Almost six months since Brexit became a reality, we still don’t know when it will actually happen; nor do we know the consequences of the unprecedented divorce. In this Keynote, commercial lawyer and data protection specialist Carolyn Bertin examines the implications for the free movement of data.
The initial surprise at the win for the Leave supporters (whichever camp you are in, the result was a surprise) is over, and we have had the summer months to mull it all over and start to come to terms with what Brexit means.
Except we still don’t really know what it means.
The only certainty is that Brexit is an expression, coined by an economist in 2012, to describe Britain exiting the European Union (EU). As with most divorces, much is at stake and hinges on the divorce settlement. Meanwhile, how smoothly the settlement negotiations go depends on the willingness of the parties to talk openly, transparently and in a co-operative and constructive manner. All businesses in the United Kingdom (UK) and in the rest of the European Economic Area (EEA) are anxious to understand what will be required to maintain free trade between the UK and the rest of the EEA, and to maintain the data flows that are essential to the digital services sector, one of the mainstays of the UK economy.
However, it seems that the UK Government is not, as yet, willing to engage in discussions with industry bosses to better understand and address their concerns about the impact of Brexit on free trade and on the maintenance of data flows. So far, the British Prime Minister, Theresa May, is keeping her cards close to her chest despite calls for more transparency. The High Court’s ruling that the UK Parliament alone has the power to trigger Article 50 (formal notice to the EU that Britain wishes to leave) offers some hope that the Government will now have to lay out its plans to Parliament rather than keeping them to itself.
However, Mrs May is not giving up her hand that easily. There could be a further delay to the triggering of the exit negotiations and a dragging out of the uncertainty while we wait to see if the Supreme Court upholds the High Court’s decision once it has considered the Government’s appeal. This potential prolonging of the political, economic and regulatory uncertainty will be a blow to every business in the UK that exports its goods and services into the EU, and for digital services companies relying on free flow of data across the UK borders.
Preserving the ability to maintain data flows, in an economy that is powered by the digital services sector, is crucial to maintaining the UK’s position as the second-largest commercial market in the world. To that end, the big question everyone has been asking is whether Britain will adopt the new European regulatory framework for the protection of personal data, the General Data Protection Regulation (GDPR), and what it means for data flows if it does not. But is that the right question? The UK will have no choice when it comes to the GDPR: it will have come into force before the UK leaves the EU, and as a Regulation it has direct application in all EU member states. It will therefore apply directly in the UK from May 2018 even if the UK triggers Article 50 in March 2018, the exit negotiations go swimmingly and the UK stays on target to exit the EU by March 2019.
Perhaps the question we should be focused on answering is what happens once Britain does actually leave the EU and the GDPR no longer has direct application in the UK. Will the Information Commissioner’s Office (ICO) and the UK Government be working, over the next eighteen months, to adopt the GDPR under national law so that, come the day when the GDPR no longer has direct application from Brussels, its principles will already be embodied in national law in England? It would then be very hard for the powers that be in Europe not to fast-track an adequacy decision (i.e. declare that the UK has a regulatory regime for the protection of personal data that is as robust as that in the EU), thereby seamlessly maintaining the flow of personal data into and out of the UK from and to other EU countries without the need for other, more cumbersome methods, such as Standard Contractual Clauses, to legitimise such transfers.
It certainly seems that the Information Commissioner, Elizabeth Denham, is paving the way for adoption of the GDPR into English data privacy law to ensure a fast-track adequacy decision. In a recent BBC radio interview she said that the “bottom line is that Brexit shouldn’t mean Brexit when it comes to data privacy”. The Secretary of State for Culture, Media and Sport (CMS) seems to be supporting Ms Denham’s position and is making the right noises. The problem is, Ms Denham does not make the law and the decision is not one for her alone, not even with the support of Karen Bradley MP, the current Secretary of State for CMS. It is not even one for the Government alone, but one for Parliament once the Government has agreed on proposing a bill for Parliament to scrutinise and approve. Both the Government and Parliament will have their hands full assessing a myriad of other laws related to trade, exports, tariffs and taxes, not to mention immigration, which will all need to be sorted out quickly if Britain is to continue to thrive following its bust-up with its biggest trading partner. All that comes after the Government and Parliament have finished mulling over the hurdle of serving the Article 50 notice in the first place. From where we are today it still looks like a long and uncertain road that stretches before us.
So what can businesses that are reliant on data flows between the UK and the EU do to ensure that they are fully prepared to demonstrate a continued culture of protection of personal data so as to maintain the same unfettered level of data flows post-Brexit?
1. Prepare for the GDPR
Whatever happens with Brexit, the GDPR will apply at least for a period from May 2018. If you offer goods or services to individuals in the EU (whether or not charged for), or if you monitor the behaviour of individuals in the EU, then the GDPR will apply to you anyway irrespective of whether it is the law in England or not. Therefore you should start taking steps now to ensure that you are compliant with the new requirements for both data controllers and data processors under the new EU regulations. For the ICO’s overview of the GDPR, see: https://ico.org.uk/for-organisations/data-protecti... and for my article summarising the key differences between the GDPR and the existing EU Directive, see http://www.keystonelaw.co.uk/keynotes/changing-the...
2. Implement Binding Corporate Rules (BCRs)
These are like a code of conduct applicable to all entities within a group, irrespective of the geographic location of those entities. This code of conduct covers how the entire group handles personal data. The BCRs need to be approved by the data protection authorities (DPAs) in each of the EU member states, but you would work with your local DPA (which in the UK would be the ICO) to establish an approved BCR, and approval by the other DPAs should then follow that of the lead DPA. BCRs cover only intra-group transfers of personal data and the processing of data within the same group. They do not extend to third parties unless you specifically design them to include third-party sub-processors, which would be difficult as you would be seeking to enforce a code of conduct against organisations over which you exercise no control except through contractual arrangements. For more information on obtaining BCRs in the UK, see: https://ico.org.uk/for-organisations/guide-to-data...
3. Be prepared to enter into Standard Contractual Clauses (SCCs)
Although under scrutiny and probably due a revamp, SCCs still remain the preferred mechanism for ensuring legitimate transfers of personal data to organisations outside of the EEA. These are a set of standard clauses approved by the European Commission that impose obligations on organisations outside of the EU that are receiving and processing personal data of persons in the EU. It is essential for the importing organisation to have in place appropriate technical and organisational security to protect the personal data, the details of which must be documented in Appendix 2 to the SCCs. Once Britain is outside of the EU and the GDPR no longer has direct application in Britain, unless Britain has been granted adequacy status by the European Commission, SCCs (or any successor to SCCs that comes into play) will likely be essential for UK organisations receiving data from inside the EEA. Organisations in the UK receiving personal data from organisations in the EEA will need to enter into the SCCs with each organisation in the EEA that is sending personal data for storage and processing in the UK. Therefore it would be as well to be prepared to build the SCCs into your contractual arrangements post-Brexit. Here is a link to the current EU SCCs: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML...
4. Build the latest security and technological advancements into your data storage and processing systems
Demonstrating an ability to keep personal data secure both in transit and at rest will be key to demonstrating compliance with the GDPR and SCCs, to getting approval for BCRs, and to maintaining the trust of customers and regulators both within the EEA and across the globe. It is therefore essential for all businesses that store, process and transfer personal data to ensure that the latest security and technological advancements are applied to the systems storing and transmitting personal data, including encryption coupled with good key management, identity-binding protocols, tamper-evident logs, support for execution verification by auditing authorities, support for dynamic data operations, and protocols for public verification of data integrity by a trusted auditing server, to name a few. It is essential to carry out thorough due diligence on the type of technology and the levels of security provided by any outsourced service providers, and to get binding contractual commitments from such service providers to ensure the implementation and maintenance of the most up-to-date and robust technological and organisational security.
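As an added illustration of the "tamper-evident logs" and "verification of data integrity" items above (this is not part of Ms Bertin's article), the following Python builds a hash-chained processing log and shows how a retroactive edit to an older record is detected on verification; the event records are constructed sample data and the field names are assumptions.

```python
import hashlib
import json

# Added illustration: a hash-chained (tamper-evident) log. Every entry commits to
# the hash of the entry before it, so retroactively altering or deleting a record
# invalidates all later hashes and the change is detectable on verification.
GENESIS = "0" * 64  # assumed predecessor hash for the first entry

def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

def append_entry(log: list, record: dict) -> dict:
    """Append a record, linking it to the hash of the current last entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev_hash": prev_hash, "hash": entry_hash(prev_hash, record)}
    log.append(entry)
    return entry

def verify_chain(log: list) -> tuple:
    """Recompute every link; return (True, None) or (False, index of first bad entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash or entry_hash(prev_hash, entry["record"]) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, None

def build_sample_log() -> list:
    """Constructed sample events a UK data importer might record (not real data)."""
    log = []
    append_entry(log, {"event": "transfer_received", "from": "controller-eu-01", "records": 120})
    append_entry(log, {"event": "access", "user": "analyst-7", "purpose": "support"})
    append_entry(log, {"event": "erasure", "subject_id": "S-4411", "records": 1})
    return log

def tamper_demo() -> tuple:
    """Edit an older record in place without re-hashing; the verifier pinpoints it."""
    log = build_sample_log()
    ok_before, _ = verify_chain(log)
    log[1]["record"]["user"] = "analyst-9"
    ok_after, bad_index = verify_chain(log)
    return ok_before, ok_after, bad_index  # (True, False, 1)
```

Note that silently truncating the tail of the log is not caught by the chain check alone; the latest hash must be anchored outside the log (signed, or handed to the auditing party) so it can be compared against what the auditor expects.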
Even if the triggering of Article 50 is delayed, or never happens, considering and taking the above steps will be time well spent and should put your business ahead of the game whatever the final outcome.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.