The hard-Brexit scenario has created a lot of confusion with regard to the applicability of EU data protection laws in the UK. There are a number of topics of contention, and two main questions concerning the impact on business: what happens to the applicability of GDPR, and how will it impact the world of outsourcing to the UK? I intend to answer these two questions.
As a consequence of still having to comply with EU law under the terms of the Brexit Withdrawal Agreement, the General Data Protection Regulation, or GDPR, is currently applicable in the UK. This means that the UK has adequate data protection laws, and that there is no need to provide extra safeguards while transferring data from any other EU country to the UK.
However, with the UK deciding to proceed with Brexit and move out of the EU, legally speaking the UK does not need to comply with GDPR. The UK does not fall under the adequacy decision of the European Commission and as such the data protection laws in the UK do not meet EU data protection standards. Therefore, organisations based in the EU will have to put in place some additional safeguards when transferring personal data to the UK.
While Brexit experts have different scenarios, for the purpose of this article I will explore the worst possible scenario, that being no agreement and the UK deciding to leave as-is. I elaborate on this because if you are prepared for this, you are likely to be ready for most other scenarios.
I shall elaborate on the privacy and outsourcing (or data transfers) perspective.
The privacy perspective
Yes, it is true that legally EU GDPR will not apply if things were just to close as-is and the UK exits. Technically and legally, the UK will no longer be an EU member state and hence GDPR will not apply to the UK. However, there is a practical element in that the Data Protection Act of 2018 that the UK legislated is aligned with GDPR and is highly unlikely to change. Even if it does, I cannot see the UK offering lower privacy protection to its citizens. So, in all probability, there is a good chance that citizens will continue to enjoy the protection they have right now.
Similarly, all companies operating in the UK were already required to comply with the GDPR, or the Data Protection Act 2018. So, if UK based companies have clients in the EU then the GDPR applies to them even if the UK leaves the EU as-is.
From a governance perspective, the Information Commissioner’s Office (ICO) is the regulatory authority in the UK and will remain so. What will change is that the European Data Protection Board (EDPB) may not have a role and ICO will lose its seat in the EDPB. This is not likely to matter a great deal, meaning that from a privacy perspective, the impact is likely to be negligible.
The outsourcing perspective
Outsourcing of work by EU companies to the UK is currently based on what is known as the adequacy decision. The current adequacy decision states that all EU member states are deemed to have adequate privacy protection. Of course, there are non-EU countries which comply with the adequacy decision, but the UK is not on the list of other countries as it is still in many respects an EU member state. But post-Brexit, the UK will neither be a member state nor be on the list of non-EU countries deemed to have adequate protection.
If this sounds bizarre, that’s because it is: how can being included (or not) on the adequacy decision list change the level of protection in a state? I completely share your feelings. But this is how it will be.
For the record, the UK’s ICO has already stated that post-Brexit, the EU will be considered to have adequate protection. However, a reciprocal statement has not yet been made by the EDPB. This means transfers from the UK to the EU will be fine without any changes and companies can continue to operate as now. But what happens to companies who have been transferring data from the EU to the UK?
In my opinion, there can be two scenarios:
1. The EU grants the UK adequacy on the grounds that the UK was a member state and that its Data Protection Act was in line with GDPR. If so, no action and no worries.
2. The EU does not grant the UK adequacy. In such a scenario, the transfer mechanism for all UK companies providing services to the EU companies will need to rely on standard contractual clauses.
It is very difficult to predict what will happen. It is reasonable and rational to consider that privacy protection standards in the UK will remain the same irrespective of whether EU GDPR is applicable or not. However, outsourcing to UK companies may need some changes in contracts based on what gets decided by the end of the Brexit transition period, which is the end of 2020.
We will know more about this in due course.