BREXIT: IMPLICATIONS FOR DATA PROTECTION

Transcription

1 7 BREXIT: IMPLICATIOS FOR DATA PROTECTIO This document is published by Practical Law and can be found at: uk.practicallaw.com/w Get more information on Practical Law and request a free trial at: An overview of the implications of Brexit for data protection regulation in the UK and transfers of person data between the EU and UK based companies. It is based on an Article, Brexit: the implications for data protection first published in PLC Magazine on 1 August 2016 and provides a summary of the ongoing negotiations between the UK and the EU. by Kate Brimsted and Tom Evans, Bryan Cave Leighton Paisner LLP RESOURCE IFORMATIO RESOURCE ID w RESOURCE TYPE Practice note COTETS Scope of this note Application of the GDPR in the UK following Brexit day Possible personal data flows matrix Future relations between the UK and the EU in relation to data protection International data flows Adequacy Decision Adequate safeguards Derogations What if the UK leaves the EU without an Adequacy Decision? Overlapping jurisdiction: parallel legal regimes Lead supervisory authority Enforcement Other EU-derived data laws and Brexit What can companies do now? Drafting for Brexit Comment PUBLISHED DATE 9 October 2018 JURISDICTIO United Kingdom SCOPE OF THIS OTE This note gives an overview of the implications of Brexit for data protection law in the UK. It outlines the key: egotiation positions adopted by the UK and the EU in relation to data protection. Areas of data protection regulation, such as international data transfers, applicable supervisory authorities and enforcement of the General Data Protection Regulation ((EU) 2016/679) (GDPR), that will be affected when the UK s status changes to that of a third country for the purposes of EU law. Data protection aspects of the UK government s no deal technical notice. It also highlights some considerations for companies as part of their contingency planning in case a no deal situation with the EU arises. This note assumes that the UK does not join the European Economic Area (EEA) on leaving the EU (see International data flows). Reproduced from Practical Law Data Protection with the permission of the publishers. For further information visit practicallaw.com or call Copyright 2018 Thomson Reuters (Professional) UK Limited. All Rights Reserved.

2 The following resources may also be useful: Article, Practical Law s Brexit summary: a watching brief: Data protection. Practice note, Cross-border transfers of personal data under the GDPR. Standard clauses, Privacy Shield Policy. Checklist, Privacy Shield Self-Certification. Brexit: the legal implications. APPLICATIO OF THE GDPR I THE UK FOLLOWIG BREXIT DAY On 25 May 2018, the GDPR became applicable in all 28 EU member states, repealing the Data Protection Directive (95/46/EC), and thereby changing the scope of regulation of personal data after more than 20 years (see Legal update, General Data Protection Regulation to apply from May 2018). In the UK, the GDPR was automatically incorporated into domestic law via the European Communities Act 1972 (ECA 1972). From 29 March 2019, at pm, when the UK is expected to leave the EU (Brexit day), the European Union (Withdrawal) Act 2018 will repeal the ECA 1972 and simultaneously transpose the GDPR onto the statute book, making it domestic legislation in the UK (see Legal update, European Union (Withdrawal) Act 2018 (Commencement and Transitional Provisions) Regulations 2018 made). Prime Minister Theresa May has said that repeal of the ECA 1972 will provide the legislature with an opportunity to scrutinise, amend, repeal or improve any aspect of EU law in the future; it is therefore possible that aspects of the GDPR could be amended at that point, or indeed any future point. At the same time, any changes to the GDPR would have to be carefully evaluated in case they were capable of adversely affecting the UK s prospects of securing a formal Adequacy Decision from the European Commission for its domestic data protection law (see International data flows). See further: Practice note, European Union (Withdrawal) Act 2018: legislating for Brexit: Direct EU legislation (section 3). Flowchart, Legislating for Brexit: Direct EU Legislation under the European Union (Withdrawal) Act If a withdrawal agreement is concluded between the UK and the EU, it is likely to include a transition period. The European Commission and the UK government published a Draft Withdrawal Agreement (DWA) on 19 March It provides that a transition or implementation period shall commence on the date of entry into force of the DWA, and shall end on 31 December During that transition period, article 122 of the DWA provides that EU law shall continue to apply to the UK and that any reference to a Member State in EU legislation shall be understood as including the UK. See further Practical Law s Brexit summary: a watching brief: Draft EU withdrawal agreement. The Data Protection Act 2018 (DPA 2018) also largely came into force in the UK on 25 May 2018 (a few provisions came into force on 23 July 2018) (see Legal update, Data Protection Act 2018: first commencement regulations published). It serves several purposes including that it replaces the DPA 1998, supplements the GDPR and exercises some of the derogations in the GDPR which give EU member states discretion to legislate in certain areas (see Practice note, GDPR and DPA 2018: derogations and exemptions). It extensively cross-refers to the GDPR and therefore the two must, be read together (see Practice notes, Data Protection Act 2018: overview and Overview of GDPR: UK perspective). It also aims to reassure the European Commission that on leaving the EU, the UK will provide an adequate data protection regime (section 2, DPA 2018) (see Practice note, Overview of GDPR: UK perspective: Transfers of personal data outside the EEA). 2 Practical Law Reproduced from Practical Law Data Protection with the permission of the publishers. For further information visit practicallaw.com or call Copyright 2018 Thomson Reuters (Professional) UK Limited. All Rights Reserved.

