Yesterday, the ICO published new guidance on data protection implications of a “no deal Brexit”. This includes a “Six Steps to Take” Guide, a blog with embedded guidance and FAQs. In addition, UK government published its plans for “No Deal Brexit”.
Here are the key points:
- Substantive changes to GDPR rules: GDPR continues to apply under the EU Withdrawal Act. But UK Government will amend it to remove references to “EU institutions and procedures” and references to “Union or Member State law”.
- ICO role: The ICO will remain the ICO’s Independent privacy regulator. It will no longer be a member of the European Data Protection Board. But the UK and EU have agreed to implement rules on co-operation between the ICO and the Board.
- Data Transfers to EEA countries and Gibraltar: the UK will transitionally recognise all EEA states and Gibraltar as providing adequate protection for personal data. Personal data continues to flow freely from the UK to these countries. But this may be kept under review.
- Data Transfers from the EEA to the UK: you need a transfer solution in place. This may require re-papering with SCCs to be clear that the UK is a data importer or another transfer solution.
- Data Transfers under EU adequacy decisions: The UK will preserve the effect of the EU adequacy decisions on a transitional basis. Data Transfers to these jurisdictions can continue uninterrupted. This covers: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and USA (under Privacy Shield framework). As Privacy Shield is an EU/US agreement, it is less clear how the UK can recognise it post-Brexit. The ICO have actually said that Privacy Shield would be excluded from this arrangement but that the UK government’s intention is to make arrangements for it to continue to apply. This will need a “watching brief”. It may require an alternative solution to be in place for transfers from UK to US if these arrangements are not in place in time.
- Data Transfers from countries with an existing EU adequacy decision to the UK: These transfers were based on an adequacy decision in place with the EU. It will be for each individual country to determine whether it will respect that decision regarding transfers to UK. But transfer solutions may be necessary.
- Data Transfers from UK under EU Standard Contractual Clauses (SCCs): you are probably using SCCs to export data to countries like the US. No action is required on these at this time provided you have SCCs in place. The UK government plans to recognise EU SCCs. The ICO will be given the power to issue new SCCs (presumably customised for UK terminology) post-Brexit.
- BCRs: Existing authorisations of BCRs made by the ICO continue to be recognised in UK law post-Brexit. The UK will also recognise BCRs approved by other EU supervisory authorities pre-Brexit. The DCMS paper suggests that post-Brexit, the ICO will continue to be able to authorise new BCRs but only under domestic law. It is not clear why BCRs approved post-Brexit by the EU would not be potentially valid for transfers from the UK (as UK BCRs are for transfers from adequate jurisdictions). BCRs (both approved and in-flight applications) will presumably need to transition to a new Lead Supervisory Authority. Existing BCRs will also need to be updated to reflect the UK as a third country.
- One Stop Shop: If you’re only established in the UK post-Brexit (not the rest of the EU), you’ll lose the benefit of “One Stop Shop”. You will also lose the benefit of “One Stop Shop” where you no longer undertake any cross-border processing in the EU due to Brexit (e.g. you previously processed only in two EU countries one of which was the UK). This may mean that in the event of a breach you would need to deal with both the ICO as well as the supervisory authorities in the each of the relevant EU countries in which individuals are affected. This raises the possibility of multiple enforcement actions (including fines).
There are a number of other significant implications:
- Consider updating GDPR documentation (e.g. Article 30 records) and privacy notices (e.g. references to the UK as part of the EU and in relation to data transfers).
- If you end up not established in the EU post-Brexit but are caught by the EU extra-territorial scope, you’ll probably need to appoint a Representative (one Representative in the jurisdiction in which you have the majority of your customers). Conversely, if you target products into or monitor data subjects in the UK but are not established here, you probably need to appoint a UK Representative.
- Consider reviewing DPIAs (if they involve data transfers).
DCMS plan to issue draft regulations soon to implement the above proposals.