Brexit’s impact on the enforcement of the General Data Protection Regulation (GDPR) has generated more questions than answers for businesses.
However, it is important to highlight the fact that the effect of the UK’s withdrawal from the EU will be influenced heavily on the type of exit agreement, if any, is approved by the British parliament and is acknowledged by the European Union.
While British firms, as well as those that market in the UK, have focused their resources on becoming compliant with GDPR, the improbability regarding the impact of the regulation in the long-term has left the privacy and IT personnel concerned about the possible legal frameworks that may come into effect. This uncertainty is heightened by the fact that nobody knows what the details of the eventual withdrawal deal will be.
This article seeks to outline the possible scenarios businesses will face in relation to GDPR compliance in the post-Brexit UK.
How Will Brexit Impact the UK-EU Relationship?
To comprehend the implementation of an all-encompassing EU-based law such as the GDPR in the post-Brexit UK, it is prudent to examine how the UK and the EU will engage once Britain is no longer a member of the Union.
Firstly, there is a possibility that the UK will be allowed membership to the European Economic Area (EEA) trade bloc, in a relationship similar to the one Norway and Iceland have with the Union. The EEA enforced GDPR in July 2018. Therefore, if the UK is granted EEA membership, the utilization of personal information in Britain will still be overseen in line with GDPR principles.
However, granted that one of the core factors behind the ‘leave’ campaign was autonomy from principals and regulations of both the European Union as well as the EEA, there is a possibility that the UK will not be seeking EEA membership. For this reason, GDPR compliance in these circumstances is uncertain.
Assuming the UK opts to join the less stringent European Free Trade Association (EFTA) instead of the EEA, it means that GDPR will not be directly enforceable in the UK. Switzerland has this kind of engagement with the rest of the EEA. In such a scenario, data privacy laws and compliance obligations after Brexit will become even more unclear.
How will a No-Deal Brexit Impact Data Protection?
In case the UK exits the European Union without a withdrawal deal agreed, the GDPR will cease to be binding on Britain immediately it formally leaves the Union.
While the regulation will not be binding, it is essential for businesses to keep in mind that any British firm that has staff in the EU or will continue to market, or collect personal data from EU residents, will be obliged to remain compliant to GDPR in the handling of the information belonging to those individuals.
The most significant impact of a No-Deal Brexit will be felt in the transfer of EU residents’ data out of the European Union. In the GDPR regime, member state companies are permitted to move personal data between the UK and other EU nations without being asked to oblige to additional legal mechanisms.
Nonetheless, a ‘hard’ Brexit will eliminate this right resulting in a scenario where the UK will be required to adopt and depend on Binding Corporate Clauses (BCRs) to handle any EU citizen’s private information within the UK.
Since most British firms have not instituted these structures, yet, the implication is that data processing activities in the UK will be subject to delays. Additionally, while consent is accepted from EU consumers for specific data transfers, the situation is different when it comes to the transfer of personal information belonging to employees.
For this reason, businesses operating in Britain, as well as the rest of the European Union, need to start identifying strategies through which they can facilitate the transfer of staff data between the EU and the United Kingdom.
However, there is a possibility that the EU may extend an ‘adequacy decision’ to Britain after its exit from the Union. Under such circumstances, personal data can be exchanged freely without calling for other legal mechanisms between the Union and the ‘adequate’ nation, described as ‘Third Countries’ under the GDPR.
A nation is considered ‘adequate’ if the EU has determined that the nation’s information protection regulations for personal data suffice to a degree where they cannot abuse or weaken the lawful protections of this data under GDPR. Currently, the ‘Third Countries’ are Canada, Israel, Switzerland, Japan, and Argentina.
Conspicuously, the US is not included in the list of ‘adequate’ countries. This aspect explains why data transference to the US must adhere to a recognized transfer framework such as Privacy Shield or a Data Processing Agreement (DPA) with EU-ratified terms.
Since the UK’s DPA is almost similar to GDPR, an eventual ‘adequacy decision’ is probable, although it may take longer to attain. Essentially, the recognition of a ‘Third Country’ calls for a proposal from the European Commission, which is then approved by member states through a vote.
How will a Brexit Deal Affect Data Protection?
Although there is a lot of conjecture regarding how the ultimate deal between the UK and the European Union will look like, Britain’s current draft provides some insights on what the nation is aiming for, as well as what may happen concerning data protection.
The proposed withdrawal deal outlines a transition phase that ends on 31st December 2020. During this period, EU laws, GDPR inclusive, will remain in effect. In this context, the EU is willing to subject British data handled within the Union to existing regulations despite the UK’s exit. Specifically, GDPR will apply to personal information processed before or during the transition phase.
Essentially, the UK will be allowed to come up with and examine possible personal data policies and laws, including transfer agreements with the US and Canada in the course of the transition phase. However, these kinds of laws may not be enforceable until the transition period concludes.
Additionally, during the transition phase, the European Union will explore the suitability of the ‘adequacy decision’ for the UK. In case the EU fails to make a favorable determination for the UK regarding this issue, Britain will be at liberty to craft new personal data processing legislation that differs from the GDPR at the end of the transition period.
Finally, it is vital to take into account the fact that there are no guarantees about a deal being struck between the EU and Britain, let alone this draft is approved by the UK legislature. As such, it is still unclear whether these terms will be implemented.
As of now, a mutually binding withdrawal deal between the UK and the EU is yet to be struck. As such, the long-term enforcement of GDPR in Britain remains uncertain. We will continue to follow the proceedings carefully and provide updates on potential consequences for the UK’s data protection obligations.