As part of its preparations for a “no deal” scenario when the Article 50 negotiating period comes to an end on 29 March 2019, the Department for Digital, Culture, Media and Sport (“DDCMS”) has today released guidance on “Data protection if there’s no Brexit deal”. The UK will become a “third country” on its exit from the European Union, which means that unhindered cross-border transfers of data will no longer automatically be able to take place between the UK and the EU.
In a “no deal” situation, the Data Protection Act 2018, which implements the General Data Protection (“GDPR”) in domestic law, would continue to apply, while the GDPR itself would be incorporated into UK law through the operation of the EU Withdrawal Act 2018. National data protection standards would therefore remain the same. The guidance confirms that, given the “unprecedented alignment” between the UK and EU data protection regimes, the UK would continue to allow transfers of data from the UK to the EU at the point of exit.
Adequacy decisions are the EU’s established mechanism to allow free transfers of data to third countries. These can be granted to a country which the European Commission deems to provide a level of personal data protection “essentially equivalent” to that in the EU. Twelve adequacy decisions have so far been granted and the Commission has made it clear that they would not make a decision on adequacy until the UK is a third country (that is, after 29 March 2019), and its procedure for reaching a decision typically lasts several months.
In addition, the Commission will take the UK’s crime and national security legislation into account in its assessment of UK data protection laws, which means that the controversial Investigatory Powers Act 2016 will be relevant to its decision. Both the High Court and the European Court of Human Rights have declared that the powers granted to the UK’s security and intelligence services to intercept, retain and examine data violate the right to private and family life, which puts a positive adequacy decision further into doubt. On the other hand, the European Commissioner with responsibility for data protection has indicated that the “quickest and most efficient legal framework for the exchange of data with the UK” will be desirable “for the sake of business interests.”
There are therefore doubts about whether a positive adequacy decision will be made at all, let alone on exit day. If a decision about adequacy is not made at the point of exit (i.e. on or very shortly after 29 March 2019), the guidance recommends that organisations (and individuals) identify an alternative legal basis for their transfers of personal data from the EU to the UK. DDCMS’s view is that the most relevant such basis would be standard contractual clauses.
In July 2018 the Government indicated in its White Paper “The future relationship between the UK and the EU” that the EU’s adequacy framework provided the “right starting point” for the UK and the EU’s co-operation on data protection issues after Brexit. The Government emphasised that the UK’s starting point was “unique” due to the degree of regulatory alignment resulting from the UK’s membership in the EU, and advocated for a continuing role for the ICO in cooperation with the EU’s data protection authorities. The Government’s proposals for data protection after Brexit are therefore fairly similar whether or not a deal is reached, both dependent on the granting of an adequacy decision. It remains to be seen how this will play out in practice.