What effect, if any, does Brexit have on GDPR

Updated January 21, 2019 to reflect latest rejection of Brexit deal.

Many of you know by now that the EU’s General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used. The goal is to harmonize, modernize and strengthen data privacy and processing policies across Europe. GDPR replaces Directive 95/46/EC (the ‘Data Protection Directive’) which is out of date due to evolving technology standards.

Overall, the EU wants to give people (the data subject) more control over how their personal data is used, bearing in mind that now many companies like Facebook, Google, and many more swap access to the data in exchange for the use of the company’s service, this keeps the service at no cost to consumers and has enabled the development of the robust Internet economy. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy and secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year). GDPR requirements have been enforced since May 25, 2018. It requires organizations to diligently protect personal data, as well as provide proof about how that data is protected. GDPR sets a high standard for consent, which will have a huge impact on the marketing industry. Customers will need to be given choice and control over how their data is handled.

For UK brands, of course it has meant special treatment for the PII of its domestic (resident) citizens, as well as European citizens resident in other countries; because, as we all know, U.K. citizens are also European citizens. However, following the UK’s decision to leave the bloc, the government will be actioning its plans to split from the EU, which is provisionally set at 29 March 2019. Since GDPR is a European Union law, and the UK will no longer be part of that political body (of course, physically, the UK is still part of Europe), this has raised some questions. You might be wondering how Brexit will, if at all, change how data is collected, processed and used. Here’s my take on this issue:

1. What effect, if any, does Brexit have on GDPR? Brexit is still expected to take at least two (2) years to take full effect— meaning there should be a relatively orderly transition creating a cross-over period between the GDPR coming into force and the UK exiting the EU. The UK will need to comply with the Regulation while it is still a part of the EU. Another reason is the extraterritorial reach of the GDPR. UK companies continuing to do business with the EU after Brexit will need to comply with the Regulation to avoid infringements. This is only true if they have a Brexit “deal” that is approved by the UK Parliament – and, of course, Parliament rejected the proposed deal with the EU on January 15th.  If they don’t get a deal, then they leave the EU on 29 March this year with no​ transition at all.  It will be a cliff-hanger, and very damaging to business.  It was previously thought this was only a theoretical possibility – now it looks more likely than ever.

2. After Brexit, can I continue to transfer data from the EU to the UK? Right now, being a part of the EU, the UK is NOT a third party country. However, if Brexit does occur, the UK would be considered a third party country and would have to follow the rules for moving data to a third party country—just as the U.S. does now. (As it stands today, the U.S. is not recognized by the EC.) After Brexit, companies can continue to transfer data to the UK provided that the UK is recognized by the European Commission as a country offering adequate protection.

*There are three possible outcomes in relation to the UK’s application for an adequacy decision:

  • No adequacy: The UK becomes a third party country to which EU member states may not transfer personal data unless there is a legal data transfer solution in place. There is no time to get adequacy in place by 29 March (an adequacy determination typically takes at least a couple of years) – so, if the UK Parliament does not agree to a deal with the EU, then there won’t be time to get an EU adequacy determination before it leaves the EU on 29 March and it will be a third party country from that time forward.
  • Adequacy decision: The UK is recognized as an approved country to which personal data may freely be transferred from EU member states. However, the ICO would not participate in the European Data Protection Board, which could result in an inconsistent approach between the ICO and European regulators. This is more likely to occur if needed.
  • Enhanced adequacy decision: The UK is recognized as an approved country, and the ICO would participate in the European Data Protection Board. Needless to say, this proposal by the UK government has met resistance from the EU. This would mean not only that the UK would be certified as a safe country for data transfer purposes, but also that the UK’s Information Commissioner would participate in the European Data Protection Board, responsible for the application of GDPR. This is unlikely due to political reasons. The EU has not been especially open thus far to the suggestion that the UK should be permitted to enjoy the fruits of membership while no longer being a member.

3. What possible GDPR-related complications could result from Brexit? The most common problem faced by the majority of UK-based organizations is that they already possess personal data from individuals living in the remaining 27 EU member states. If those responsible for data collection at business do not fully understand the new guidelines and utilize this data in an unlawful manner, the consequences may be devastating.

If the UK is denied basic adequacy decision — it’s still not the end of the world.  There have always been various mechanisms by which the data in question can be transferred from EU storage to non-approved third countries, like the U.S. has. For example, there are standard contractual clauses, binding corporate rules and the EU-U.S. Privacy Shield Program. Standard contractual clauses might be the most relevant in this case — they are clauses governing data transfer adopted in advance by the European Commission, and not requiring approval each time they’re used and what is used heavily now for those in the U.S. wishing to transfer and process data from the EU to the United States.

When it comes to data protection legislation, the UK  has been protecting data for decades. All this stretches back to the UK Data Protection Acts of 1998 and 1984. This means that the UK should be able to qualify for an “adequacy decision” from the European Commission. As I said above, such a decision would certify the UK as a third country with an adequate level of data protection in place through its domestic legislation or treaty or other international commitments. Also, the good news is that the preparation UK brands should already have undertaken in preparation for GDPR should be in good standing.

UPDATED: Parliament voted to reject Prime Minister Theresa May’s Brexit deal just 10 weeks before Britain was scheduled to leave the European Union. Brexit deal rejected by a vote of 432 to 202. Now she has to go hat in hand to Brussels to see if she can work some magic there. It’s reportedly the largest defeat for a sitting government in UK political history.

I also wanted to give you a graphical view of what this all could look like as time passes — courtesy of Phil Lee, Partner, Privacy, Security and Information of one of the firms, Fieldfisher, that Return Path uses.

Dennis Dayman
eec Chairman Emeritus
Chief Privacy & Security Officer; Return Path, Inc.