The Waiting Game Continues for Impact of Brexit on Data Transfers
On April 10, 2019, the European Union (“EU”) voted to extend the Brexit deadline to October 31, 2019. Although the UK has avoided a no-deal Brexit for now, the parameters of a withdrawal agreement are still uncertain and the possibility of the UK eventually leaving the EU without a deal still exists. In addition, if the UK fails to abide by the terms required for the full extension (i.e., fails to hold EU Parliamentary elections by May 26th), the UK must exit the EU on June 1st, with or without a deal. A no-deal Brexit or, to a lesser extent, a withdrawal agreement are likely to disrupt international markets, trade, and immigration. In particular, organizations transferring personal data from other EU member states to the UK will need to monitor how the UK plans to address compliance with the EU General Data Protection Regulation (“GDPR”) and make preparations accordingly. Although nothing about Brexit has been predictable so far, we have described some potential scenarios in this insight to help businesses plan for the future.
Scenario 1: A “No-Deal” or “Hard” Brexit
Data Transfers from the EU to the UK. The UK will be dubbed a “third country” under the GDPR if it exits the EU without a withdrawal agreement. A “third country” generally means any country or territory outside the European Economic Area (“EEA”). Under the GDPR, organizations from third countries without an “adequacy decision” must adopt appropriate safeguards to transfer data from the EEA to a third country.[1] Appropriate safeguards may include Binding Corporate Rules, Standard Contractual Clauses, certification mechanisms, or other protections.[2] The UK expects to receive an adequacy decision from the EU given that the UK’s data privacy laws will remain consistent with the GDPR (at least in the short term), but it is unclear when the EU will issue an adequacy decision.
Data Transfers from the UK. The UK government amended the Data Privacy Act 2018 (“DPA”) to minimize disruption to organizations by allowing the free flow of data from the UK to the EU and third countries that have received adequacy decisions from the EU. Countries and territories with adequacy decisions from the EU include Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, and Uruguay. In addition, the DPA amendment allows U.S.-based organizations that have self-certified to the EU-U.S. Privacy Shield Framework to freely transfer data from the UK to the U.S.
GDPR Representative & Data Privacy Enforcement. If U.S. companies affirmatively market goods or services to individuals in the EEA, or monitor the behavior of individuals located in the EEA, then these companies must designate a legal representative in the EEA.[3] Thus, if a company’s legal representative for GDPR is in the UK, the company would need to appoint a new representative in the EEA. The EU is also expected to establish a uniform enforcement regime that prevents multiple supervisory authorities from issuing fines for the same incident. However, if a no-deal Brexit transpires, then organizations could be fined by the UK supervisory authority and the relevant EU supervisory authority for the same incident.
Scenario 2: Theresa May’s Withdrawal Agreement
The EU and Theresa May negotiated a withdrawal agreement (the “May Agreement”) that required the UK to maintain compliance with the GDPR and permitted the free flow of data between the UK and the EU without an adequacy decision or the adoption of appropriate safeguards.[4] However, the May Agreement was limited to the transition period from March 30, 2019 to December 31, 2020.[5] The May Agreement has so far not been ratified by the UK Parliament (although there is a chance that it will be brought back by the government for another vote in the future), but it offered an option that the EU was willing to accept and it may inform negotiations over the next two to six months.
Scenario 3: Common Market 2.0 Agreement
An informal group of Members from the UK Parliament created a Common Market 2.0 agreement that contemplates the UK joining the European Free Trade Association (EFTA). Countries that are part of the EFTA are considered members of the EEA and do not require an EU adequacy decision or additional transfer protections such as Binding Corporate Rules or entering into Standard Contractual Clauses to receive data from an EU member state.
Scenario 4: New Withdrawal Agreement
The UK and the EU may strike an entirely new withdrawal agreement, although there are significant political hurdles to any such outcome. A new agreement could include additional data privacy assurances that go beyond the assurances detailed in the May Agreement. For example, the EU may require the UK to establish a privacy shield framework similar to the EU-U.S. Privacy Shield Framework. Alternatively, a new agreement could include a transition period similar to the May Agreement and a requirement that the EU issue an adequacy decision at the end of the transition period.
What this Means for You
The EU has given the UK Parliament some time to craft and negotiate a new withdrawal agreement or obtain approval of the May Agreement. But organizations operating in the EU and UK should monitor these negotiations closely to understand and prepare for potential additional data privacy compliance obligations. For example, organizations may want to prepare appropriate safeguards for data transfers between the EU and UK and be ready to implement those safeguards in the event of scenarios such as a no-deal Brexit. The waiting game continues, but organizations should not wait so long that they are unable to react quickly once the Brexit journey comes to an end.
[1] Under Article 45 of the GDPR, the European Commission has the power to issue an adequacy decision if a third country’s national laws provide a level of protection for personal data which is comparable to that of EU law. If a third country has obtained an adequacy decision, then data may freely flow from the EU to that third country without any additional safeguards in place.
[2] Binding Corporate Rules are a set of internal policies governing cross-border transfers that offer sufficient safeguards on data protection for cross-border transfers and have been reviewed and approved by an EU supervisory authority. Standard Contractual Clauses are clauses approved by the European Commission that are placed in a data transfer agreement and offer sufficient safeguards on data protection for cross-border transfers.
[3] See 5 Things You May Not Know (But Should!) About GDPR (https://plus.velaw.com/2018/07/26/5-things-you-may-not-know-but-should-about-gdpr/) for a discussion regarding the difference between a legal representative and a Data Protection Officer under the GDPR.
[4] See Draft Agreement On the Withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community, Title VII, Articles 70-74 (November 14, 2018).
[5] See id. at Article 126.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.