You can’t escape the topic of Brexit at the moment. Much of the discussion will be on whether we get a deal or not, but a topic that is not discussed is why some of the negotiations are so complex.
Much of EU trade (whether cross-border or not) has a data element to it. All EU and EEA countries handle data in a similar way and in particular personally identifiable data. This is important for many services (e.g. banking and insurance) so that we can trust data transfers across this huge region.
If you take the above at face value, everything should continue as normal after Brexit, and we will carry on exactly as we do now because we adopted the EU GDPR into UK law. Sadly, EU negotiators don’t seem to think the same way, and much has been made of technical issues that prevent an agreement being reached.
The UK is a member of the European Data Protection Board (EDPB) and continued membership would mean that we would be aware of future potential amendments. Unfortunately, the chief EU negotiator Michel Barnier was against the UK being a member of the EDPB after Brexit. This would create issues, for example:
- Who would launch an infringement against the United Kingdom in the case of misapplication of the GDPR?
- Who would ensure that the UK would update its data legislation every time the EU updates the GDPR?
- How can we ensure the uniform interpretation of the rules on data protection on both sides of the Channel?
A sticking point is whether the UK would be bound by rulings of the European Court of Justice (ECJ) after Brexit. If we were not bound by ECJ rulings, we would not be adopting future European case law into our legislation post-Brexit, and this would lead to a bifurcation of UK and EU legislation. The EU may then have grounds to say that our data protection laws were no longer “adequate”.
Much of that would seem to be solved by the UK’s continued presence on the EDPB. Barnier says that the above issues can only be resolved by an “adequacy decision”; however, our Information Commissioner Elizabeth Denham says that a data treaty is preferable. Clearly a disagreement. The EU already has an arrangement with the US called the EU-US Privacy Shield, despite the US having a lower standard of personal data privacy than the UK under GDPR.
Other issues arise around UK security legislation (e.g. the Investigatory Powers Act 2016), which would make an adequacy ruling difficult and explains why the UK Information Commissioner would prefer a data treaty similar to the US arrangement.
Helpfully, the UK Information Commissioner’s Office (ICO) gives guidance on the effect of leaving the EU.
Their guidance highlights six steps that all businesses should take.
- Continue to comply
- Consider transfers to your UK business from the EU and EEA and the safeguards needed to ensure that data can continue to flow.
- Consider transfers outside the UK so that you can document the new basis for those transfers.
- If you operate across Europe consider how the different data protection regimes apply to you.
- Review your privacy information and internal documentation.
- Ensure that your organisation is aware of the key issues.
The ICO keeps its guidance on the progress of GDPR and Brexit up to date, and all UK businesses should visit the ICO website regularly to ensure that they have the latest information.