Brexit: Data protection and cybersecurity law implications

By James Mullock, Simon Shooter, Philippe Bradley-Schmieg


The UK government's Article 50 notice under the Treaty on European Union will now result in Brexit taking effect on 31 January 2020, unless the revised Withdrawal Agreement is approved by the UK Parliament (which would bring the exit date forward), or unless the Article 50 notice period is extended again by further agreement with the EU, or revoked.

If and when Brexit happens, however, organisations are still likely to face a data protection and cybersecurity law landscape heavily influenced by EU laws, at least for the foreseeable future. This article explains why, under the various outcomes that may lie ahead.

On 25th May 2018, the General Data Protection Regulation (GDPR) came into force across the European Union, including in the UK.

A new UK Data Protection Act 2018 was introduced at the same time, and serves multiple functions: the Act provides for local GDPR enforcement (by the Information Commissioner's Office); it adds certain offences and other requirements; it makes liberal use of the GDPR's scope for national law to authorise certain uses of personal data (e.g. for health or insurance purposes); it extends the GDPR's rules to areas not already covered by the GDPR; and it incorporates the EU Police and Criminal Justice Data Protection Directive's requirements into UK law. Finally, it also imposes a data protection framework for UK national security activities, consistent with the UK's obligations to do so under the Council of Europe's "Convention 108".

The UK has also been implementing the so-called EU Cyber Directive – the Network & Information Security (NIS) Directive – along with other EU Member States.

So what are the data protection and cybersecurity law consequences for the UK should the UK leave the EU without an exit agreement – a "no deal" Brexit?

The Data Protection Act 2018

The first point to note is that the GDPR is already in full force - the Data Protection Act 2018 sees to that.

As an interesting aside, separate from its obligations vis-à-vis the EU, the UK would in any event be bound by international law to retain basic data protection rules (recently modernised to keep pace with the GDPR) under Convention 108 – an international treaty brokered by the Council of Europe, which (despite a similar name) is an entirely different international organisation from the EU. Leaving the EU would not affect the UK's obligations under Convention 108, which echo (albeit with more flexibility) the core principles found in the GDPR. To move away from European-style data protection rules entirely, therefore, the UK would also need to revoke its status as a party to Convention 108.

The GDPR's 'long arm' approach to jurisdiction

Any UK business which trades in the EU will also have to comply with the GDPR despite any Brexit taking effect. That's because the GDPR's many obligations apply to organisations located anywhere in the world, besides the EU, when they process personal data in connection with an offer of goods or services to individuals in the EU, or when "monitoring" them (defined to pick up many online behavioural marketing activities, among others).

Similarly, any UK business which has a group company or staff operating within the EU will be caught by the GDPR's broad extraterritorial reach, and will thus have to comply with the GDPR's provisions.

Finally, the EU's future replacement to the current e-Privacy Directive (to create a new "e-Privacy Regulation", governing issues such as cookies, direct marketing, and the collection and use of communications data), is likely to have a similarly broad extraterritorial scope.

The UK's post-Brexit options and 'adequacy'

Post-Brexit, the most obvious options for the UK for interacting and trading with the EU are particularly interesting when looked at through a data protection law lens:

1. Withdrawal Agreement 2.0?

At the time of writing, the future looks particularly murky for the Withdrawal Agreement negotiated in 2018 under Theresa May, prior to her resignation as Prime Minister. Although rejected by Parliament, a derivative of that Agreement might still make a comeback in the weeks or months to come (with a modified "backstop" mechanism, perhaps).

The draft 2018 Withdrawal Agreement would have committed the UK to continue to apply GDPR rules to personal data throughout the "transition period" set by that agreement, and to continue to do so afterwards, in respect of the "stock" of EU personal data collected before the end of that transition period.

As for the 2018 Political Declaration, which discussed the future relationship that the UK and EU hoped to negotiate for after the end of that transition period, the UK and EU simply committed to "ensur[e] a high level of personal data protection to facilitate such flows between them" – suggesting that some divergence would be tolerated going forward, provided neither side overly watered down its laws.

It remains to be seen whether any new deal will be negotiated, and if so, whether the UK and EU will arrive at a similar compromise on data protection rules.

2. No deal?

In the event of a "no deal" outcome, then on the face of it, the UK will immediately have free rein to choose the form of data protection laws that it wants to maintain.

