On 25 November 2018, a draft Withdrawal Agreement was concluded between the European Union and the UK Government. This agreement contains a political statement on how the future relationship between the EU and UK would look like after the withdrawal date of 29 March 2019, and it sets out the terms and conditions of the departure of the UK from the EU. Further, a transition period was proposed, in order to create additional time for the development of a more meaningful relationship and to diminish the severe consequences a no-deal Brexit might entail (Byrne Hill, Evans & White 2019).
On 15 January 2019, the UK Members of Parliament had to vote on the approval of the draft agreement, which resulted in 432 votes against, and only 202 votes in favor (Clarke & Voce 2019; AFP 2019). Instead of having established a legally binding international treaty, and the brick stones for a bright and clear future, the UK landscape is left with uncertainty and division on how to proceed. The question on how the future relationship between the UK and EU would look like remains unresolved.
The further course of the situation will have major consequences for the entire world. Three possible scenarios can be distinguished:
- A no-deal-Brexit, whereby no agreement is concluded between the EU and UK.
- A deal-Brexit, where an agreement is reached between both the EU and UK before the withdrawal date.
- A revoke and reconsidering of Brexit (McDonald 2019)
We investigate the consequences in the area of EU privacy and data protection regulations for all three scenarios.
Scenario 1: The UK as a “third country” in case of a no-deal-Brexit
In case the UK would cease to be a Member State on 29 March, without having a negotiated deal in place, the UK national “European Union (Withdrawal) Act 2018” (“Withdrawal Act”) will enter into force and will transpose the directly applicable EU laws, including the GDPR, into UK law (this could be compared to the transposition of EU directives in Member State legislation, but EU legislation would cease to apply in this case).
In January 2019, the UK tabled over 80 different Statutory Instruments concerning the upcoming EU exit, including the draft “Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019” (“The Regulations”). When approved, these Regulations will be implemented and will enter into force in the event of Brexit. They contain amendments to both the UK national legislation, the Data Protection Act 2018 (“DPA 2018”), and to the implementation of the GDPR in the UK legislation. As the Regulations tend to create a new UK version of the GDPR, by distinguishing between a “UK GDPR” and an “EU GDPR” and by removing the “applied EU GDPR” from their DPA 2018, it is highly likely they will have a large impact on the future UK-EU data protection scene (Amberhawk 2019).
An overview of different coexisting legislations after Brexit on 25 January 2019:
|Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)||GDPR||In force|
|Data Protection Act 2018||DPA 2018||In force|
|European Union (Withdrawal) Act 2018||Withdrawal Act||No|
|Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019||The Regulations||No|
EU data protection rules only apply to EU Member States, and Iceland, Liechtenstein and Norway (members of the European Economic Area or EEA). When the UK leaves the EU without any deal concluded, the UK will thus become a “Third Country” with respect to the GDPR and EU data protection legislation. Even if the obligations and provisions included in the GDPR (the way they exist on 29 March) would still apply thanks to the previously mentioned transposition, this new qualification would still have a severe impact on the UK data protection framework. We discuss the following issues:
- Transfers outside the UK
- EU representative or UK representative
- Lead Data protection authority
- Divergences of legislations
a. Transfers outside the UK
International transfers of personal data of EEA companies from and to the UK would not be permitted unless there are adequate safeguards in place to ensure a high level of protection. If the UK wants to be able to continue transferring personal data without any additional requirements for each UK company, the UK would require an adequacy decision from the EU Commission. An adequacy decision would recognize that the UK data protection legislation provides equivalent safeguards as the EU regime. UK companies would therefore not be required to implement any additional safeguards. The request for an adequacy decision can however only be made after Brexit takes place (Amberhawk 2018), and it is uncertain how much time it would take to conclude. In light of the extensive surveillance powers of the UK’s national security services, the possibility to obtain an adequacy decision will remains dubious. On this matter, we can make a comparison to the challenges currently faced with the USA Privacy Shield.
