What does a no Brexit deal mean for data protection?
As much as the UK government remains resolute that a “no deal” Brexit scenario is unlikely, we won’t find out for sure until the 29th of March 2019. As with all major events, it is better to prepare your company for all scenarios, particularly if they are likely to have a big impact on your data protection and your customers.
GDPR currently states that organisations are free to transfer personal data within the EU, but are only allowed to transfer personal data outside of the EU if there is a legal basis to do so.
At the start of this year, 2018, the House of Commons Digital Culture, Media and Sport (DCMS) Committee highlighted that retaining the ability to transfer personal data across EU borders is absolutely fundamental to the success of UK technology businesses.
This report states: “The success of the UK’s digital economy is underpinned by ongoing data transfer across the globe and particularly within the EU. It is important to recognise that Brexit creates a potential risk that the UK’s ability to transfer data across UK borders will be limited”.
So, what would this mean for the UK if there’s a no deal Brexit?
There would be no immediate change in the UK’s data protection standards because the Data Protection Act 2018 (DPA) would remain in place. The European Union (Withdrawal) Act 2018 incorporates the GDPR into UK law, to sit right alongside the DPA.
If a no deal Brexit occurs, the issue would arise when personal data is transferred from the EU to the UK, as the legal framework governing the data would change on exit.
The European Commission has previously stated that if the UK’s level of personal data protection is deemed to be the equivalent of that of the EU (GDPR), then it would allow personal data to be transferred from the UK without any restrictions.
The White Paper emphasised that the UK and the EU start their extensive agreement (on the exchange of personal data) from a unique position of trust in each other’s standards, and regulatory alignment on data protection. The DCMS also suggested that a standard contractual clause be put in place in contracts and Privacy Notices to allow for the continued transfer of personal data to and from the EU.
However, the situation becomes more confused when we factor in the thoughts of the European Court of Justice. The ECJ have raised concerns over the UK’s growing surveillance culture especially in connection with The Regulation of Investigatory Powers Act (RIPA) and on this basis we may not be deemed to have adequate protections.
It must also be remembered that organisations which habitually processes the data of, or monitors EU Citizens may be required to have representative within the EU.
It seems that regardless of what happens on the 29th of March next year, the UK government’s approach to data protection is similar to what it is now, which bodes very well for UK businesses, however, the uncertainty means business should plan for all eventualities.
Sign up to our eBulletin for the latest developments in data protection, information governance and compliance.