However, the UK economy, in particular its financial services sector, relies on data being relatively freely transferred between the UK and other countries in Europe. Under the GDPR, personal data normally cannot be transferred out of the EEA unless there are assurances that the data will continue to be "adequately" protected after it leaves the EEA – for example, when it is sent from the EEA to a post-Brexit UK.

Ideally, either the EU and the UK would agree by treaty to override those GDPR rules, or by applying the rules in the GDPR itself, the European Commission would consider and then formally recognize the UK's underlying legal framework as providing "adequate" protection for data sent from the EEA. This allows organisations throughout the EEA to freely send personal data to organisations in that "adequate" country (in this case, the UK), in most cases without either the exporter or importer having to take extra steps to protect the transferred data.

However, this puts the non-EEA "adequate" country under pressure to stay in lock-step with the EU/EEA's data protection standards.

For instance Switzerland, which is not a member of the EEA, has historically had data protection laws which look and feel similar to those in the EEA. On that basis, the European Commission long ago recognised Switzerland's laws as "adequate". But since the EU's recent GDPR reforms, Switzerland is now working to update its own laws, in part to maintain parity of protection with the EEA, and thus ensure that its 'adequacy' decision is not revoked by the European Commission.

There is also a risk of knock-on effects for the non-EEA country's own data flows. One of the things assessed by the European Commission is the country's "onward transfer" rules: the EEA would not want to green-light the free flow of personal data to the UK if UK organisations could then freely send the data (without protection) to countries that the EU itself does not recognise as providing adequate protection.

The U.S. is a case in point: in 2015, when the EU Court of Justice annulled the U.S. Safe Harbor adequacy decision, Israel and Switzerland promptly followed suit. Their rules were similar to those of the EU, so there seemed to be little justification for them to be applied differently; and revoking the Swiss and Israeli equivalents to the EU-U.S. Safe Harbor scheme avoided arguments that Switzerland and Israel provided inadequate protection for EEA data that was forwarded from their territory to the U.S. without appropriate safeguards.

If the UK were to change its data protection rules so they no longer copy GDPR wording verbatim, there might be a reduced risk of immediate knock-on effects from EU legal decisions or amendments, as the UK may be able to show that its rules do not suffer from the same issue.

But such deviation could further complicate the European Commission's job of evaluating UK rules and concluding that they offer adequate protection. This might already not be completely straightforward, even if the UK kept GDPR-like rules: the European Commission would also need to consider the powers of UK security and intelligence services, like GCHQ, which are subject to different safeguards, which some have criticised as being inadequate. That is because the test for adequacy under the GDPR requires a range of factors to be considered beyond legislation in an applicant country, including respect for human rights more broadly and case law.

Should the EU conclude that UK laws do not offer adequate protection, this might put the UK in the position of having to either change those factors, or lose the ability to obtain EU-recognised "adequacy" status, with the knock-on impact that would have on data-based trade. The ability of other countries which have data transfer laws (such as Japan or Singapore) to recognise the UK as "adequate" for data transfers might also be affected.

What seems clear is that in the absence of an adequacy decision (which in any event does not seem likely to arrive in time for the UK's possibly "hard" / "no deal" exit from the EU), data transfers from the EEA to the UK will need to primarily rely on commitments by UK data importers to take extra steps to protect the data they receive from the EU (and to flow those safeguards through to other recipients of the data, in the case of onward transfers).

The UK Information Commissioner's Office has provided further guidance on what form these would need to take: most likely, it would mean putting in place contracts with EEA-based data exporters, based on the European Commission's "standard contractual clauses".

There may be other options in some cases, such as so-called "Binding Corporate Rules", or codes of conduct. The GDPR also allows transfers without additional safeguards, in isolated cases, for instance when a transfer of personal data out of the EEA is necessary to conclude or perform a contract with the individual (or with somebody else, but in that individual's interests).

For now, the UK government's position (at least, under Theresa May) was that GDPR transfer rules would be copied into UK law; but to avoid those rules needlessly posing an obstacle to transfers of personal data from the UK to the EEA, the UK would decide not to apply any adequacy requirement to those transfers. At the time of writing, this was still the ICO's expectation, although Boris Johnson's government has yet to reiterate the previous government's (very welcome) commitment. Conceivably that decision could be reversed if the UK government decided to take a harder negotiating position, but as UK businesses would be negatively affected just as much as their EU counterparts, this would seem to be a case of the UK cutting off its nose to spite its face.

