With the United Kingdom ("UK") expected to leave the European Union ("EU") soon, the question arises as to the impact of this withdrawal ("Brexit") on the protection of personal data. The European Data Protection Board ("EDPB") has recently issued guidelines in this respect. Here is an overview.
Impact for UK-based companies: (extra)territorial scope of the GDPR, including the appointment of a representative
Companies and organisations established in the UK which offer goods or services to data subjects in the European Economic Area ("EEA") or which monitor the behaviour of data subjects in the EEA (Article 3(2) GDPR) will continue to be subject to the provisions of the GDPR even after Brexit.
One of these provisions covers the obligation to appoint a representative in the EEA (Article 27 GDPR). This representative must be explicitly appointed by means of a written mandate from the controller or processor and is the contact point for the supervisory authority (Recital 80 GDPR).
More information on the procedure for appointing a representative and his/her responsibilities can be found in the EDPB (draft) guidelines on the territorial scope of the GDPR: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3).
Impact on EU-based companies storing personal data with or transferring personal data to UK-based companies
The impact of Brexit on the transfer of personal data to the UK varies depending on whether or not a withdrawal agreement is concluded between the UK and the EU before the official date of Brexit on 29 March 2019 (or a later date in case of postponement).
Agreement between the UK and the EU
If an agreement is concluded, in principle the GDPR would continue to apply in the UK until the end of 2020. In this case, nothing would change for the transfer of personal data to the UK during the 21 months following Brexit.
No agreement between the UK and the EU
If no agreement is concluded between the EU and the UK, the UK will be considered as a third country from 30 March 2019 onwards. This means that, in the absence of an adequacy decision (Article 45 GDPR), the transfer of personal data from the EEA to the UK has to be based on one of the following instruments as of 30 March 2019:
- Standard or ad hoc data protection clauses (Article 46(2)(c) GDPR),
- Binding corporate rules (Article 46(2)(b) and Article 47 GDPR),
- Codes of conduct and certification mechanisms (Article 46(2)(c) – (d) GDPR), or
- Derogations for specific situations (Article 49 GDPR).
Given the limited time remaining until 30 March 2019, the standard data protection clauses would be a ready-to-use instrument and could be put into practice quickly.
For the transfer of personal data from the UK to the EEA, in principle nothing changes on 30 March 2019. In fact, the UK Government has indicated that data can continue to be transferred from the UK to the EEA in the same way as is currently possible.
Preparation in five steps
As there is a reasonable chance that the UK will leave the EU without a withdrawal agreement on 29 March 2019, several data protection authorities, including the Belgian data protection authority (in French), stress that companies and organisations should prepare for a no-deal scenario.
Five steps should be considered in this preparation:
- Prepare an overview of the processing activities that require the transfer of personal data to the UK.
- Determine the most appropriate instrument for the transfer of personal data.
- Ensure that this instrument is ready for use by 30 March 2019.
- Indicate in your internal documentation, such as your record of processing activities, that transfers to the UK are being or will be made.
- Update your privacy statement by specifying that transfers will be made to the UK.
On 12 February 2019, the EDPB published two information notes with further explanations for companies and organisations about the correct application of the GDPR in the event of a no-deal Brexit:
- Information note on data transfers under the GDPR in the event of a no-deal-brexit
- Information note on binding corporate rules for companies which have ICO as lead supervisory authority
For an overview of the consequences of Brexit for financial service providers, we refer to Eubelius Spotlights March 2019.