3 POSSIBLE PERSOAL DATA FLOWS MATRIX UK to EU EU to UK UK to White List* UK to rest of the world (not EU) Up to 29 March 2019 Y Y Y After Brexit day (no WA, no transition) Y (UK to keep under review). Y? (o commentary but appears likely.) After Brexit day (WA and during transition period) Y? (Depending on terms.) Y (Assuming that the transition terms permit this). Y? (o commentary but appears likely.) After Brexit day (WA after transition period) Y? (Depending on the final terms of the WA.) Y? (Depending on the final terms of the WA). Y? (o commentary but appears likely.) Key Y = Free flow of personal data. = o free flow, that is, restrictions likely on personal data flows. WA = Withdrawal Agreement. By White List we refer to those countries approved as at Brexit day (see International data flows). It is possible that there could be a divergent system following Brexit, where the EU subsequently recognises further countries as providing adequacy, for example, South Korea. The UK might choose to adopt that finding or not. Personal data flows are rarely a simple, one-way, bilateral movement. For example, a UK company using a cloud service provider hosting the data in Germany: following Brexit, if there is no WA then, even if the UK company could continue to freely send personal data to Germany, local German law would impose restrictions on the company from accessing its own personal data (since that would be deemed a transfer of the data to the UK, a third country ). That is not to say that these personal data flows cannot be accommodated; however, it would impose regulatory friction on the arrangement, adding to costs for both parties. FUTURE RELATIOS BETWEE THE UK AD THE EU I RELATIO TO DATA PROTECTIO There is considerable uncertainty regarding the future relationship between the UK and the EU in relation to data protection, as in many other areas (see Practical Law s Brexit summary: a watching brief: Data protection). Once the UK leaves the EU and any relevant transition or implementation period has expired, the UK will become a third country for the purposes of data protection law. This status has a number of significant practical consequences, in particular for international data transfers, competent supervisory authorities and enforcement of the GDPR, which are considered below (see International data flows, Lead Supervisory Authority and Enforcement). In her Mansion House speech on 2 March 2018, the Prime Minister stated that a deal on data protection is one of the foundations that must underpin the UK-EU trading relationship and that the UK would therefore seek more than an adequacy arrangement with the EU, in the form of a Treaty. The UK s aim was to achieve a relationship that would provide the Information Commissioner s Office (ICO) with an appropriate ongoing role, including in relation to the operation of the one-stop-shop mechanism for resolving data protection disputes under the GDPR (see Practice note, GDPR and DPA 2018: enforcement, sanctions and remedies (UK): Competence and the onestop shop ). The government released a presentation on 23 May 2018, which set out this proposal in greater detail, noting significant risks if personal data flows were to be interrupted, including a reduction in legal certainty and a Reproduced from Practical Law Data Protection with the permission of the publishers. For further information visit practicallaw.com or call Copyright 2018 Thomson Reuters (Professional) UK Limited. All Rights Reserved. Practical Law 3

