You might think that we know nothing about what the world will look like post-Brexit. Or you may read this post-Brexit, and this will guide you on what to do. Or Brexit might not have happened, and then you’ll know what to prepare for, or what you were able to avoid. In any case – this is an instance where you don’t need to shrug your shoulders and say “We don’t know, do we?”.
So this is what we do know:
You can’t forget GDPR (the General Data Protection Regulation); it is part of UK law (under the Data Protection Act 2018 as well as in its own right). Whether the UK is part of the EU or the EEA (European Economic Area) or not, the protection of personal data is here to stay.
UK as a Third Country
When the UK leaves the European Economic Area we will be considered to be a “Third Country”, outside the remit of the GDPR’s automatic recognition of adequacy as regards data protection laws. Pre-Brexit, we’re automatically OK, as are all EEA (EU plus Iceland, Switzerland, Norway and Liechtenstein) countries.
Post-Brexit, as a Third Country, we have to rely on the European Data Protection Board making a finding of adequacy on the UK’s laws. It might do this, though the EU has always had a grumble about some of the UK’s snooping rights.
Transfers to Third Countries
The GDPR requires anyone who sends EU citizens’ personal data out of the EEA (or permits access) to make sure it is properly protected; post-Brexit, the UK will be outside the EEA. UK companies processing EU citizens’ personal data therefore need a written contract in place and to adhere to one of the approved transfer mechanisms.
The most straightforward of these to use in practice would be the Standard Contractual Clauses (SCCs). These SCCs are standard terms written and approved by the EU which cannot be amended by anyone. They are therefore the easiest way to ensure compliance with the GDPR on paper as a data processor. Getting SCCs signed between UK companies and companies wishing those UK companies to process (however slightly) the data of EEA citizens will therefore be necessary unless they have another mechanism in place.
It isn’t just signing the SCCs, though – the SCCs bind companies to comply with the measures prescribed by their terms. This isn’t just paperwork.
Likelihood of adequacy decision
The ideal scenario is for the EU to recognise the UK data protection framework as being “adequate”, effectively providing the same or better protection than that required elsewhere in the EEA. If this occurs, then you just need to comply with the relevant UK legislation (Data Protection Act 2018) in order for customers in the EEA to send you EU citizens’ personal data.
Considering the UK has strong data protection laws, it is likely the EEA will find in favour of an adequacy decision for the UK, but the EU will NOT consider making any such determination until after the UK has left the EU. Therefore, there will be a gap during which you’ll need to make sure you are using an approved transfer mechanism.
Transfers to the EU for processing
The UK has recognised the EU (and the GDPR) as providing sufficient protection for UK citizens’ personal data, so transfers from the UK to the EU are currently permitted under UK law; transfers the other way around are not currently approved on a general level.
Data Controller Obligations
If you are a Data Controller, then you need to have an establishment in the EU acting as a shopfront in order for EU individuals to interact with you. If you are just acting as a Data Processor in the UK working only on the strict instructions of a Data Controller based in the EU, then you do not strictly need an EU shopfront or presence, as the Data Controller will be primarily responsible for dealing with data subjects exercising their rights and for reporting to the relevant data protection authority. You will though – as mentioned above – need an agreement on Standard Contractual Clauses to process the data.
Who will be checking?
The Information Commissioner’s Office and national data protection offices across the EU have responsibility for enforcement; but it’s more likely to be the companies in the EU and EEA who will be self-policing, because if they get it wrong and get reported, or report themselves to the data protection authorities, then it’s them who might be fined. It’s the gravity of the fines – the higher of €20 million or 4% of global turnover (not national, not profit) – that has exercised minds so strongly in the last year or so.
Data Protection isn’t easy, and data protection outside the EEA is that bit harder.
Paul Berwin is a leading technology and digital law specialist and heads Berwins Digital, the specialist IT and Technology division of Berwins.