Until such a decision is taken by the Commission, UK organizations will need to consider alternative options to maintain safe transfer of data:
- One mechanism UK companies could opt for, is to conclude agreements containing Standard Contractual clauses approved by the Commission, between their organization and the organization outside the UK (ICO 2018);
- Another option, for company groups, would be to adopt and incorporate Binding Corporate Rules, in order for them to be able to transfer data across borders within the group. Important to note is that Binding Corporate Rules that have been approved by the ICO (Information Commissioner’s Office, the UK data protection authority) need to be re-approved by another data protection authority as the ICO will no longer be competent (i.e. within EEA) to do so;
- Finally, some companies, especially when executing high risk data processing activities, would therefore consider moving their UK entity to another EU Member State (Byrne Hill, Evans & White 2019).
According to the Regulations, the UK Secretary of State has its own powers to determine whether third countries offer an adequate level of protection. This procedure does not include any consultation of the ICO, and almost no guarantee of Parliamentary scrutiny due to a negative resolution procedure. The UK Parliament is only allowed to submit a motion to reject the determined adequacy determination within 40 sitting days of the decision. It will therefore be highly likely that transfer provisions will be discussed as part of trade negotiations between the UK and third countries, subject to (substantial) political influence (Amberhawk 2019).
b. EU Representative or UK Representative?
According to Article 27 of the GDPR, when UK companies are no longer established within the EEA, they might be required to have an EU representative. Controllers located in the UK without any establishment in the EEA will need to appoint an EU representative in case they offer goods or services to data subjects in the EEA. A representative is however not required when the processing is occasional, and does not include, on a large scale, processing of special categories of data or personal data relating to criminal convictions and offences. This processing must be unlikely to result in a risk to the rights and freedoms of data subjects. Public authorities or bodies are also not required to have an EU representative (EDPB 2018). Controllers located outside the EEA which had their EU representative located in the UK, will have to select an alternative EU representative located in an EEA country (Byrne Hill, Evans & White 2019).
The Regulations, on the other hand, introduce their own principle of “Third Country” in their Article 6(13), being “a country or territory outside the UK”. This means that each EU controller offering services to UK citizens would also be obliged to appoint a representative in the UK. It remains unclear yet what that representatives’ role would be (Amberhawk 2019).
c. Lead Data Protection Authority
Companies which had their main headquarters in the UK and thus had their lead data protection authority located in the UK will receive another lead DPA in one of the EEA Member States. The companies will need to cooperate with both the new EU lead DPA and the UK DPA in certain cases where the UK establishment is maintained e.g. when a data breach has affected both UK and EU data subjects (Byrne Hill, Evans & White 2019).
d. Divergence of data protection legislations
After the withdrawal date, the UK legal system and the EU legal system will probably be quite aligned in the beginning. Over time, the UK will develop distinct national rules on data protection, whereby potential conflicts between both legal systems might arise as some rules will probably contradict the EU GDPR. When the Regulations will be approved and enter into force, two different versions of GDPR will be created (UK and EU) and harmonization between both will no longer be an objective. The UK is allowed to modify any article of the GDPR, and thus any obligation they need to comply with. The other EU Member States are not provided with such a margin of discretion (Amberhawk 2019). Also, the European Data Protection Board will interpret the GDPR through recitals and will adopt binding decisions to further harmonize the GDPR across the EU. These recitals and decisions will not be applicable to third countries, and thus not enforceable in the UK (Amberhawk 2018). Further, the DPA 2018 will also remain in force and could be modified or complemented as well. Consequently, divergence will occur between the UK and EU Member States’ data protection legislations. It is, however, recommended for the UK to not diverge too far from the provisions of the GDPR, as they may still require an adequacy decision to freely transfer to and receive data from the EU (or all companies that have to comply with the GDPR). As a third country, the UK data protection authority would no longer be a member of the European Data Protection Board (Byrne Hill, Evans & White 2019).
