By Gail Crawford and Ulrich Wuermeling

As the whole world now knows, the UK voted to leave the European Union (EU) in its historic referendum on 23rd June by a vote of 51.9 percent in favour of “leave” to 48.1 in favour of “remain”. This blog focusses on how that decision will impact both UK and global organisations’ compliance with data protection law.

The referendum does not start the exit process. To formally start the exit process, the UK has to serve notice under Article 50 of the Treaty on the European Union which triggers a period for negotiation of the terms of the UK’s exit; with exit taking effect once those negotiations have concluded, or after two years (if sooner), irrespective of what terms have (or have not) been agreed. The two year cut-off period can only be extended with unanimous consent from all EU member states.

There are a myriad of issues that need to be addressed about what “leaving” actually means. Whilst the “leave” campaign was united in its desire to leave the EU, it was (and still is) far from clear what the terms of exit would (or should) be. This lack of clarity means it is hard to say with certainty what will happen to the UK’s data protection laws, as the terms of the UK’s ongoing relationship with the EU, particularly the trade terms it will negotiate, may influence that eventual outcome. There is also a risk that any trade deal will not be concluded on the date the UK exits the EU which may result in companies having to comply with an interim set of UK laws prior to final clarity.

It is currently unclear when the two-year period will start. Whilst the EU seem to be exerting some political pressure on the UK to serve the Article 50 notice quickly, until it is clear who David Cameron’s successor will be it is hard to envisage a decision being taken to trigger the two-year period, and many think the UK will want some comfort around the terms of exit before serving notice. However, press coverage today indicates that other member states might refuse to start any negotiations before the Article 50 notice is served. In any event, a period of uncertainty for businesses seems unavoidable.

We analyse a number of different scenarios below and summarise our view of the steps companies should take in light of such uncertainty.

Compliance until the date the UK exits the EU

The UK’s data protection law exists in the form of the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR), which currently govern the processing of data by companies established in the UK or companies established outside the EEA who use equipment in the UK to process personal data.

Following the recent reform of the EU data protection laws, the DPA will be replaced by the General Data Protection Regulation (GDPR) and therefore, Brexit aside, the DPA would likely be repealed with effect from 25th May 2018 – the date when the GDPR takes effect, which will be before the UK leaves the EU. As long as the UK remains a member of the EU, the GDPR will have direct effect, i.e. its terms will apply directly without the need for implementing UK legislation (unlike a directive), and it will be enforced by the Information Commissioner’s Office (ICO).

It therefore seems likely that the GDPR will apply to all UK companies for a period of time. Exactly how long depends on when notice is served under Article 50 and thus the length of the period between the 25th May 2018 and the date the UK leaves the EU. Theoretically, the UK and the other Member States could agree on the terms of exit prior to the expiration of the two year term, but given the complexity of the issues at hand, this seems unrealistic.

Compliance after the date of exit – the extra-territorial effect of the GDPR

Given two years is a short time to negotiate a complex and politically contentious set of arrangements, there is a risk that negotiations may not be fully concluded before the two-year period expires. In the worst case scenario i.e. that the UK has failed to reach agreement within the two year period (or any extension thereof agreed to by all member states) any EU regulations including the GDPR would cease to apply.

Although the GDPR would not have direct effect as a law of the UK following the UK’s exit. Article 3 purports to give the GDPR extra-territorial effect by requiring any company that offers goods or services to EU citizens or monitors their behaviour to comply with its terms. This will impact a large number of UK companies that trade with European consumers, UK online companies that have EU users or UK business that monitor the behaviour of EU residents. These companies will lose the ability to designate a lead authority and thus will be subject to supervision of each supervisory body in countries where they have customers or users, unless they have a main establishment  outside of the UK within the EU. Such companies will also have to appoint a representative in the EU which, under the GDPR, has legal liability for their compliance.

There has always been some uncertainty regarding enforcement of the GDPR against non-EU entities. In the current climate, we think it is impossible to say what the practical risks will be until we have more clarity on the terms of exit and whether the ICO will remain closely connected to EU regulators.

In this scenario, the UK may well grandfather the majority of existing EU regulations into domestic law to fill the gap when EU regulations cease to have direct effect, and then slowly amend them over time resulting in a broader application of the GDPR.

The Privacy and Electronic Communications Directive, which is implemented by PECR, is also due to be reformed by the EU, but that process has not really started and there is no clear timeline. Thus, unless there is a significant delay in triggering Article 50, PECR is likely to continue to apply in the short to medium term. What happens after that will depend on the terms of the UK’s exit.

