored for variations from the original intention once published, and a pragmatic approach taken to the differences.
2. Data transfers
   Ensure you have identified your relevant flows to and from the EEA. Flows into the UK will need to be protected by GDPR safeguards such as the standard model clauses, so you may need to work with EU organisations to help them decide how best to protect data flows. Flows out of the UK will not be restricted if they meet new UK transfer and document provisions. Documentation and polices should be reviewed for potential deficiencies.
3. Direct marketing and electronic communications
   PECR cover marketing, cookies and electronic communications, and although they derive from EU law, they are set out in UK law and will continue to apply after we exit the EU. Although there are plans in the EU to replace the current e-privacy law with a new e-privacy regulation, this will happen post-Brexit and will not form part of UK law in a no deal Brexit.
4. Network and information systems
   The NIS rules derive from EU law but are set out in UK law. They will continue to apply after Brexit. Organisations that are UK-based digital service providers offering services in the EU may need to appoint a representative in one of the EU member states in which services are offered and comply with the local NIS rules in that member state.
5. Freedom of Information Act
   The Freedom of Information Act 2000 forms part of UK law and will still need to be complied with.
6. Wait and see if there is a deal, and what terms it might be on
   The terms of a deal will determine what happens – the present deal includes permitting EU to UK data transfers on a transitional basis.

However, one thing is paramount, as always – know where your personal data is, who it is shared with, for what purposes, and why – so as well as anything else, you can be ready to deal with a no deal Brexit.