Scenario 2: Brexit-deal
A second possible scenario for the UK in the context of data protection seems to be more promising.
a. Transition period
First of all, if the UK ratifies the Withdrawal Agreement on 29 March, the transition period will commence and last until 31 December 2020. It would, unfortunately, not prevent the UK from ceasing its membership of the EU. Despite this, in such a way, the parties can try to agree on the terms of their future relationship, while the UK can gain some time to obtain an adequacy decision from the European Commission. During this period the UK will be considered as a Member State, which means that EU laws will still apply to the UK, so the data transfer from the European Economic Area may take place without the necessity to implement any further safeguard measures (Byrne Hill, Evans & White 2019). However, this does not mean that the UK will be able to take part in decisions made by the EU institutions.
b. Canadian model
One more optimistic alternative for the UK lies in pursuing a deal based on the Canadian model, also known as CETA, the EU-Canada Comprehensive Economic and Trade Agreement. It implies the liberalization of trade with the EU, although UK companies would not have the same level of access to EU markets and some sectors. For example, financial services and transport services, will still remain very restricted (Heffer 2017). Regarding data protection, the scenario of a no-deal Brexit, as described above, will apply in this situation as well. However, the fact that the UK will be able to trade freely with the EU, might help the country to maintain a good relationship with the EU and, consequently, obtain an adequacy decision in the future.
c. Norway model
The Norway model might be a bright light at the end of the tunnel for the British population. It would mean that the UK will remain part of EEA and the single market. Although, there is a chance that EFTA (European Free Trade Association) and EEA countries will not accept the UK’s application to join their club as the country already announced its desire to leave soon.
Moreover, the UK needs to first accept all the requirements of the deal including the freedom of movement of EU migrants, among others. Taking into consideration that Theresa May pledged to reduce the number of migrants, the UK would not be able to meet this requirement and, as a result, to remain a member of the EEA. This would consequently have an impact on the application of the GDPR, whereby the UK will be considered as a 3rd party (Chaplain 2018).
Scenario 3: Revoke and reconsider
After Theresa May’s proposed Withdrawal Agreement has been rejected on 15 January 2019, she was called to rule out a no-deal Brexit or to hold a second referendum. Currently many political and business leaders have already called for a second referendum, whereby Brexit could be reversed. This scenario is rather optimistic but not improbable. The Court of Justice of the European Union last year already ruled in a landmark judgement that it would be possible for the UK government to simply revoke the decision to leave the EU made under Article 50 of the Treaty of the EU (Chaplain 2018). As of the day Brexit was voted, the opinions on Brexit by the UK population remain highly divided, hence a new referendum might lead to a turnaround: to a majority of people voting to stay in the EU (Tidey 2019). If the second referendum leads to a British vote against Brexit, this would be a very positive outcome with regards to the data protection scene: data transfers would not imply complications, as the UK would not be considered as a third country, and thus the GDPR would still remain applicable. Besides, Britain would be subject to decisions of the European Data Protection Board, including the participation of the UK Information Commissioner’s Office and its influence on the interpretation of data protection law. Though, for the referendum to happen there should be a delay to Brexit, which should first be approved by all 27 EU member states and the UK itself (Tidey 2019).
In conclusion, there are currently three possible Brexit-scenarios and, consequently, three different perspectives on the application of the GDPR in the UK. The first scenario implies a “hard” Brexit or a no-deal Brexit, favored by those who voted to leave. This would specifically lead to the following consequences:
- the UK will become a third country when personal data are being transferred;
- UK controllers offering goods and services to the EU data subjects might need to appoint representatives in the EU in certain cases;
- UK organizations operating across Europe will need to cooperate with both UK and EU data protection authorities;
- the UK will fall under the scope of, on the one hand, the UK Data Protection Act 2018 and the GDPR implemented into national law (“Data Protection, Privacy and Electronic Communications (Amendments etc.), and, on the other hand, of the GDPR as an EU regulation.
The second alternative is a “soft” or a deal-Brexit, entailing a close alignment of the UK with the EU, based on an adequacy decision. A second referendum leading to the revocation of the Withdrawal Agreement can be still seen as a third option. Data protection-wise, it would indeed help to avoid many potential political and economic issues, however this may trigger a major crisis for constitutional Britain.
AFP, “UK Brexit vote set for January 15 as MPs oppose ‘no deal’ scenario”, Standard Media 9 January 2019, https://www.standardmedia.co.ke/article/2001308839/uk-brexit-vote-set-for-january-15.
