The Current State of Play
The UK is set to leave the EU on 29 March next year. In the current minefield of UK and EU politics, nothing is absolutely certain, but it would take a minor miracle for this date to change. The uncertainty is around the terms on which the UK will leave. The UK could crash out on 29 March with no terms agreed, or there could be what has variously been called a withdrawal agreement or a transitional arrangement in place.
Many of the terms of a withdrawal agreement have already been settled, at least provisionally, and were published some months ago. The full draft agreement was published last week and is set to be adopted during a special European Council meeting on Sunday 25 November. Although, at least according to the British media, the outlook seems to change almost daily, there must be some optimism that the negotiations will be brought to a successful conclusion. What is perhaps less hopeful is the prospect of any deal being endorsed by the respective legislatures, and most especially by the UK Parliament.
Those elements of a withdrawal agreement that have already been settled impact on data protection. Unless there is any backtracking, the UK will continue to be subject to the GDPR and will not be treated as a third country by the EU during a transitional period following 29 March 2019. This transitional period is scheduled to last until the end of 2020, although there has been some suggestion recently that the end date could be extended. Thus, personal data flows from the UK to the EU and vice versa will be unaffected until the end of 2020 at the earliest.
What is less certain is the position of the UK Information Commissioner’s Office (ICO) in any transitional arrangement. Will it still be a member of the European Data Protection Board (EDPB) and, more particularly, will it still be able to take part in the GDPR’s one stop shop and consistency mechanisms? As a general proposition, the UK will cease to participate in the decision-making bodies of the EU after 29 March, so the writing seems to be on the wall so far as the EDPB is concerned. However, it is still possible that some special provision will be made for the ICO, even if this is only so that the ICO can continue to sit as a non-voting member or observer. The rules of procedure of the EDPB allow such an arrangement. We will just have to wait for the final version of any withdrawal agreement to find out for certain.
The UK’s Ambitions
The UK Government has been clear that it wants to maintain a high standard of data protection. UK law will continue to be based on the GDPR after Brexit. Even if there is no withdrawal agreement, the UK Government wants to provide for the continued exchange of personal data between the UK and the EU and for ongoing cooperation between data protection authorities, including a role for the ICO in the one stop shop mechanism. It sees this as taking the form of a data protection agreement between the EU and the UK, described sometimes as “Adequacy Plus”. How realistic this is remains to be seen, but early indications from the EU side have not been particularly encouraging for the UK. At the very least, the UK expects to be subject to a favourable adequacy finding by the European Commission, enabling personal data flows from the EU to the UK to continue unabated. There is, though, a recognition that consideration of the UK’s adequacy status can only start once the UK has actually left the EU.
It is noteworthy that, in a recent update to its guidance on international transfers, the ICO has come up with a distinction that does not appear in the text of the GDPR. The distinction is between what the ICO terms “restricted” international transfers and, by implication, unrestricted transfers. Unrestricted transfers, to which GDPR limitations such as the requirement for standard contractual clauses or binding corporate rules do not apply, are transfers to third countries where the data will continue to be subject to the GDPR after transfer. This is presumably the basis on which the UK Government says confidently in a recent note to businesses that in the event of a no deal scenario, “You would continue to be able to send personal data from the UK to the EU” even if the converse might not necessarily be the case.
The Best and the Worst
The best possible outcome for businesses involved in transfers between the UK and the EU is almost certainly that there is a withdrawal agreement that allows data flows in both directions to continue unimpeded during a transitional period, at least until the end of 2020 if not beyond. During this period the ICO also continues to participate actively in the GDPR’s one stop shop arrangements, even if not as a full member of the EDPB. During the transitional period there is a finding of adequacy for the UK so that there are no obstacles to data flows continuing once the period comes to an end. In this best-case scenario the adequacy finding is supplemented by an agreement enabling the ICO to continue to participate in the one stop shop arrangement.
The worst possible outcome is that the UK crashes out on 29 March with no deal. Although transfers from the UK to the EU would, on the basis of the ICO’s guidance, be unaffected, there would be a scramble to put in place standard contractual clauses or other mechanisms to legitimise transfers from the EU to the UK. The ICO would drop out of the EDPB and, although informal cooperation might well continue, it would not play any further part in the one stop shop. Consideration of an adequacy finding for the UK might start at some point thereafter, but progress would be slow, with the prospect of adequacy remaining in the far distance. The EU contingency plan for a “no-deal Brexit” confirms that in this scenario there is no assumption of adequacy, not even for a transitional period.
What’s Most Likely?
It would take a reckless gambler to put any money on the eventual outcome, given the instability of the UK and EU politics on which it depends. However, as is usually the case, the most probable outcome almost certainly falls somewhere between the best possible (or perhaps this should be the least bad!) and the worst. We can be reasonably hopeful that there will be a withdrawal agreement allowing data flows to continue in the short term after 29 March 2019. For the ICO to retain any formal role in the EDPB and its mechanisms once Brexit has taken place, though, might be seen as a step too far. Adequacy discussions should be able to get under way during the transitional period and these ought to lead, in due course, to an adequacy finding for the UK. However, the discussions would have to proceed at a rapid and unprecedented pace if a formal EU adequacy decision is actually to be in place before we get to the end of the transitional period.
Whatever the outcome, Brexit undoubtedly represents a step backwards for those of us who are committed to the free flow of personal data, based on high data protection standards, and to regulatory convergence. We can only hope that the damage to the system of data protection that so many of us, both in the UK and in the rest of the EU, have worked so long and hard to establish can be kept to a minimum.
How Nymity Helps
Even though Brexit may entail a change in the legal situation, the approach Nymity has designed for privacy and data protection compliance in recent years will also support companies having to deal with Brexit. A privacy program built on top of the Privacy Management Accountability Framework™ can be mapped to multiple laws at once, including the GDPR and the UK Data Protection Act 2018. With the added implementation of standard contractual clauses or other data transfer mechanisms, the privacy office can continue to ensure compliance in the long run. In order to stay up to date on all Brexit-related developments, Nymity Research™ may prove to be a valuable resource for you as well. Find out how Nymity’s tools can help.