Prime Minister Boris Johnson attempted to put his revised Brexit deal to Parliament at the end of October, but MPs postponed a vote on it. Under the terms of the Benn Act, the Government was forced to seek a three-month extension after failing to secure parliamentary approval of the deal – blocking Johnson’s ‘do or die’ October 31st deadline. This paved the way for a general election, with Johnson now aiming to win more seats in the House of Commons in the hope of passing his deal through more effectively. Official campaigning began last week with Brexit firmly at the forefront of party manifestos – they will now battle it out until the UK goes to the polls on December 12th.
With the extension approved, the UK’s departure from the European Union (EU) is now set to fall on January 31st, 2020. Brexit legislation is currently on hold whilst the election takes place, and new proposals for how best to deal with the UK’s exit are being placed on the table. Deal implementation, a second referendum, no-deal Brexit and revoking Brexit altogether are all possible results of the general election, and if recent political history has taught us anything – it is to expect the unexpected.
The UK Data Protection Authority is urging businesses to prepare for a hard Brexit to ensure there is no interruption to data flows from Europe. Giles Derrington, head of policy and trade body at TechUK warned that too many businesses “remain unprepared for the impact a no deal would have on the ability to transfer data”, but with so much uncertainty – how can we best prepare?
Before we get into more detail, please note this blog post has been written for information purposes only, to raise awareness of these issues and prompt more detailed investigation. Its contents should not be relied upon in any specific situation without taking relevant legal and professional advice.
The General Data Protection Regulation (GDPR) was introduced in 2018 to modernise laws and ensure a high standard of data protection and rights to individuals across Europe. GDPR applies to controllers and processors located in the European Economic Area (EEA), with some general exceptions. GDPR sets out the legal requirements that must be met by companies when storing, processing or transferring EU citizens’ personal data.
Despite the UK government attempting to start the process of a formal Brexit agreement, the European Commission has said that it will treat the UK as a “third party”, restricting the free flow of personal data. Should a “Deal” be reached, “Adequacy” rules may be applied as part of the agreement, allowing the UK to continue transferring data, as it will be considered by the EEA under GDPR as having the “appropriate safeguards” in place.
Understandably, the UK wants to continue the unhindered flows of data between the EU and UK as it is key for business supply chains to function and crucial for the economy – reflecting the UK’s and EU’s mutual interdependence regarding data flow.
When the UK exits the EU, the UK government intends to write the GDPR into UK law. The current deal states that the UK would be able to continue to implement the GDPR during a transition period. This would fundamentally mean business as usual for cloud hosting users, businesses and individuals sending and processing data between the UK and EU. An agreed deal means data regulations will essentially remain the same for businesses that need to transfer data to and from the EU, and this would continue after the GDPR is officially written into UK law.
Adequacy Agreement
So, the UK would implement GDPR – but what happens with the EU/UK relationship on data flows in the long term? The best-case scenario post-Brexit would be an adequacy agreement. An adequacy decision permits cross-border data transfers outside the EU or onward transfer from or to a party outside the EU without further authorisation from a national supervisory authority. Simply put, the UK would boast the same levels of protection as it currently has and could enjoy uninterrupted flows of data.
However, obtaining an adequacy agreement is a lengthy process (lasting months or even years), and the EU remains clear that these discussions cannot begin until the UK has officially left. Many have suggested that the UK’s application and implementation of GDPR would go a long way towards persuading the Commission to grant an adequacy agreement and that one will be easily reached. However, there is no guarantee, as the European Court of Justice (ECJ) has the authority to reject any adequacy agreement approved by the Commission. Historically this has been done twice, reflecting that the EU is more than happy to strike down agreements it feels are not in line with its high standards of data protection. As an example, there are concerns that the Commission has issues with the controversial UK Investigatory Powers Act 2016, which has been criticised since its implementation – with bumps as big as this in the road, adequacy could be further out of reach than we are led to believe.
Despite concerns, the UK’s adoption of GDPR does arguably put it in a stronger position to secure an agreement. If the UK can propose that its levels of protection will be essentially equivalent to the EU position on data protection, an adequacy agreement should be met.
Alternative Agreement Options
Alternatively, the UK may fight for a data agreement that will be legally binding. Such a treaty would encompass mutual recognition of EU/UK data protection standards and be a more prevailing position for the UK. Known as a bilateral treaty, it would mean the UK asking for more than any other third-party country, as it currently stands. A bilateral treaty differs from an adequacy agreement in its authority, preventing the Commission or the ECJ from revoking the treaty once ratified, rendering it a more stable arrangement for the UK. This option would arguably be beneficial for the UK and for those who transfer data throughout the EU.
If no agreement is reached, the UK will become a third-party country to the EU and will not have adequacy, at least not straight away. So new restrictions will apply – at least in theory. The current Government has not said or published anything substantive on the topic of data transfers in the event of a no-deal (at least that we could find in our research at the time of writing), even though a sudden shift to third-party country status could immediately cause disruption. Given the UK and EU may never ratify the withdrawal agreement, this outcome would result in revoked rights, and a fresh slate of policies and arrangements would have to be negotiated.
No-deal Adequacy Agreement
If there is no adequacy decision or a no-deal Brexit, EU-UK data flows would still occur; however, they would require individual organisations to set up legal arrangements to facilitate them. The absence of an adequacy decision would result in increased red tape for businesses, whilst also putting firms at risk of large fines from EU regulators. Increased costs and decreased investment stemming from disruption to EU-UK data flows may negatively impact the UK economy; a concern which has received minimal attention in the Brexit debate thus far.
Once the UK is outside of the EU, it will be beyond the scope of the ECJ, and so the future of data regulation will largely fall to the Information Commissioner’s Office (ICO) – they function as the UK regulator responsible for data protection enforcement. As it currently stands, the ICO does not seem certain as to what will happen to enable data stored in Europe to be transferred back into the UK legally and is simply advising organisations to take specific advice about what to do in these cases.
In order to bridge the gap until a formal decision is reached, the only proactive option is for businesses to implement ‘standard contractual clauses’ (SCCs) into their contracts with partners in the EEA. Negotiating contracts with specific data protection clauses that meet GDPR will help maintain contracts and ensure data fluidity between the UK and EU in the aftermath of Brexit. Understandably, organising new contracts with all European customers may seem a daunting task, but acting on uncertainties may be a necessity given the current political situation.
It is unlikely that data regulators will punish businesses if they fail to get their contracts into place straight away, but it is yet another Brexit worry for companies grappling with uncertain economic landscapes. If your hosting provider holds this data in an EU-based centre, there could be disruption in the event of a no-deal. If you’re unsure, contact your hosting provider to find out exactly where your data is stored in order to be best prepared.
Notwithstanding the lack of substantive guidance, the fair warning is in black and white – ‘if you fail to act, your organisation may lose access to personal data it needs to operate’. The UK’s ICO has published guidance for businesses and SMEs to help companies assess whether SCCs are an appropriate data transfer option, among other interactive tools and advice.
Despite the uncertainty that Brexit brings, the UK has long been committed to bolstering data protection laws and harmonising these with the EU. It is evidently in everyone’s interest that the exchange of data between EU member states and the UK continues uninterrupted.
We hope this blog post has been helpful, and we encourage you to regularly check the ICO’s website for the latest updates and advice. As always, if you have any questions, don’t hesitate to get in touch.
Hannah is the Marketing Executive at Secura, helping the team deliver our campaigns and digital marketing with acute accuracy.