What are the key practical issues for cross-border businesses dealing in the UK in a post-Brexit world?
With a UK government minister’s recent comments that Brexit will allow the UK to take steps towards ‘reforming our own data laws so that they are based on common sense, not box-ticking’ the future is looking uncertain for data protection law in the UK. The search for a ‘Brexit dividend’ has led government to consider that data protection is where it can be found.
However, for now, the implementation of the GDPR into UK law means that the law remains substantially the same.
Here’s what cross-border businesses dealing in the UK need to know following Brexit.
What law applies?
There is now a new version of the GDPR applicable directly in the UK (the UK GDPR). In its current form it is substantially the same as the EU GDPR – but tailored to the UK.
It also has extraterritorial provisions that mirror those in the EU GDPR.
In practice, this means that EU businesses will be required to comply with the UK GDPR, in addition to the EU GDPR, where those businesses:
- have an ‘establishment’ (i.e. an employee, branch or office) in the UK and process personal data in the context of that establishment;
- monitor the behaviour of individuals in the UK – such as via cookies on a website aimed at UK consumers; or
- offer goods and services to individuals in the UK.
That’s not a concern at the moment, while the law remains similar, but recent comments of the UK government suggest that that will not always be the case.
Even if no substantial changes are made to UK law in the near future, interpretation of the law by the Information Commissioner’s Office (ICO, the supervisory authority in the UK) can lead to significant differences in how those laws are applied in practice.
Pre-Brexit, the ICO would take into account the guidance of the European Data Protection Board (EDPB) when drafting its own guidance and making decisions. The ICO had a seat on the board and the EDPB would ensure a consistent approach throughout the member states of the European Union.
Following Brexit, the ICO no longer sits on the EDPB. Although EDPB guidance is likely to still be considered by the ICO, the ICO is no longer bound to follow it when issuing its own guidance. There is therefore a chance that this could result in different interpretations of the law in the UK compared to the EU.
Alongside guidance, case law will often determine how legislation applies to individual businesses. Pre-Brexit, the ICO would take into account decisions from the Court of Justice of the European Union (CJEU) on how legislation should be interpreted – the intention being that the legislation should be applied in a similar fashion across member states.
Following the end of the Brexit transition period, the UK will only be bound by future decisions of the CJEU in certain circumstances. Again, there is a good chance that UK data protection law, even though based on the GDPR, could be interpreted differently as a result of UK courts taking a different line to the EU.
What does this mean for EU businesses?
In practice this means that organisations in the EU that operate in both the UK and the EU will be subject to both the EU and the UK versions of the GDPR and must comply with both laws going forwards.
That shouldn’t be a concern for so long as the laws remain similar. However, in the event of a change to the law or its interpretation, businesses could be in the difficult position of being required to comply with different and possibly conflicting laws when dealing with personal data from EU and UK data subjects.
What about transfers of personal data?
At the end of June 2021, the UK government and the European Commission agreed an adequacy arrangement for the UK. This means that, in practice, personal data can be transferred between the EU and the UK without further safeguards being required.
This came as a relief to businesses in both the EU and the UK – for whom the requirement to put additional safeguards in place to transfer data between the two would have been a significant and costly administrative burden.
Unusually, however, the adequacy agreement between the EU and the UK included a ‘sunset clause’ which provides that the decision will automatically expire after 4 years unless renewed. It will only be renewed if the UK continues to ensure an adequate level of protection. Any divergence by the UK government from the current position, either as a result of a change to the law or to the interpretation of that law, could mean that in 2025 the UK is no longer deemed adequate.
A loss of the UK’s adequacy status could have a significant practical impact on businesses in the EU and the UK. Data could not be transferred between those two jurisdictions unless a safeguard, as specified under the EU GDPR, was put in place.
The most common safeguard is the EU Commission-approved standard contractual clauses; however, the CJEU’s decision in Schrems II last year clarified that the burden is on the business transferring the data to ensure that the data remains adequately protected in the jurisdiction it is transferred to. If the EU Commission has deemed that data is not adequately protected in the UK, it will be difficult for businesses in the EU to judge differently.
So, what practical steps do cross-border businesses need to take now as a result of Brexit?
The current position on the law and international data transfers means that there is nothing further for cross-border businesses to do in respect of those issues.
There are however other practical steps required as a result of Brexit. Here are the key requirements for cross-border businesses:
- Map your data flows: even where safeguards are not required for transfers of data between the EU and the UK, it is still important that those data flows are mapped and documented so that you have a clear idea of where you process and transfer personal data.
- Update your contracts, notices and policies: it is likely that those documents only refer to the EU GDPR. To the extent that the UK GDPR will also apply to your business as a result of the extraterritorial provisions, the UK GDPR should also be appropriately incorporated.
- Consider whether you are required to appoint a representative in the UK: The UK GDPR includes provisions that mirror the EU GDPR in relation to the appointment of representatives, meaning that in some circumstances a representative will be required to be appointed in the UK.
What does the future hold for cross-border businesses dealing in the UK?
The UK government’s recent comments suggest a move away from the EU data protection position; however, it remains to be seen how the UK government will manage that without impeding the ability for data to pass freely between the EU and the UK under its adequacy arrangement.
In the meantime, cross-border businesses should ensure that they know their data flows. A clear idea of where personal data is processed, stored and transferred will enable businesses to act quickly in the event of a change in the law which applies to only part of their database or a future restriction on data transfers.