Regulatory Horizons – Episode 3 – Ardi Kolah
Implications for data privacy in the UK in the wake of a deal or ‘no deal’ Brexit
Having left the European Union (EU) on 31 January 2020, the UK is currently in a Brexit transition period that runs out on 31 December 2020. Whilst the other 27 Member States of the EU have been grappling with containing the Covid-19 pandemic, you could be forgiven for thinking these countries as well as the UK have taken their eyes off the ball when it comes to striking a Brexit deal.
If you think that to be the case, think again.
If the UK wants an extension, it will need to ask for this by 30 June 2020 and the European Commission has already indicated that in the circumstances this would be granted. But the UK Government has included in the UK’s Withdrawal Agreement a prohibition on seeking any extension to the agreed timetable for getting a deal agreed and is sticking to this.
It’s fair to say the omens for a compromise deal with the EU don’t look good and a ‘no deal’ Brexit looks like being on the cards.
We’ll know for sure when both sides meet at the end of June as to whether a deal is likely or whether the two sides are too far apart. This not only has political implications for the UK in terms of the future relationship with the EU but also has profound implications for all companies engaged in international data transfers between the UK and the EU.
In a recent speech, Michel Barnier, the EU’s Head of Task Force for Relations with the UK, accused the UK of refusing to commit to guarantees protecting fundamental rights and individual freedoms as agreed in the Political Declaration.
He then went further in his criticism saying that the UK was rolling back on previous data privacy commitments it had made pre-Brexit:
It insists on lowering current standards and deviating from agreed mechanisms of data protection – to the point that it is even asking the Union to ignore its own law and the jurisprudence of the European Court of Justice on passenger data (“PNR rules”). That is of course impossible.
Brexit has created one of the big uncertainties in the enforcement of data privacy laws in the UK and the EU that could undermine the latter’s global regulatory clout over the next few years.
The main sectors affected by Brexit are those that process substantial amounts of personal information. They include (not exhaustive):
- Online retail
- Financial services (banks)
- Health sector
- IT services
- Big pharma
- Travel & leisure
Outcome 1: Full deal on Brexit
Judging by how the negotiations are going, this is the least likely outcome.
Under a full deal, companies can expect the following:
- EU-UK transfers remain unrestricted and the UK has full adequacy, although this could be revoked at any time
- Companies may need to make some adjustments to transferring data to EU/EEA
- The risk of fines for EU-UK data transfers stays low
- EU Charter of Fundamental Rights that safeguards right to privacy still applies
- UK is a ‘rule taker’ and subject to global reach of the ‘Brussels Effect’
- Companies will have to comply with changes in EU ePrivacy Regulation for digital marketing activities
Outcome 2: Minimal deal on Brexit
This is the most likely outcome if a compromise deal with the EU can be reached.
Under a compromise deal, companies can expect the following:
- Some EU-UK data transfers will likely be affected. UK has partial adequacy over limited market segments
- UK is a ‘rule maker’ across other market sectors but likely no adequacy decision from EU and therefore creates uncertainty
- Northern Ireland has a physical and electronic customs border with Republic of Ireland monitored jointly
- Likely to end up with a ‘Twin-Track’ data privacy approach at heart of Europe with UK & EU
- UK companies likely to face increase in operating costs and cost of compliance to implement compliant mix of organisational and technical measures
- UK Government likely to declare UK isn’t bound by EU Court of Justice. Transition of legal sovereignty to UK Supreme Court to be agreed with EU
Outcome 3: ‘No Deal’ Brexit
This is the most dangerous outcome for the continuation of international data flows.
Under a ‘No Deal’ Brexit, companies can expect the following:
- All EU-UK data transfers are now heavily restricted, and UK now trades with EU on WTO terms
- Likely legal confusion and uncertainty as no adequacy decision granted to UK or market sectors and threat to UK exports (e.g. services)
- UK companies' cost of compliance jumps as a result of ‘Twin-Track’ data privacy approach at the heart of Europe
- Greater complexity and frictions requiring novel organisational and technical solutions
- UK is a net ‘rule taker’ and subject to the ‘Brussels Effect’ across key sectors
- Companies must start to take action from 1st July 2020 after high level talks between UK and EU fail
In summary, companies can’t afford to wait and see what happens as this could be too late. Instead, companies must start planning now by reviewing organisational and technical measures that will help to navigate these uncharted waters and seek on-going support from data privacy professionals to protect business continuity, mitigate risk and use technology to achieve these outcomes.
Written for CLARC by Ardi Kolah LLM, CIPP/E, CIPM, FIP and registered candidate with CLARC Recruitment