GDPR and the impact of a ‘no deal’ Brexit

by Jul 3, 2019

The UK is scheduled to exit from the EU on 29 March 2019

Substantial negotiations are underway on the transition of legal, trade and other relations between the UK and the EU after Brexit happens. At this stage, many of the negotiations have been unsuccessful, either within the UK’s own parliamentary system or between the UK and the EU. Without agreements for transitioning and new agreements for interacting with the EU, the UK faces numerous disruptions to trade, security, medicine availability, travel, workplace regulations and citizenship of UK citizens in other parts of the EU.

There are a few options between now and 29 March 2019.

The first is that a deal will be put together for transitioning. This would be the most favourable outcome for continuity of business transactions and commerce. The second is, if no deal can be agreed upon, the date of Brexit may be extended by agreement to allow more time for negotiations. The third scenario is what is being called a ‘no deal Brexit’.

What does a ‘no deal Brexit’ mean?

If no agreement for transitioning can be reached and the exit date is not extended, the UK exit from the EU will happen on 29 March 2019 and there will be a degree of chaos attached.

For the many laws and rules currently intertwining the UK within the EU, there will be no deals in place for transitioning and planning. This will affect many laws and current practices; however, for the purpose of this article, we are only looking at the management of data under the GDPR.

Why is a ‘no deal exit’ important for privacy legislation and who would this affect?

Under the GDPR (General Data Protection Regulations), the UK is currently part of the EU; however, from 29 March 2019 (or a later date if this is extended), the UK will be an independent country.

If a no deal exit happens, the transfer of data between the EU and the UK will be restricted under the GDPR from 29 March 2019. It is possible that the UK will be granted adequacy status (yes, that is a technical term), but this cannot be assessed until after the exit has happened (and will likely take several months). In the meantime, the transfer of personal information from the EU into the UK must be completed using a standard contractual clause (‘SCC’) in the format approved by the EU.

Sounds complicated? Let’s break it down and look at the implications: 

Location of business receiving personal data, with scenarios and action required prior to 29 March 2019:

Location: Head office of business within the UK and collecting data from any person within the EU or monitoring the behaviour of any person within the EU

Examples:

  1. You operate any kind of online membership subscription service that has EU resident subscribers.
  2. You have an online retail store that is open for EU residents to make a purchase.
  3. You provide advisory services and have clients resident in the EU.

ACTION: Review your privacy policy and make sure SCCs are in place with the businesses within the EU that you deal with, e.g. hosting, cloud storage.

If you process data of EU citizens and transfer this data to the US under the US Privacy Shield, you will need to look at your agreements with the US to ensure an SCC is added into each of these agreements, as the US Privacy Shield will not work with the UK anymore.

Unless you have an office in the EU, you will need to appoint a privacy representative in the EU.

Location: Head office of business within the EU (but not in the UK)

Look carefully at where your data goes. There will no longer be a free flow of data from EU to UK. Do you transfer data to the UK? Data subjects will have to be told.

Location: Head office of business outside of the UK and EU and collecting data from any person within the EU or monitoring the behaviour of any person within the EU

Not much changes here; you should already have in place a compliant GDPR privacy policy and SCCs protecting the flow of data of EU citizens. A review of your privacy policy will be required if you rely on the US Privacy Shield for the transfer of data of UK citizens.

Location: Any business relying on the US Privacy Shield for the transfer of data in or out of the UK

There is a particular paragraph that needs to be added to the privacy policy of the US entity (yes, the wording is specific) to ensure that the Privacy Shield takes effect.

How can Onyx Legal help you?

We can help you work out if you have to comply with GDPR and prepare appropriate privacy and cookie policies to comply with GDPR requirements. Contact us to find out more.