Amberhawk, “Draft Brexit Data Protection Regulations would undermine adequacy determination for the UK”, Amberhawk Hawktalk 18 January 2019 https://amberhawk.typepad.com/amberhawk/2019/01/draft-brexit-data-protection-regulations-would-undermine-adequacy-determination-for-the-uk.html.
Amberhawk, “Draft Withdrawal Agreement does not guarantee frictionless free flow of personal data from European Union”, Amberhawk Hawktalk 20 November 2018, https://amberhawk.typepad.com/amberhawk/2018/11/draft-withdrawal-agreement-does-not-guarantee-frictionless-free-flow-of-personal-data-from-european-union.html.
Byrne Hill Miranda, Evans, Marcus, and White, Lara, “Parliament fails to approve the EU Withdrawal Agreement: Data protection implications”, Compliance and risk management 16 January 2019, https://www.dataprotectionreport.com/2019/01/parliament-fails-to-approve-the-eu-withdrawal-agreement-data-protection-implications/.
Case C‑621/18 Wightman v. Secretary of State  ECLI:EU:C:2018:999
Chaplain, Chloe, “UK has the power to cancel Brexit on its own, European Court of Justice rules”, iNews 10 December 2018, https://inews.co.uk/news/brexit/brexit-ecj-ruling-revoke-leave-eu-european-court-justice-latest-news/.
Chaplain, Chloe, “What is a Norway-style Brexit? The option explained – and how likely it is”, iNews 28 November 2018, https://inews.co.uk/news/brexit/norway-style-brexit-model-explained-option-how-likely/.
Clarke, Seán and Voce, Antonio, “How did my MP vote on May’s Brexit deal?”, The Guardian 15 January 2019, https://www.theguardian.com/politics/ng-interactive/2019/jan/15/how-did-your-mp-vote-on-mays-brexit-deal-meaningful-vote.
EDPB, Guidelines 3/2018 16 November 2018of on the territorial scope of the GDPR (Article 3).
Ellyatt, Holly, “British Prime Minister May to reveal her ‘Plan B’ for Brexit”, CNBC 21 January 2019, https://www.cnbc.com/2019/01/21/british-prime-minister-may-to-reveal-her-plan-b-for-brexit.html.
European Commission, “Rules on international transfers of personal data”, Policies, Information and Services, https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/rules-international-transfers-personal-data_en.
European Union (Withdrawal) Act 2018, can be accessed at: https://www.legislation.gov.uk/ukpga/2018/16/contents/enacted.
Faulconbridge, Guy, “Various Scenarios for Brexit: Deal, No Deal, New Referendum?”, Insurance Journal 13 August 2018, https://www.insurancejournal.com/news/international/2018/08/13/497794.htm.
Heffer, Greg, “Brexit: What is a Canada-style trade deal?”, Sky News 24 October 2017, https://news.sky.com/story/brexit-what-is-a-canada-style-trade-deal-11096397.
ICO, “Blog: Data protection and Brexit – ICO advice for organisations”, ICO Blog 13 December 2018, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/12/data-protection-and-brexit-ico-advice-for-organisations/.
McDonald, Karl, “Brexit vote result: what happens next after Theresa May’s deal suffered defeat in Parliament”, iNews 16 January 2019, https://inews.co.uk/news/brexit/brexit-vote-result-theresa-may-deal-parliament-what-happens-next/.
Reid, David, “UK leader Theresa May suffers resounding defeat on her Brexit divorce deal”, CNBC 15 January 2019, https://www.cnbc.com/2019/01/15/theresa-may-loses-brexit-vote-in-parliament.html.
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, can be accessed at: https://www.legislation.gov.uk/ukdsi/2019/9780111178300/contents.
Tidey, Alice, “British MPs prepare motions to block no-deal Brexit, undermining May”, Euronews 22 January 2019, https://www.euronews.com/2019/01/20/british-mps-prepare-motions-to-block-no-deal-brexit-undermining-may.
Authors: Justine De Meersman & Iryna Shakhnenko