Brexit: Data protection and cybersecurity law implications

By James Mullock, Simon Shooter, Philippe Bradley-Schmieg

01-2020

The UK government's “Article 50 notice”, under the Treaty on European Union, resulted in Brexit taking effect on 31st January 2020. The UK is now subject to transition arrangements under a Withdrawal Agreement.

Yet even after 31st January, organisations are still likely to face a data protection and cybersecurity law landscape heavily influenced by EU laws, at least for the foreseeable future. This article explains why that is the case, under the various outcomes that may lie ahead.

During the Brexit transition period

The Withdrawal Agreement, once approved, will govern the legal relationship between the UK and EU for the duration of a “transition” (or “implementation”) period. This is tabled to expire on 31 December 2020 but with the possibility of an extension of one to two years, although at the time of writing, Boris Johnson’s government was seeking to legally curtail its own ability to request that extension.

So far as businesses are concerned, the key point is this: if the Withdrawal Agreement is approved, the GDPR will continue to apply in the UK throughout the transition period. The rules businesses have been familiarising themselves with since at least May 2018 are therefore likely to be in place for the rest of 2020, and possibly longer.

The most immediate change during the transition period relates to the role of the UK’s data regulator, the Information Commissioner’s Office (ICO). On 31 January 2020, the ICO will cease to be a formal, vote-carrying member of the European Data Protection Board (“EDPB”). The EDPB issues EU-wide GDPR guidance and decisions, and can resolve regulatory matters that involve multiple countries. The ICO will be relegated to mere “observer” status for EDPB proceedings; and even then, by invitation only, rather than at all meetings and decisions.

As a result, the ICO’s voice will no longer be heard, without invitation, at the EU's top regulatory table. The ICO would not be able to cast a vote during EDPB decision-making processes, so there may even be cases where UK organisations are subject to EDPB decisions, without the ICO being able to vote on them.

That said, the ICO can still lead investigations, and even propose the draft decisions or guidance on which the EDPB then votes. And because the EDPB would only rarely be so divided that a single vote makes a difference, the UK's loss of voting rights during the transition period might have limited impact in practice.

Post-transition

Whatever the outcome of future relationship negotiations – even a no-deal outcome – many UK businesses will still need to comply with EU data protection rules

In respect of EU personal data collected before the end of the transition period, the Withdrawal Agreement requires the UK to continue to apply the EU’s GDPR rules even after the end of the transition period – although perhaps a different arrangement will be agreed as part of future relationship negotiations.

In any case, UK businesses active in the EU – even if just offering services to people there, from the UK – will probably still have to comply with the EU GDPR. That's because the EU GDPR doesn’t just apply to businesses that have headquarters, subsidiaries or branches in the EU (no matter where in the world they actually handle the personal data); it also applies to organisations located exclusively outside the EU, if they offer goods or services to individuals in the EU, or "monitor" those individuals (which may cover online behavioural marketing, for instance).

The EU's future replacement to the current e-Privacy Directive (to create a new "e-Privacy Regulation") is likely to have a similarly broad extraterritorial scope. This will mean many UK businesses having to conform to the EU’s special rules on issues like cookies, app data, direct marketing, and the collection and use of communications data.

So even in a no-deal scenario, organisations in the UK that collect data from the EU will still have to apply the EU’s GDPR (and likely, e-Privacy) rules. But the UK may have more flexibility to determine its local data protection rules. This will be most of interest to organisations (or their subsidiaries) that can focus their activities solely on the UK or other non-EU markets.

Fundamentally, UK data protection law is likely to keep the same, “European-style” principles it has had for decades

As just noted, Brexit offers the UK some scope to determine what its local data protection rules should look like, after the end of the transition period (subject to (i) the need to continue to apply the GDPR to EU data collected prior to the end of the transition period; and (ii) any “future relationship” arrangements that are still to be negotiated).

But at least in broad strokes, the UK is likely to retain data protection rules that are quite similar to those it already has, courtesy of the EU.

This is partly because of the UK’s wider obligations under international law. Like many countries all around the world, the UK is a party to “Convention 108” – an international treaty brokered by the Council of Europe. Despite its name, the Council of Europe is an entirely different international organisation from the EU. Therefore leaving the EU would not affect the UK's obligations under Convention 108, which echo (albeit with more flexibility) the core principles found in the GDPR.

So to move away from European-style data protection rules entirely, the UK would also need to revoke its status as a party to Convention 108. So far, there’s been very little suggestion of it wanting to do so. European-style data protection laws seem likely to be here to stay, at least for the foreseeable future.

The key question, then, is just how closely the UK will continue to match the EU’s own implementation of those rules – in particular, to ensure the continued free flow of personal data between the UK and the EU

Several sectors of the UK economy, such as financial services, telecoms, banking, travel, tourism and ecommerce, rely on personal data being able to flow between the UK and other countries in Europe.