4 rise in consumer scepticism (see HM Government: Framework for the UK-EU Partnership). In that presentation, EU exports to the UK of data reliant services were reported to be worth approximately EUR36 billion in 2016, covering a diverse range of sectors such as finance, telecoms and entertainment (see Legal update, Framework for UK-EU partnership concerning data protection published). The EU s chief negotiator, Michel Barnier, rejected the UK government s proposals in a speech delivered on 26 May 2018, in which he stated that the EU could not share its decision-making autonomy with a third country, and that the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision (see EC: Speech by Michel Barnier at the 28th Congress of the International Federation for European Law (FIDE) and Legal update, Michael Barnier rejects various proposals in the UK s proposed data protection framework with EU post-brexit). On 6 June 2018, the UK government released a technical note, which envisaged that a bilateral legally binding data protection agreement would be entered into between the UK and the EU, providing improved legal certainty and better co-operation on enforcement and investigations (see HM Government: Benefits of a new data protection agreement). On 13 September 2018, the Department for Digital, Culture, Media and Sport confirmed that on Brexit day, even without a deal, there would be no immediate change in the UK s data protection standards (see DfDCMS: Data protection if there s no Brexit deal (o Deal guidance)). However, there would be a change to the legal framework for transfers from EU organisation to the UK (see Possible personal data flows matrix and International data flows). The o Deal guidance states that the ICO would produce guidance outlining the steps organisations would need to take (see Legal update, o-deal Brexit: data protection technical notice). ITERATIOAL DATA FLOWS The UK s status as a third country will have important consequences for incoming data flows from the EU. Under the GDPR, the transfer of personal data from a controller or processor organisation in an EU member state (practically, the EEA) to a recipient located in a third country (even a member of the same corporate group) may only take place if specified conditions are met (Article 44, GDPR). Adequacy Decision The GDPR provides that the European Commission can examine and then formally recognise a third country s laws as adequate (Article 45(1), GDPR). A formal, positive finding (Adequacy Decision) takes into account the entire range of protection for personal data across the private and public sectors, including arrangements for law enforcement and security services as well as factors such as the rules of law in force in the third country, the professional rules and the security measures being deployed (Article 45(2)). So far there is a somewhat eclectic band of countries which benefit from such a decision, namely: Andorra. Argentina. Canada (commercial organisations). Faroe Islands. Guernsey. Isle of Man. Israel. Jersey. ew Zealand. Switzerland. Uruguay. Privacy Shield participants in the United States. (The so-called White List countries.) 4 Practical Law Reproduced from Practical Law Data Protection with the permission of the publishers. For further information visit practicallaw.com or call Copyright 2018 Thomson Reuters (Professional) UK Limited. All Rights Reserved.

5 Agreement has been reached with Japan but a formal Adequacy Decision has not yet been issued (see Legal update, EU and Japan agree on reciprocal adequacy in relation to data transfers). Adequacy talks are ongoing with South Korea. For further information, see Practice note, Cross border transfers of personal data under the GDPR: Adequate level of protection. In practice, personal data can be transferred to a recipient in a White List country on the same terms as if the recipient were located in the EU. Adequate safeguards If the recipient is not located in a White List country, adequate safeguards (set out in Article 46 of the GDPR) such as standard clauses or binding corporate rules (BCRs) must be provided for the transfer (see Practice note, Crossborder transfers of personal data: Transfers subject to appropriate safeguards). Derogations If the recipient is not located in a White List country and there are no adequate safeguards for the transfer, the final option is for the transfer to fall within one of the narrowly construed derogations set out in Article 49 of the GDPR (see Practice note, Cross-border transfers of personal date: Derogations for specific situations). The UK has indicated its willingness to start talks with the EU with regard to reaching an Adequacy Decision. However, the European Commission has not yet indicated a timetable for this and has stated that the decision on adequacy cannot be taken until the UK is a third country (see o Deal guidance). It has also been noted that the UK s use of mass surveillance techniques may lead to EU member states raising concerns about data protection in the UK, which might jeopardise an Adequacy Decision. The recent ruling of the European Court of Human Rights (ECtHR) which held that aspects of the UK s surveillance regimes under the Regulation of Investigatory Powers Act 2000 (RIPA) did not comply with Articles 8 and 10 of the European Convention on Human Rights, is particularly relevant and is of more than historic interest (Big Brother Watch and others v United Kingdom (Applications nos 58170/13, 62322/14 and 24960/15) [2018] ECHR 722). Even though the ECtHR considered RIPA, rather than the Investigatory Powers Act 2016 (IPA 2016), which has largely replaced RIPA, the judgment may have implications for the IPA 2016 insofar as it replicates those aspects of the surveillance regimes which were not compliant with the ECHR. It has already been suggested that the regime for obtaining related communications data under the IPA 2016 is very similar to that under RIPA. The IPA 2016 has already been challenged and Part 4 must be amended by 1 ovember 2018 to make it compatible with the EU Charter of Fundamental Rights (see Legal update, Aspects of UK surveillance regimes under RIPA 2000 violated Articles 8 and 10 (ECtHR) (full update)). If the European Commission were to adopt an Adequacy Decision in respect of the UK, this would clearly simplify the issue of international transfers post-brexit day. Adequacy Decisions can be challenged before the ECJ, however, and do not therefore provide the same degree of legal certainty in relation to security of personal data flows as ongoing membership of the EU. What if the UK leaves the EU without an Adequacy Decision? The UK leaving the EU without an Adequacy Decision potentially has immediate implications for both UK and EU businesses. The o Deal guidance identifies these as follows: For businesses operating in an EU member state, the UK s status as a third country means that under the GDPR adequate safeguards may need to be implemented for any inbound transfers of personal data from the EU to the UK; it is likely that in many situations this would involve the EU s model contract clauses being entered into (see Practice note, Cross border transfers of personal data under the GDPR: Transfers subject to appropriate safeguards). For businesses operating in the UK, outbound international transfers of personal data will be subject to the GDPR as a UK domestic law. The o Deal guidance states that given the unprecedented degree of Reproduced from Practical Law Data Protection with the permission of the publishers. For further information visit practicallaw.com or call Copyright 2018 Thomson Reuters (Professional) UK Limited. All Rights Reserved. Practical Law 5

