The UK Government has published a “no deal” note to clarify how data protection law will work in the event that the UK leaves the EU without a deal. The note confirms that separate draft regulations and more detailed guidance will be published in the next few weeks but, in the meantime, it clarifies at a high level a number of key issues for organisations both within the UK and outside but doing business with the UK.
UK retained law
- The EU Withdrawal Act 2018 will effectively retain the GDPR as UK law and give the Government the power to make appropriate amendments. Amendments will include, for example, amending references to EU laws and institutions.
- The fundamental data protection principles, obligations on organisations, and rights for individuals will remain the same under the UK law.
Data transfers from the UK to the EEA
- The UK will recognise all EEA states, EU and EEA institutions and Gibraltar as providing an adequate level of protection for personal data, meaning that data can flow freely from the UK to these jurisdictions.
- However, the UK will keep this under review, meaning that the Government could decide in the future that certain Member States do not provide adequate protection and restrict the flow of data to such countries.
Data transfers from the UK to countries with adequate protection
- The UK will preserve the effect of existing EU adequacy decisions, meaning that data can flow freely from the UK to Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
- The Government has also confirmed that it will preserve the effect of the existing EU-US Privacy Shield to enable the free flow of data from the UK to organisations on the Privacy Shield List.
- However, the Government has stated that this will be on a transitional basis, leaving the door open for the UK to potentially agree its own Privacy Shield with the US in the future.
Data transfers from the UK to third countries with no adequate protection
- Any EU Standard Contractual Clauses that have been approved by the European Commission will continue to be a legitimate basis for transfers from the UK to third countries.
- Under the proposed regulations to be published in the next few weeks, the UK Information Commissioner will also have the power to issue new Standard Contractual Clauses applicable to the UK.
Extra-territorial scope of the UK law
- The UK law will have the same extra-territorial scope as the GDPR, meaning that it will apply to organisations based outside of the UK (including in the EU) where they are processing personal data about individuals in the UK in connection with offering them goods and services, or monitoring their behaviour.
- Controllers based outside of the UK who are directly subject to the UK law will need to appoint a representative in the UK. This means that companies based outside of Europe but doing business in both Europe and the UK will need to appoint both an EU representative under the GDPR, and a UK representative under the UK law.
For further details on our view of the possible impact of Brexit on data protection under both a deal and no deal scenario, please see our Brexit Legal Guide available here.