Under the GDPR, personal data normally cannot be transferred out of the EEA (i.e. the EU, plus Iceland, Liechtenstein and Norway), unless the data will continue to be "adequately" protected after it leaves the EEA. After the end of the transition period, this legal restriction will likely apply when personal data is going to be sent from the EEA to the UK.

According to the Political Declaration that accompanied the Withdrawal Agreement, the European Commission and UK hope to assess and then formally recognise each other’s data protection rules as providing "adequate" protection for data sent from one territory to the other. This should allow organisations throughout the EEA to freely send personal data to the UK, and vice-versa, without them having to take extra steps to protect the transferred data – minimising costs and friction for businesses and non-profits.

Although the Political Declaration adds that “[t]he future relationship will not affect the Parties' autonomy over their respective personal data protection rules”, the reality is more complex.

Obtaining EU recognition that the UK “adequately” protects personal data means that the UK must show that its protections are "essentially equivalent" to those in the EU. This would pressure the UK to continue some degree of alignment with the EU's data protection standards, going forwards. For instance, after the EU upgraded its data protection laws (by introducing the GDPR in 2016), Switzerland – a non-EEA country – is now looking to upgrade its own data protection laws, and therefore protect its EU 'adequacy' decision, staving off the risk of it being revoked by the European Commission.

Close alignment with EU data protection rules carries a risk of knock-on effects for the UK’s own data flows: when considering whether a country’s data protection laws are “adequate”, the European Commission looks (inter alia) at the country's "onward transfer" rules: the EU would not want to green-light the free flow of personal data to the UK, if the data's recipients in the UK could then freely send the data (without protection) to riskier countries.

The U.S. is a case in point: in 2015, when the EU Court of Justice annulled the EU-U.S. Safe Harbor adequacy decision, Israel and Switzerland promptly followed suit. Their transfer rules were similar to those of the EU, so there seemed to be little justification for them to be applied differently; and revoking the Swiss and Israeli equivalents to the EU-U.S. Safe Harbor scheme avoided arguments that Switzerland and Israel provided inadequate protection for EEA data that was forwarded from their territory to the U.S. without additional safeguards.

Neither Switzerland nor Israel has an exact copy of the EU’s data protection laws. Instead, they have their own unique spin on those rules. If the UK were to change its data protection rules so they no longer copy GDPR wording verbatim, there might be a reduced risk of immediate knock-on effects from EU legal decisions or amendments, as the UK may be able to show that its own adequacy decisions (e.g., for Commonwealth countries) do not suffer from the same issue.

But in addition to complicating the legal framework for multinationals, such deviation could also complicate the European Commission's job of evaluating UK rules and concluding that they offer adequate protection. This might already not be completely straightforward, even if the UK strictly copied the GDPR going forward: since the GDPR test for adequacy requires a range of factors to be considered, including respect for human rights, the European Commission will also need to assess the powers of UK security and intelligence services, like GCHQ, which are subject to different safeguards. Some have criticised those safeguards as being inadequate.

Should the EU conclude that UK laws do not offer adequate protection, without the UK being willing to change those laws or find some other means of offering added protection for incoming data, then the UK will likely be unable to obtain EU-recognised "adequacy" status. In turn, the ability of other countries which have data transfer laws (such as Japan or Singapore) to recognise the UK as "adequate" for data transfers might also be affected.

In short, failure to secure an EU adequacy decision could have a significant knock-on effect on international UK-centric data flows, and the businesses that rely on them. In any event, an adequacy decision does not seem likely to arrive in time for a December 2020 end to the transition period. So there may in any case be a period – hopefully limited in time – during which organisations are restricted by the GDPR from transferring data from the EEA to the UK.

Post-transition options for businesses, in the absence of an adequacy decision

After the end of the transition period, in the absence of an adequacy decision, exporters of personal data from the EEA to the UK will need to primarily rely on extra commitments by UK data importers to protect the data they receive (and to flow those safeguards through to other recipients of the data, in the case of onward transfers).

The ICO has provided further guidance on what form these would need to take: most likely, it would mean putting in place contracts with EEA-based data exporters, based on the European Commission's "standard contractual clauses".

There may be other options in some cases, such as so-called "Binding Corporate Rules", or codes of conduct. The GDPR also allows transfers without additional safeguards, in isolated cases, for instance when a transfer of personal data out of the EEA is necessary to conclude or perform a contract with the individuals that the data is about (or a contract with somebody else, but in the individuals' interests).

As for transfers from the UK to the EEA, after the end of the transition period: even in the event of no-deal, the general expectation is that (i) GDPR transfer rules will be copied into UK law; but (ii) to avoid those rules needlessly posing an obstacle to transfers of personal data from the UK to the EEA, the UK would decide to not apply any adequacy requirement restriction on those transfers.

The UK government might however decide not to do this, perhaps to strengthen its negotiating position (or as a tit-for-tat reprisal to the EU failing to recognise the UK as an “adequate” data destination); but as UK businesses would be negatively affected by a UK restriction on their ability to send personal data to the EU, that would seem to be a case of the UK cutting off its nose to spite its face.