6 alignment between the UK and EU s data protection regimes, the UK would at the point of exit [from the EU] continue to allow the free flow of personal data from the UK to the EU. However, it is significant that the guidance states: the UK would keep this under review. This appears a slightly surprising concession bearing in mind the aim previously expressed by the UK government of reaching a bilateral deal with the EU over data flows. This is intended as worse-case scenario guidance and the o Deal guidance specifically states that organisations should consider whether to seek separate professional advice before making specific preparations. It cannot therefore be entirely certain that in a o Deal situation UK businesses will not need to take any measures to enable the outbound flow of personal data to the EU after Brexit day. It is not unprecedented for the legal basis for international personal data flows to a third country to alter overnight. One recent example was the aftermath of the ECJ s Safe Harbor invalidity finding in 2015 (Schrems v Data Protection Commissioner (Case C-362/14) EU:C:2015:650). This brought into sharp focus the political and economic dependency on data flows by immediately closing down a popular legal transatlantic transfer basis for commercial personal data (see Legal update, ECJ rules that the EU-US Safe Harbor arrangement is invalid). The ruling also led to many businesses with international trade links conducting an urgent review of their data flows (for example, with vendors, group companies and customers), to ascertain whether alternative measures needed to be implemented to ensure compliance with the restriction on data exports imposed by the law then in force, the Data Protection Directive. To try to mitigate the issue, the EU and the US agreed a replacement for the Safe Harbor framework: the EU-US Privacy Shield (see Practice note, Cross-border transfers of personal data: Data exports from EU to the US). The European data protection authorities permitted an enforcement grace period of several months to allow organisations to put alternative arrangements in place. OVERLAPPIG JURISDICTIO: PARALLEL LEGAL REGIMES On Brexit day, the GDPR will be transposed onto the UK statute book, creating two distinct (albeit initially identical) legal regimes in the UK and the EU. In addition to the direct application of data protection law, the long arm jurisdiction effect of Article 3(2) of the GDPR would give rise to the following: Organisations based in the EU without an establishment in the UK will be subject to the UK regime if their personal data processing operations involve the offering of goods or services or monitoring of the behaviour of individuals in the UK. Organisations based in the UK without an establishment in the EU will be subject to the EU regime where their personal data processing operations involve the offering of goods or services or monitoring of the behaviour of individuals in the EU. From the point at which any transition or implementation period expires, assuming nothing beyond an Adequacy Decision is in place between the EU and the UK, there are other significant consequences of the UK and EU regimes being separate. Lead supervisory authority The UK s ICO will cease to be a supervisory authority for the purposes of the GDPR. Organisations that previously considered the ICO to be their lead supervisory authority under the GDPR would need to consider which remaining EU member state s supervisory authority is likely to be considered their lead supervisory authority, applying the criteria set out at Article 56 of the GDPR. Organisations would need to engage with that authority in relation to: Data breach notifications (see Practice note, Overview of GDPR: UK perspective: data security and personal data breaches). The appointment of a Data Protection Officer (see Practice note, Overview of GDPR: UK perspective: appointment of a data protection officer). 6 Practical Law Reproduced from Practical Law Data Protection with the permission of the publishers. For further information visit practicallaw.com or call Copyright 2018 Thomson Reuters (Professional) UK Limited. All Rights Reserved.

