Brexit and data protection – Impacts for the UK and the EU

Covid 19 has understandably dominated the news headlines for many weeks and will no doubt continue to do so for some time to come.  But amidst talk of easing lockdowns and reopening schools another narrative could soon become more prominent than hitherto. The deadline for asking for an extension to the negotiations on the future relationship between the UK and EU comes at the end of June.  

Without an extension, the transition period (during which the EU Treaties and secondary legislation apply to the UK as if it were still an EU Member State) comes to an end on 31st December 2020.

Politicians in the UK and EU have urged the UK Government to extend the deadline, given that the talks have been slowed by the pandemic. However, the UK Government is showing no signs that it wishes to prolong the negotiations. It was elected on the promise to “Get Brexit done”.  

Aside from the time pressures, the trade talks between the UK and the EU are reportedly going badly. Without an extension to the negotiations or an improvement in the likelihood of success, the EU and UK face the prospect of trading with one another on WTO terms from the end of December. This may be problematic. The WTO is currently in a state of uncertainty. The US is blocking the appointment of new judges to the Appellate Body. This means that disputes under WTO rules cannot be finally resolved.

Data protection

If the trade talks between the UK and the EU break down, what does this mean for the ongoing negotiations on EU adequacy for the UK?  The UK was at pains to point out in its negotiating position on the EU-UK future relationship that the adequacy negotiations are “separate” from the negotiations on the future relationship. But it’s not clear how realistic this position is. On the other hand, it is in the interests of both the UK and the EU to achieve a free flow of data between them. Enabling data flows to continue unimpeded would be one less headache for businesses across the European continent.

One aspect which has received far less attention than the EU adequacy decision for the UK is the fact that the UK is also conducting its own adequacy assessment of the EU in parallel.  So failed adequacy negotiations in relation to the UK may also result in a lack of “UK adequacy” in favour of the EU.  

If adequacy talks fail, this means that both UK and EU businesses will need to consider other mechanisms for transfers between the UK and the EU after 31st December 2020.  

Divergence in standards?

The UK has legislated to turn the EU version of the GDPR into a UK version of the same law at the end of the transition period. So, on the face of it, the risk of diverging standards between the UK and the EU seems low.  

The reality may be more problematic.  The UK will no longer be bound by the judgments of the Court of Justice of the European Union (CJEU) on data protection (and other areas) if they are handed down after the end of the transition period. But there are exceptions to this for “EU data” which came to the UK before the end of the transition period.  If there is no adequacy decision then that data has to be protected in accordance with the GDPR, taking into account post-transition period CJEU case law (see Article 71(1) of the EU-UK withdrawal agreement). To add to the complexity of the position, UK Ministers have powers to legislate to enable domestic Courts to depart from past CJEU judgments.  That may mean that both past and future CJEU judgments may not be binding when UK Courts are interpreting the UK version of the GDPR. This situation would result in relatively swift divergence between the meaning of the “UK GDPR” as compared with the EU version.  

For businesses caught by both the UK version of the GDPR and the EU version of the GDPR any regulatory divergence is bound to be unwelcome, as it will add to the cost of compliance.  

Application of UK data protection law to EU businesses

Many EU businesses may be unaware that the UK version of the GDPR contains the same extra-territorial provisions as the GDPR. For example, this means that the UK GDPR will apply to controllers or processors outside the UK who are offering goods or services to UK consumers, or monitoring the behaviour of data subjects in the UK. EU companies caught by the extra-territorial provisions of the UK GDPR will also need to appoint a representative in the UK.  

Other impacts

Given the potential lack of regulatory coordination between the UK and the EU, where data breaches are suffered by organisations operating across both regions there may be duplication of investigations, with the EU and UK regulators taking action separately. There is also the potential for double fines for controllers and processors for regulatory breaches occurring in both the EU and the UK. The labour-saving mechanism of the one stop shop, whereby businesses established across a number of EU member states can deal with one lead supervisory authority, will no longer be available to UK businesses.

What to look out for in the coming weeks

During June there will be huge pressure on the UK Government from business and opposition MPs to extend the transition period. They will no doubt argue that the UK economy could come under severe pressure with a double blow from Covid 19 and a no-deal Brexit. This prospect will also be unwelcome for EU businesses trading with the UK. It cannot be ruled out that the UK will apply for an extension to the negotiations later in the year, even though the deadline has expired, if the situation is looking bad. The paralysis in the WTO may be a further factor in the Government’s decision making.

The outcome of the negotiations on adequacy for data protection is expected in early autumn, simply because there are a number of further stages required before any EU adequacy decision for the UK can come into force.  UK adequacy for the EU can be finalised more quickly.  

If the outcome of the talks on adequacy is successful, then that will make life easier for controllers and processors in both the EU and the UK. But even if the negotiations on adequacy are successful, things will not be entirely smooth. At the end of the transition period the UK will no longer benefit from the mechanisms for cooperation between EU regulators, such as the one stop shop. The extra-territorial scope of both the GDPR and the UK GDPR means that there will be lots of businesses subject to both regimes. Those regimes will be moving apart at a pace which is as yet unclear. Inevitably that will add to the challenge of data protection compliance.

 

 

Eleonor Duhs, Director in Fieldfisher’s Privacy, Security and Information law team in London (Eleonor was previously a senior lawyer at the Department For Exiting the European Union and the lead UK lawyer in negotiations on the GDPR).

Phil Lee, CIPP/E, Partner (Privacy, Security and Information) Fieldfisher