The impact of the Brexit vote upon the ICO

Those familiar with EU data protection rules will be aware that the European Data Protection Board (EDPB), whose members include representatives from each EU Member State's data protection regulatory authorities, plays a very significant role in data protection compliance.

Indeed, the EDPB is central to the formation of guidance, the approval of codes of conduct and certification schemes. Crucially, it is also the appellant board for GDPR disputes between national authorities that might hold differing views as to the lawfulness of an organisation's conduct that affects multiple EU countries simultaneously.

Post-Brexit, even under Theresa May's proposed Withdrawal Agreement, the ICO would have been relegated to mere observer status within the EDPB – and even then, by invitation only, rather than for all meetings and decisions. The ICO might not even be welcomed as an observer, in the event of a "no deal".

Either way, it seems that the voice of the ICO will no longer be heard, at least without invitation, at the EU's top regulatory table. The ICO would certainly not be able to cast a vote during EDPB decision-making processes.

This also means that the ICO can no longer serve as "lead authority" in the so called "one stop shop" / "consistency" procedures envisaged by the GDPR – most notably, in investigations that have a multi-country dimension.

The large number of UK businesses which are likely to fall under the jurisdiction of the GDPR could therefore find themselves in the position of being subject to guidance and/or being judged by a body which does not include their own national regulator for data protection matters.

They might also simultaneously find themselves under investigation by both the ICO and EEA regulators – without the two being bound to act through just one regulator, or to reach the same decisions, as they might otherwise be under the GDPR's so-called "consistency" rules. A large-scale data breach could result in a situation where not only the ICO but also an EU supervisory authority must be notified of the details of the breach, and where dual enforcement by each authority could result in fines being imposed under both the GDPR and the UK's Data Protection Act 2018.

Brexit's other impacts for data protection

One way or the other, Brexit seems likely to bring about a tremendous upheaval for UK law. And unsurprisingly, given the GDPR's focus on harmonising the effect of laws of the EU/EEA and its Member States, the UK's loss of Member State status could have other important side-effects.

For instance, the GDPR states that contracts between organisations ("controllers") and their service providers ("processors") must prohibit processors from deviating from the controller's data handling instructions, "unless required to do so by [EU] or Member State law to which the processor is subject". But a UK processor might only have obligations under UK law (e.g. to comply with UK court orders) – so it would make little sense for its contracts to still refer (only) to compliance with EU or Member State laws.

Similarly, UK organisations with no subsidiaries, branches or other forms of "establishment" in other EU countries will cease to be considered as "established in the EU" for GDPR purposes – and thus often need to "designate" a "representative" in the EU, for GDPR compliance purposes. The converse would also be true for non-UK businesses in the EU, who may now need to designate a UK representative – the representative provisions of the GDPR have been mirrored in the Data Protection Act 2018.

The Withdrawal Agreement negotiated by Theresa May would, at least during its proposed transition period, have allowed organisations to continue treating the UK as a "Member State" for these purposes – minimising some of these effects. A no-deal outcome, however, would throw that to the wind; already, many businesses are seeking to "Brexit-proof" their contracts, privacy notices and other documentation, as recommended by the ICO in a no-deal scenario.

A word about cybersecurity, and the EU NIS Directive

The EU NIS Directive is currently implemented in the UK by the UK Network and Information Systems Regulations 2018 (the "UK NIS Regulations").

Depending on any deal with the EU, it may be open to the UK to do away with those regulations – but it is questionable whether that would be sensible. It is hard to identify much of the NIS rules that do not make plain common sense.

Clearly, NIS Directive/UK NIS Regulation provisions that address a pan-European approach to minimum capacity building and planning requirements, exchange of information, cooperation and common security requirements will need to be reconsidered, but the obvious benefits of a common approach to the global cybersecurity threat will be a spur to find ways to voluntarily align with the EU's NIS Directive regime.

As is currently the case, digital service providers and operators of essential services which are subject to both the UK NIS Regulations and the laws of an EU country implementing the NIS Directive should review how they will comply with both countries' NIS-related laws. For instance, registrations may need to be filed with regulators in multiple countries and, in the event of a security breach, multiple regulatory authorities may need to be notified with details of the incident.

Digital service providers who do business in the EU, whose main place of establishment is in the UK and who are currently registered with the UK ICO will need to consider whether they must identify an EU Member State where they have an establishment and register with the ICO's equivalent in that Member State.

We intend to update our guidance in this area as the data protection and cybersecurity law implications become clearer.

This article is part of our Brexit series.