As for transfers from the UK to the rest of the world, it is hoped that the UK may be able to move quite quickly – and perhaps quicker than the EU, or with a focus on different countries – to recognise some Asian, Commonwealth or other countries as "adequate" for the purpose of UK data exports. This could simplify life for UK-based organisations currently suffering from the EU's restriction on data transfers to those countries.

Brexit's other impacts for data protection, post-transition

One way or the other, Brexit seems likely to bring about a tremendous upheaval for UK law generally. And unsurprisingly, given the GDPR's focus on harmonising the effect of laws of the EU/EEA and its Member States, the UK's loss of Member State status could have other important side-effects.

Contracts and privacy notices may need to be revised.

For instance, GDPR Article 28 states that contracts between organisations ("controllers") and their service providers ("processors") must prohibit processors from deviating from the controller's data handling instructions, "unless required to do so by [EU] or Member State law to which the processor is subject". But a UK processor might only have obligations under UK law (e.g. to comply with UK court orders) – so it would make little sense for its contracts to still refer (only) to compliance with EU or Member State laws.

Similarly, UK organisations with no subsidiaries, branches or other forms of "establishment" in other EU countries will cease to be considered as "established in the EU" for GDPR purposes – and thus will often need to "designate" a "representative" in the EU, for GDPR compliance purposes. The converse would also be true for non-UK businesses in the EU, who may need to designate a UK representative following the end of the transition (the “local representative” provisions of the GDPR have been mirrored in the Data Protection Act 2018).

During the transition period, the UK will continue to be treated as an EU Member State for these purposes – minimising some of these effects in the immediate term. But with a transition period potentially lasting as little as 11 months, and uncertainty about what will happen thereafter, many businesses are seeking to "Brexit-proof" their contracts, privacy notices and other documentation, as recommended by the ICO for a no-deal scenario.

The GDPR "one-stop-shop" will no longer apply in the UK

As for the ICO, changes upon the end of the transition period will be significant. Once the UK is no longer directly regulated by the EU GDPR, the GDPR's consistency / "one stop shop" mechanism ceases to apply with respect to the UK, in investigations that have a multi-country dimension. EU regulators will no longer be bound to act through the ICO, even when a business has its overall European headquarters in the UK. Conversely, for organisations with their "main establishment" in one of the remaining EU countries, the ICO will no longer be bound by the GDPR's consistency mechanism.

In either case, this means that organisations could face distinct investigations and sanctions in the UK and the EU. In a large scale data breach, for instance, both the ICO and at least one EU regulator may need to be notified with details of the breach, and each could follow up with distinct investigations and sanctions (such as fines).

The situation will be worse still for EU-active, UK-headquartered businesses unless they can position one of their other (non-UK) EU presences as their “main establishment” in the EU. For offshore businesses without a “main establishment” in the EU, the EU GDPR’s “consistency” rules do not apply; so in the aforementioned data breach scenario, for instance, the UK-headquartered business might have to notify (and then cooperate with investigations by) regulators in every relevant EU / EEA country (plus the UK, if the UK is relevant).

To avoid that worst-case outcome, many UK-headquartered multinationals are therefore looking at how best they can position a subsidiary in the EU as their “main establishment” in the EU; for efficiency, businesses might even decide to shift control of data protection matters entirely out of the UK, rather than split control between the UK and the EU.

As for approvals granted under the GDPR, for instance so-called Binding Corporate Rules ("BCRs"), certification schemes, and codes of conduct, legal changes may be needed before the EU and the UK can continue to recognise approvals issued in each other's territory. Organisations with UK-approved BCRs are already busy transferring oversight of those BCRs to authorities in the remaining EU countries.

A word about cybersecurity, and the EU Network and Information Security (“NIS”) Directive

The EU’s key cybersecurity rules – the “NIS Directive” – are currently implemented in the UK by the UK Network and Information Systems Regulations 2018 (the "UK NIS Regulations").

It may be open to the UK to do away with those regulations – but it is questionable whether that would be sensible. It is hard to identify much of the NIS rules that do not make plain common sense.

Clearly, NIS Directive/UK NIS Regulation provisions that address a pan-European approach to minimum capacity building and planning requirements, exchange of information, cooperation and common security requirements will need to be reconsidered as part of the discussions regarding the future relationship of the UK with the EU. But the obvious benefits of a common approach to the global cybersecurity threat will be a spur to find ways to voluntarily align with the EU's NIS Directive regime.

As is currently the case, digital service providers and operators of essential services which are subject to both the UK NIS Regulations and the laws of an EU country which has implemented the NIS Directive should review how they will comply with both countries' NIS-related laws. For instance, registrations may need to be filed with regulators in multiple countries and, in the event of a security breach, multiple regulatory authorities may need to be notified with details of the incident.

Digital service providers who do business in the EU, whose main place of establishment is in the UK and who are currently registered with the UK ICO will need to consider whether they will need to identify an EU Member State where they have an establishment, and register with the relevant authority in that Member State.
