#AtoZofGDPR - B is for Brexit
The Article 50 negotiating period comes to an end on 29 March 2019, which is now less than 6 months away! There are significant concerns around how Brexit will affect transfers of personal data and indeed what role, if any, the UK’s Information Commissioner’s Office will have post-Brexit.
Upon its exit from the European Union, the UK will become a ‘Third Country’, which means that unhindered cross-border transfers of data will no longer be able to take place between the UK and the EU. This is an extremely serious concern, as transfers of personal data from the EU to so-called third countries are severely restricted.
Adequacy decisions are the EU’s mechanism to allow free transfers of data to ‘Third Countries’. An adequacy decision can be granted to a country which the European Commission deems to provide a level of personal data protection essentially equivalent to that in the EU. The Schrems v. Data Protection Commissioner case shone a light on the “essential equivalence” test, and it was found that national security surveillance by foreign countries undermines the privacy rights of Europeans.
Therefore, a stumbling block to achieving essential equivalence for the UK may be the Investigatory Powers Act 2016. The High Court and the European Court of Human Rights have declared that the powers granted to the UK’s security and intelligence services to intercept, retain and examine data violate the right to private and family life. This puts a positive adequacy decision on, or very shortly following, 29th March 2019 into doubt.
There is "no doubt" that the UK's national security and surveillance powers would come under scrutiny.
This would include the intelligence services' collection, retention and use of data, and the secretive Five Eyes intelligence-sharing network between the UK, US, New Zealand, Australia and Canada, as adequacy decisions also set rules on how data is shared with third countries.
Soft Brexit (Chequers Plan)
Under the Chequers Plan / Soft Brexit the UK would leave the EU with the minimum possible effect. In data protection terms this would allow unhindered transfers of personal data between the UK and the EU and would allow the Information Commissioner’s Office to continue to participate in the one stop shop mechanism.
Semi Soft Brexit
A Semi Soft Brexit scenario would be for the UK and the EU to agree on a deal that would ensure the unhindered flow of personal information. This scenario would require the EU to commit to granting an adequacy finding at the point of exit or during an agreed transitional period; however, the adequacy conditions would have to be met by the UK. This scenario would allow organisations to continue to operate as safe recipients of EU data in exactly the same way that they do today.
Semi Hard Brexit
In a Semi Hard Brexit scenario an adequacy decision may take up to 6 years to achieve. The level of scrutiny would be extremely meticulous, remembering the issue of the Investigatory Powers Act 2016! Under this scenario, UK recipients of personal data from the EU would be required to implement and apply appropriate safeguards via contractual arrangements and binding corporate rules etc.
Hard Brexit (No Deal)
In the event of a No Deal exit / Hard Brexit, the UK Data Protection Act 2018, which implements the GDPR in UK domestic law, would continue to apply, whilst the GDPR itself would be incorporated into UK law via the operation of the EU Withdrawal Act 2018. However, this scenario may well put an end to any hopes of reaching an EU adequacy finding. It could also put an end to any involvement for the ICO in the one stop shop mechanism.
To prepare for Brexit, however the egg is cooked, organisations should review all of their processing activities and confirm if they, or any of their suppliers, are processing data within the UK. You should also review your cloud / app suppliers: are they processing your data within the UK? If so, what are their contingency plans? One thing is for sure, whatever the outcome, it will not be business as usual…