The implications for data protection law in the UK and GDPR compliance plans in the eye of the Brexit Storm

On the 4th May 2016, a fundamental milestone in the history of EU Data protection law was reached with the adoption of the EU General Data Protection Regulation (“GDPR”) achieving harmonisation of the rules across the EU after four years of hard-fought negotiations.

On the 23rd June 2016, the United Kingdom European Union membership referendum unexpectedly saw the victory of the Leave vote (Brexit) over the Remain vote, throwing the UK, the EU and the world into uncharted waters from a political, economic and legal point of view.

Currently there is an essential lack of clarity on the implications of this referendum, which is being challenged both from a legal and political standpoint.

In light of the fundamental change of circumstances called for by the likely forthcoming so-called Brexit, it remained to be seen to what extent the data protection reform successfully concluded by the EU would be jeopardised by Brexit. The resounding answer to this question is that GDPR surfaces immune to any Brexit fallout. Following a two-year implementation period, the GDPR will be applied across the EU from 25 May 2018.

In order to clarify the applicable legal requirements, and address concerns from those UK companies which were committed to comply with the GDPR prior to the Brexit vote, it is worth reminding ourselves briefly of the timeline and rules laid out by the Treaty of the European Union (“TEU”) governing the exit of a Member State from the EU, as well as referencing the legal challenges to Brexit (1). The article will then go onto provide a summary of the options available to the UK upon actual exit and assess the period that the GDPR will have direct effect in the UK (2); analyse the latest GDPR guidance overview provided by the Information Commissioner (ICO) ahead of all the other DPAs in the EU (Section 5), look at the operational planning required to ensure that a business complies with the GDPR (Section 6) and then finally address the specific regime applicable to data transfers in the EU (Section 7).

1. Brexit timeline

Brexit timing and process

The EU exit process to be followed by a Member State is clearly set out by Article 50 of the TEU. A Member State is required to give the European Council at least two years’ notice of its intention to leave the EU. During this period, an agreement setting out the arrangements for its withdrawal will need to be negotiated, taking on board the framework for its future relationship with the Union. The UK would cease to be an EU Member State either at the date of entry into force of the withdrawal agreement or, ‘failing that’, two years after the notification of its intention to withdraw from the EU, unless the European Council and the UK unanimously agree to extend that period.

As no fully-fledged Member State has in fact left the EU before or after the entry into force of the Treaty of Lisbon - although some parts of Member States have done so (Greenland) - we are in terra incognita and it is no surprise that numerous legal challenges to Brexit have arisen, in particular in relation to the applicable exit process.

Under the European Referendum Act, this Referendum is merely advisory and legally non-binding in nature. This unexpected legal qualification of the Referendum is the basis for a plethora of legal challenges before the UK courts.

Legal challenges to Brexit

First, it is argued by the UK Government that under the royal prerogative part of the prime minister's executive powers it has the right to invoke Article 50 of the Treaty of the European Union which provides that “Any Member State may decide to withdraw from the Union in accordance with its own constitutional requirements”. However, a judicial review challenge before the UK courts argues that the parliament is sovereign and as such, parliamentary approval and primary legislation would be required before the UK Government may be authorised to initiate a withdrawal from the EU. Similarly, many other cases (7) are being brought before the UK courts seeking a declaration clarifying that the UK Government will not trigger such Article 50 (“Art. 50”) without an Act of Parliament, upholding the sovereignty of Parliament and following the appropriate constitutional process for Brexit.

However, it is no longer argued that only the UK Parliament has the power to repeal the European Communities Act 1972 (“ECA”) and if the Article 50 were to be triggered it would be postponed to 2017.

2. Potential models for the UK’s relationship with the EU post Brexit

There are three main options.

While a myriad of nuanced possibilities may be available to the UK to redefine its relationship with the EU, it may broadly boil down to three major options.