7 Prior consultations in relation to high risk processing activities. The Article 29 Working Party (WP29) (now the European Data Protection Board (EDPB)) has published guidelines for identifying a controller or a processor s lead supervisory authority (see Legal update, Article 29 Working Party publishes GDPR guidelines on DPIAs for consultation and adopts final guidelines on DPOs, data portability and lead supervisory authority). Enforcement The UK government s technical note of 7 June 2018, notes that companies would face investigation by the EU and UK regulator as well as two sets of large fines up to EUR 20 million or 4% of global turnover for the same breach (see HM Government: Benefits of a new data protection agreement). The UK government has continued to display a pragmatic attitude to this eventuality, stating in the o Deal guidance that the ICO would continue to push for close cooperation and joined up enforcement action between the [ICO] and EU data protection authorities. Other EU-derived data laws and Brexit In addition to the GDPR, there are two other key EU instruments in this area: The E-Privacy Directive (2002/58/EC) is currently being revised. The EU institutions are negotiating its proposed replacement, the draft E-Privacy Regulation (COM(2017) 10 final) (epr). Progress has been slower than anticipated (originally it was intended to coincide with the coming into force of the GDPR on 25 May 2018). The reforms are set to impact on electronic direct marketing, online tracking and cookies. Current indications are that the text is unlikely to be finalised before Brexit day. If that is the case, it is unclear, subject to conclusion of the DWA, and depending on the date on which the text is finalised, whether the epr would apply directly in the UK. If it did not, the UK government would need to take specific action to adopt it. Based on initial drafts of the epr that have been made publicly available, however, it is possible that companies in the UK could be caught by the expanded territorial scope of the regime, and would therefore need to comply with the epr anyway. Where personal data is processed, the GDPR would apply in any event. To follow the progress of the draft epr see E-Privacy Regulation: tracker. In the UK, the etwork and Information Systems Regulations 2018 (SI 2018/506) implemented the etwork and Information Security Directive ((EU) 2016/1148) on 10 May This legislation imposes obligations on operators of essential services and relevant digital service providers to report relevant network and information systems security incidents to GCHQ; GCHQ then liaises with the relevant authorities in the EU (see Practice note, Cybersecurity Directive: UK implementation). WHAT CA COMPAIES DO OW? Many companies will have conducted data mapping exercises in readiness for the GDPR coming into force, with international data transfers a likely area of focus. Consistent with the government s o Deal guidance, companies should identify existing relationships, including those with suppliers and group companies, that rely on the international transfer of personal data. For those organisations which have secured or were in the course of applying for BCRs with the ICO as lead authority, the ICO has announced that the BCR authorisations it has made will not be cancelled as a result of Brexit and that the ICO will continue to work together with other European data protection authorities for international transfers to be achieved and to ensure that the ICO s leading expertise in BCR is continually available to the international controller and processor community. Greater clarity over adjustments which may need to be made by organisations will be welcomed (see Legal update, ICO blogs on changes to binding corporate rules applications). Companies with operations that concern both the UK and the EU should consider whether their existing policies and procedures accommodate and envisage co-operation with and notifications being made to more than one Reproduced from Practical Law Data Protection with the permission of the publishers. For further information visit practicallaw.com or call Copyright 2018 Thomson Reuters (Professional) UK Limited. All Rights Reserved. Practical Law 7

8 supervisory authority. Particularly in the case of personal data breaches, which companies are obliged to notify to supervisory authorities within 72 hours (Article 33, GDPR), it will be important to ensure that companies are not caught out due to a lack of legal certainty. DRAFTIG FOR BREXIT For information on how to prepare for Brexit in contractual arrangements, see Practice note, Draft for Brexit: Brexit clauses. COMMET Even without Brexit, the period we are living in has seen significant upheaval for data protection regulation. Add the uncertainties and unprecedented complexities of the Brexit negotiations, and a difficult situation looks positively daunting. However, history tends to show that capitalist societies are not in the habit of allowing regulation to overwhelm trade or wealth creation (even if the path followed is not always an entirely smooth one). 8 Practical Law Reproduced from Practical Law Data Protection with the permission of the publishers. For further information visit practicallaw.com or call Copyright 2018 Thomson Reuters (Professional) UK Limited. All Rights Reserved.