Finally, it goes without saying that all UK companies will need to comply with whatever laws are in place in the UK post-exit, as well as the GDPR to the extent it applies.

Will a trade deal require the UK to adopt the GDPR (and other EU privacy regulation)?

There has been much debate as to whether the UK will be required to retain various EU laws in order to maintain the current ability to trade without tariffs and soft regulatory barriers.

EEA: One option is that the UK joins the European Economic Area, as Norway has. This would require adoption of EU laws, including the GDPR and any new laws replacing the E-Privacy Directive, as well as acceptance of free movement of labour. Whilst from a data protection perspective this might be attractive – as in this scenario the UK would not be relegated to “third country” status, which would restrict EU-UK data transfers, the acceptance of free movement of labour may be problematic, given that controlling immigration of EU citizens was at the heart of the “leave” campaign.

EFTA or bespoke trade deal: Any other trade deal, including following the model adopted by Switzerland, who is a member of the European Free Trade Association, but not the EEA would likely result in the UK being a third country for the purposes of international data transfers from the EU.

This means that transfers from the EU to the UK would be treated in the same way as transfers from the EU to the US, and companies would need to revisit their export compliance programme in the absence of an adequacy decision (or in any interim period before an adequacy decision is issued).

Impact of the UK being a “third country” for data export

The ICO statement issued on the day of the referendum result indicates that, whatever the form of trade deal and irrespective of whether it is concluded prior to or after exit, the UK is likely to adopt domestic legislation of a standard equivalent to the GDPR rather than adopting a less onerous privacy framework, so that it can seek an adequacy decision:

“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”

The issue for companies will be how to comply with data protection laws in the event that the UK leaves the EU prior to the granting of any adequacy decision. This would require reviewing all EU-UK transfers and putting in place measures to ensure that such transfers are compliant e.g. new consents, model clauses or BCRs, unless a specific exemption applies to the EU-UK transfer in question. With respect to model clauses, the timing may be unfortunate, given the Irish Information Commissioner intends to push a case initiated by Schrems with respect to Facebook challenging the validity of the model clauses to the Court of Justice of the European Union. Given the average duration of such proceedings, the Court may well decide on the case after the UK has left the EU, but before the UK receives an adequacy decision from the European Commission. However, we expect that, prior to a Court decision on the model clauses, other alternative measures might become available.

Impact on BCRs

BCRs may seem an attractive solution as they would permit free transfer of data within organisations that have both UK (and other non-EU establishments) and EU establishments. At least for companies that already have approved BCRs in place, this might be a valuable solution. For companies that have not yet applied for BCR approval, practical problems arise. If an applicant company’s main establishment is in the UK, and it needs the UK to be its lead authority then there is already a significant back log of requests at the ICO, and it may not be possible to get BCRs approved prior to the exit date (assuming notice under Article 50 is given in the not-too-distant future), not least because the ICO will have its hands full potentially putting in place new UK legislation and working out how it will interact with EU privacy regulators post exit. The loss of the ICO’s perceived business-friendly pragmatism within the Article 29 Working Party (and, post-GDPR, on the European Data Protection Board) may have more subtle effects on global business.

There is also a risk (as yet unknown) regarding the approval by other supervisory authorities of BCRs where the UK is the lead authority. In practice, such BCRs should be accepted until the point of exit. However, any delays whilst exit discussions take place could be detrimental, since once the Article 50 notice is served the two-year exit period has a hard deadline (in the absence of unanimous agreement from all EU member states).

Practical Steps

  • Continue to move forward with your GDPR compliance programme. The GDPR will apply to you if you offer goods or services to, or monitor the behaviour of, EU residents. It is highly likely that the UK will adopt the standards equivalent to the GDPR in any event.
  • Review your organisation’s activity to identify EU-UK data transfers, and consider what steps you would take to ensure compliance if the UK becomes a third country and there is a period following the UK’s exit from the EU when no adequacy decision is yet in place. 
  • If you are currently pursuing BCRs, do everything in your power to expedite the process. If you are not pursuing BCRs, consider whether it is worth doing so given your options for lead authority and the current timetables for approval. 
  • When putting in place model clauses, consider including language that would account for a change in the status of the UK, in the event that it becomes a third country and no adequacy decision is granted.
  • Keep abreast of developments and the ICO’s statements – this is a period of uncertainty, with Brexit compounding the current uncertainty around compliant data transfers following the Schrems case and the challenge to model clauses.