Joining as a member the European Free Trade Association (“EFTA‟), currently including Iceland, Lichtenstein and Norway. The UK may use its membership as a gateway to re-join the European Economic Area (“EEA”) and retain access to the Single Market albeit without any say on its rules. Such countries have all adopted the Data Protection Directive into their respective local laws, and the GDPR will likely follow in 2018. Therefore, should the UK pursue this option, it seems almost inevitable that it would have to fully take on board the GDPR.
Following Switzerland’s model of relationship with the EU. The UK may be tempted to regulate its relationship with the EU through bilateral treaties only without being subject – to date – to the jurisdiction of the European Court of Justice. However, although the country is part of the single market for goods it is not for services, which is a major drawback for the UK. In terms of its data protection laws, Swiss law closely resembles the local laws of EU Member States, and as a result, Switzerland has been recognised as offering adequate protection by the European Commission (“EC”). It will have to update its laws in light of the GDPR in order to retain this recognition. Therefore, if the UK mirrors this model, it will find itself in a similar boat.
Transferring all sovereign powers back to the UK. The UK would choose a “third way” leading to a complete detachment from the EU. In practice, the ECA would need to be repealed or amended and all related legislation implementing EU law in the UK would cease to apply creating a legal vacuum.

Whatever the option chosen by the UK, it may be wise to consider putting in place an interim agreement should the UK decide to trigger Art. 50. It is that or leaving the EU after 2 years with no trade deals in place at all. The UK would then beat the mercy of World Trade Organisation rules. That would be completely consistent with the fact that Brexit means the ECA would need to be repealed plus all related legislation implementing EU law in the UK would cease to apply creating a legislative void. Clearly a grandfathering framework of all the laws in place will need to be adopted so as to keep the UK legal landscape as it is for probably 10 years, so as to have sufficient time to enact new legislation. This would mean communicating a difficult political message to the country in spite of offering much needed legal certainty.

The GDPR’s period of direct effect

As a matter of fact, early 2017 looks to be the earliest feasible date that Article 50 may be invoked, and even this is still uncertain. Either way, the earliest the UK can be expected to exit the EU is January 2019. With the GDPR coming into force before then, this would mean that the GDPR would become part of UK law for the period from 25 May 2018 until at the very least December 2018. Any additional delay in pressing the Brexit button and any extension in the withdrawal negotiations – both of which may well occur – would only serve to extend the time that the UK would remain a Member State and thus that the GDPR would be in force in the UK.

Based on the above, we can expect the GDPR to become part of UK law for at least a period of more than half a year. Furthermore, if and when the GDPR is replaced with domestic legislation post-Brexit, then the likelihood is that this legislation will basically be the GDPR in all but name. As a result, business’ plans prior to the referendum designed to comply with the GDPR, should not change now, and businesses should continue to press ahead to ensure that they are ready to be GDPR-compliant by May 2018.

3. ICO GDPR guidance

In a post Brexit era, although the GDPR may not have direct effect in the UK, it will need to be fully taken on board as part of any new data protection legislation enacted in the UK. This point is reflected by the ICO statement in June 2016, with the ICO recognising that despite Brexit, “UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018”. Back on the 14 March 2016, the ICO had published a first guidance paper: ‘Preparing for the General Data Protection Regulation: 12 steps to take now’. It then made a further publication on 7 July 2016 entitled, ‘Overview of the General Data Protection Regulation (GDPR)’. While the first publication served as a general introduction to GDPR, the “overview is for those who have day-to-day responsibility for data protection.”

Many of the elements and enhancements the ICO refers to will likely require input from advisers and experts. However, businesses may get a head start by at least considering the issues highlighted below;

