As the March 29th deadline for Brexit looms ever closer, there are implications for organisations to consider in the event of a ‘no-deal’ outcome, whether those firms are located in the UK, within the EU, or elsewhere in the world.
In short, a ‘no-deal’ Brexit will have the following data management implications:
- There will be no formal trade agreement between the UK and the remaining 27 member states of the European Union from 23:00 (GMT) on the evening of March 29th 2019, and for the foreseeable future. In such circumstances, the UK will be considered a ‘third country’, equivalent, in EU data processing terms, to India, Australia or China;
- From that date onwards, the UK will not be considered an ‘adequate’ state from the perspective of its data management regime, until such time as the UK formally applies for such status and it is granted by the remaining states of the EU. Such a process can take up to 3-4 years, based on the recent experiences of Israel and Japan when seeking such status.
UK firms to continue to abide by GDPR
It should be noted that the UK Information Commissioner has recently reiterated her position that, from end-March onwards, UK-based organisations will continue to comply with the GDPR. This is because, although the UK will no longer be an EU Member State, UK firms which continue to offer products or services to individuals within the EU must ensure that such processing complies with the GDPR principles.
Additionally, the UK Commissioner has confirmed that the GDPR, combined with the UK Data Protection Act (2018), will form the basis for any processing of personal data by organisations within the UK until further notice.
Appropriate Transfer Mechanisms
Any transfer of personal data after March 29th 2019, by an EU-based organisation to an organisation based in the UK which is acting either as a Data Controller or as a Data Processor, must be protected by one of the following formal legal mechanisms:
- The EU-based Controller will need to enter into a formal contractual arrangement with the UK entity, using one of the pre-drafted Special Contractual Clauses (SCCs) available on the website of the European Commission.
- An EU-based entity sharing data with a UK organisation which is a subsidiary within the same group of companies may be able to avail of the Binding Corporate Rules (BCR) mechanism, as long as this status has already been evaluated and granted by the European Commission.
- The EU-based entity must manage the transfer of personal data within the terms of a formal Code of Practice or certification mechanism which might be in place among organisations which operate within a particular industry or sector – here again, the Code of Practice or certification standard must already be defined and in place among the members of that sector or industry.
- As ever, certain exemptions and alternative solutions for data transfers between Member States and ‘third countries’ will remain in place, and these can be viewed on the website of the UK Information Commissioner’s Office (ICO).
Organisations should refer to this set of options when considering the lawfulness of their intended data transfers.
Unfortunately, if the March 29th 2019 deadline remains (as seems likely), then these transfer mechanisms must be put in place within the coming weeks. Any transfers of personal data by an EU firm to a UK-based entity without these mechanisms in place are at risk of being found non-compliant, and a breach of the GDPR.
The Challenge of Increased Public Awareness
Given the increased publicity and attention which the whole Brexit scenario has received, it is highly likely that customers, donors and members of the public will be raising questions in the coming weeks about the processing of their personal data, particularly where they are aware that their data is being shared with a subsidiary or service provider within the UK. Irish and other EU-based organisations need to be prepared to explain the provisions they have put in place, and to confirm that their continued engagement of UK-based partner organisations is compliant and appropriately secure.
EU and UK Nominated Representation
Regardless of whether March 29th 2019 passes with a Brexit ‘Deal’ or ‘No Deal’ in place, the departure of the UK from the EU will have other implications for both UK- and EU-based organisations.
Article 27 of the GDPR requires that organisations established outside of the EU, but wishing to provide products and services within the EU which involve the processing of personal data, must have a Nominated Representative within at least one EU Member State. The GDPR requires that this entity will “represent the (non-EU) Controller or Processor with regard to their respective obligations under this Regulation.”
By extension, organisations from anywhere in the world, including the EU, will need to have a legal entity within the UK in order to continue processing personal data of UK citizens after March 29th 2019.
(1) Non-EU firms
Many such international organisations which are aware of this obligation have, up to now, nominated a representative organisation established within the UK. Post-Brexit, this will no longer comply with the obligation, since the EU Nominated Representative must be established within a Member State of the Union. Therefore, where organisations already have a UK-based Nominated Representative, they will also need to nominate another entity within one of the remaining 27 Member States on or before March 29th 2019 in order to continue to comply with this obligation.
(2) UK Firms
As a further consequence, the obligation to have a Nominated Representative will apply, from March 29th 2019, to all UK firms which continue to offer products and services within the remaining 27 EU Member States. The unimpeded movement of personal data which was one of the benefits of being an EU Member will no longer be available to UK firms from that date.
Therefore, since they will now belong to a jurisdiction which has the same Data Protection status as India or China, UK firms who meet the criteria should really start looking, by the end of the month, for a legal entity within one of the remaining EU jurisdictions which will act as their representative under Article 27.
(3) EU Firms
As a final consequence, organisations established within the EU which offer products and services within the UK jurisdiction will, from end-March, need to have a legal entity established within the UK to represent their interests for such data processing activities. This is a mirror of the EU Nominated Representative, but ensures that UK citizens and the Supervisory Authority will have an entity established within the jurisdiction which will represent the interests (and liabilities) of any non-UK firm which is processing their personal data.
(4) GDPR “Stragglers”
As we have seen from recent half-year and year-end reports from several EU Supervisory Authorities, many organisations are still struggling to implement GDPR-compliant solutions which meet the obligations of the Regulation – the failure to appoint a Nominated Representative, where required to do so, is just one manifestation of that shortfall. Given the increased public and commercial awareness of the Brexit implications, such organisations will have very little excuse for non-compliance by the end of March 2019.
Brexit Options still available!
As we have seen in recent days, some uncertainty still remains in this context – not only with the form and duration of the Withdrawal Agreement, the final terms of the Back-Stop arrangement, the post-Brexit status of the UK and its territories, but also with the March 29th 2019 date itself.
All of the observations and recommendations outlined above will apply on whatever date is finally agreed by the interested parties – whether that is March 29th 2019, or some future date towards which this particular “can” is “kicked”.
It is difficult to envisage any comprehensive round of negotiations which might take place in the coming weeks or months which would render any of this moot, other than (dare we whisper) we have a ‘Dallas’ moment, wake up, step out of the shower and find that the whole thing was just an entertaining, disconcerting, extremely worrying dream.
Regardless of what transpires, Sytorus, through our offices in Ireland, the UK, Germany and Sweden is available to provide every support we can to our clients as we all prepare for the changes in the coming weeks.