• Business buy-in: Practically, compliance is likely to involve more policies and procedures for businesses, although many businesses will already have many of the required good governance measures in place. Awareness and education is probably the foundation of ensuring compliance. It is imperative that the board, senior management and key decision makers are educated about compliance issues and the implications of non-compliance. Although ensuring compliance may involve an allocation of time and an outlay of money now, it could well save both more time and money in the future;
• Data protection officer: Businesses will also have to consider whether they will be under an obligation to designate a data protection officer (“DPO”). Previously, no such obligation existed, but under the GDPR, data controllers and processors will need to designate a DPO if (i) the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale, (ii) the core activities consist of processing on a large scale of special categories of data or (iii) required under Member State law. If a business has more than one establishment, it may be worth considering whether one DPO will suffice, provided that is, that the one DPO is easily accessible across the business.
• ‘Privacy by design’ and ‘Privacy by default’: Due to these dual conceptual requirements under the GDPR, businesses will need to ensure that privacy is embedded not only into the ethos and institutional thinking of the business, but also into each project that it proceeds with. The ICO had already advised that in light of these requirements, privacy and data protection be key considerations in the early stages of any project, and then throughout its lifecycle.
• Privacy impact assessments: Certain projects will also involve further burdens being placed upon businesses. For projects which might expose individuals to enhanced privacy risks, carrying out a privacy impact assessment (“PIA”) will become mandatory under the GDPR. In light of this, it will be important for businesses to review their current procedures and ensure that they have a standardised privacy impact assessment process up and running by 2018. Although, the ICO PIA code of practice was published in 2014, this will still be of assistance in this area.
• Lawful grounds for processing: Even businesses day-to-day processing will change under the GDPR, with lawful grounds for processing changing in certain instances. The rules around consent will, for example, become more onerous, with it now being required that consent must be freely given, specific, informed and an unambiguous. Given the new requirements governing consent, businesses may be best served only relying upon consent where it is the only way to justifying the relevant processing.
• Right of access: The right of access has been augmented under the GDPR to include additional information, such as details for the period for which the data has been stored. In certain circumstances, data subjects under the right to erasure will also be able to require businesses to delete their personal data where such data is no longer needed for their original purpose, or where the processing is based on the consent and the data subject withdraws that consent (and no other lawful basis for the processing exists). Organisations should therefore carefully review their processing activities, to ensure that they are able to permanently delete the relevant data in these circumstances.
• Data security breach: If a data breach occurs, the GDPR also introduces a new deadline of 72 hours to notify local supervisory authorities, and in certain high risk circumstances, a duty to inform the relevant data subjects affected by the breach without undue delay. Once again, businesses will need to review their current procedures and ensure they have a process in place forbreaches, to be identified, managed and if necessary escalated.
• The ‘one stop shop’ mechanism: Where a controller or processor carries out processing activities through establishments in multiple Member States, it may take advantage of the ‘one stop shop’ mechanism under the GDPR to appoint a supervisory authority in the country of the main establishment (namely, the country where the bulk of the data processing takes place) as a lead supervisory body across all EU operations. However, for multi-national businesses that have the ICO as the lead supervisory body, this benefit will be short-lived, as Brexit means they will have to look elsewhere in the EU. This serves to underline the point that although the GDPR involves onerous compliance requirements, Brexit will deprive the UK and many businesses of the benefits that exist under the GDPR

Certain businesses may believe in light of the vote for Brexit that such operational review and reorganisation will be of little benefit if the GDPR is only in force in the UK for less than a year. However, even if the GDPR were only to be in force for such a period, failure to prepare, and comply during this period, would leave businesses vulnerable to the increased fines that will apply under the GDPR.

Furthermore, such fears of work and time being wasted can be allayed for additional reasons. First, it is worth remembering that the GDPR will have extra-territorial effect and will apply to every business - whether in the EU or not - that offers goods and services to EU citizens or that monitors EU citizens’ behaviour. Many UK businesses will therefore still be subject to GDPR requirements regardless of whether the UK is a member of the EU.

4. EU Data Transfers Post Brexit

In the event of Brexit, the UK will likely take one of these two options to safeguard data transfers between the UK and the EU: either membership of EFTA and thereby looking to rejoin the EEA or it will seek an assessment of adequacy from the European Commission. Either route would mean that the effects of the GDPR will still be felt, even if it is not in force in the UK. Therefore, much of the preparation and many of the measures taken by businesses readying themselves for the GDPR will save much needed time and effort whatever road the UK eventually takes.

A rocky road: model clause agreements and binding corporate rules

It would be remiss not to consider the potential bumps in the road and the possibility (however faint it may be) that the UK could leave the EU without either membership of the EEA or an assessment of adequacy. Should this be the case, it would be burdensome to businesses transferring data between the UK and EU. Businesses would need to review all EU-UK transfers (including intra-group transfers) and put in place measures to ensure that such transfers are compliant. This could involve implementing model clause agreements (“MCAs”) or binding corporate rules (“BCRs”).

Introducing MCAs imposes an administrative burden on businesses, as putting them in place between all relevant legal entities, and sometimes within complex corporate structures, would require a great deal of organisation and planning. Moreover, MCAs act as a straitjacket, as they cannot be negotiated.

Implementing BCRs would be even more challenging, costly and time-consuming. On the issue of the process being time-consuming, if the applicant’s main establishment is in the UK, and it requires the ICO to be its lead DPA, then it will have to join the queue, as the ICO is already dealing with a long line of such requests. Therefore, it may not be possible to get BCRs approved prior to Brexit. Following Brexit, the ICO will not be authorised to act as lead DPA. Businesses with BCRs where the ICO is lead DPA will have to approach a DPA located elsewhere in the EU to be its lead DPA. It certainly calls into question to what extent if at all the UK will be able to benefit from the one stop shop approach put forward by the GDPR as one of its main achievements would be to harmonise DPA’s rules and processes across the EU.

An easier road to travel: EEA membership or an adequacy assessment

Nevertheless, businesses will hope that the UK takes a route more easily travelled. With so many UK businesses and services operating across borders, and data transfers and rights being so crucial to both businesses and organisations, and to consumers and citizens, it should be expected that the UK will do everything it can to ensure there’s a smooth transition. As referred to above, there are two main routes available to the UK in a post-Brexit world to secure data transfers between the UK and the EU.

The UK may opt for membership of EFTA, which in turn would enable the UK to remain in the EEA. Membership of the EEA allows a state to enjoy free trade with EU in exchange for submitting to the EU laws included in the EEA Agreement. The GDPR will be incorporated into the EEA Agreement, and therefore, if the UK were to remain an EEA member, then the GDPR would become part of the UK’s data protection regime.

If the UK was to leave the EU and not be part of the EEA, then the UK would effectively become a “third country” for data protection purposes. By becoming a “third country”, the UK would no longer automatically be considered a “safe” destination for EU personal data. This would mean that data transfers from the EEA to the UK would be prohibited unless the UK is recognised by the European Commission as providing “adequate protection” for transfers of personal data.

If the UK wishes to obtain a swift assessment of adequacy from the EC to continue to facilitate data transfers between the UK and the EU, it will be best served implementing domestic data protection legislation materially similar to the GDPR. That is not to say, however, that if the UK were to seek an assessment of adequacy from the EC, it would be entirely straightforward. In making its adequacy assessment, the EC will likely take into account the decision taken by the Court of Justice of the European Union (“CJEU”) in the Schrems case, which invalidated the Safe Harbour Framework. One of the key concerns of the CJEU in Schrems was that the privacy of EU citizens was not adequately protected due to the powers possessed by the U.S. intelligence services, which were deemed to go beyond what was strictly necessary and proportionate to protect national security. The concern that intelligence services in the U.K. may have overly broad powers may also become an issue in deciding whether the UK provides adequate protection for EU citizens privacy.

The transatlantic travel of data: EU/US Privacy Shield in place but the UK will need its own pathway

The EU and the U.S have sought to address the CJEU’s concerns in the Privacy Shield pact that was adopted recently (effective as of 12 July 2016) and replaced Safe Harbour. Privacy Shield states that data collection will have to be narrowly focused and relate to individually identified legitimate targets; it seeks to prohibit bulk collection of data in favour of targeted collection. The EC will likely try to impose the same conditions upon the UK. It may be difficult for the UK to reconcile these requirements with the Investigatory Powers Bill in its current form, which enables bulk collection, bulk interception and equipment interference.

The Privacy Shield pact has been expedited by the EU and U.S. due to a strong mutual interest in guaranteeing transatlantic data transfers. Unlike the EU-U.S. arrangement, due to political interests, the EU may not be in so much of a rush to accommodate data transfers between the EU and the UK. The EU is far less reliant on the UK’s digital exports than it is on those from the U.S. If negotiations were prolonged, then UK businesses would again have to rely on MCAs and BCRs for data transfers between the UK and the EU.

The UK will also have to negotiate its own version of the Privacy Shield pact with the U.S. to provide a legal grounding for UK-U.S. data transfers. However, given the special relationship between the UK and the U.S., it would seem likely that this process may be somewhat smoother than the equivalent negotiations with the EU.

Although no one can be certain of the exact path that the UK will now travel, the various routes all appear to lead to the same destination; the UK will both in the short-term and the longer term have data protection legislation in place which either is, or closely resembles, the GDPR. Therefore, the advice to businesses must be to continue aligning operations and processes to the requirements of the GDPR.