What Does the Draft Brexit Deal Mean for Data Protection?
Until yesterday it was unclear whether UK businesses relying on consent in processing EU personal data could continue to do so following Brexit.
The United Kingdom will abide by European Union data protection laws when it leaves the EU next year. The news was included in the long-awaited draft UK-EU withdrawal agreement published Wednesday.
The draft agreement, which has since prompted several of Theresa May's senior cabinet ministers to resign, goes into effect on Brexit day, March 29, 2019, at 11 p.m. UK time.
In many ways the agreement essentially allows for the status quo; it stipulates that following the transition period the UK has to continue applying the same EU data protection rules to personal data that organizations may have received from users in other EU states. This means the EU will treat personal data from the UK the same as personal data obtained in the EU, even though the UK is leaving.
According to the European Commission the UK must continue applying the EU data protection rules “until the EU has established, by way of a formal, so-called adequacy decision, that the personal data protection regime of the UK provides data protection safeguards which are ‘essentially equivalent’ to those in the EU.”
The deal understands that private and public bodies in the UK, while a member of the EU, received personal data from companies in other member states. The EU wants to ensure that data is still handled securely and that the privacy of those individuals is protected when it flows across those borders.
According to the lengthy, 585-page draft agreement, viewable here, personal data can continue to flow between the UK and EU until at least the transition period closes, the end of 2020. For those curious, data protection is addressed in Article 71 (on page 128 of the PDF) of the agreement.
The news also ensures the UK applies the same standards when it comes to public procurements and grants. The draft also says the UK needs to prevent the export of cryptographic products that use classified cryptographic algorithms approved by the EU and present in the UK by the end of the transition period.
Without this news there was fear the EU could block data transfers with the UK post-Brexit.
As recently as three months ago it wasn't entirely clear what would happen to the UK post-Brexit with regards to data protection. In a speech around a no-deal Brexit back in August, the UK's Secretary of State Dominic Raab, who resigned earlier today, hinted there hadn't been any progress between the UK and EU around data protection.
A month later, in September, the UK said the free flow of personal data from the EU wouldn't necessarily be guaranteed; in the event of a no-deal Brexit, organizations there would need to agree to new contracts in order to ensure that they can keep receiving personal data about customers or workers in the EU.
That same month the Information Commissioner's Office (ICO), the non-departmental body that upholds information rights in the public interest, issued guidance around international data transfers under the General Data Protection Regulation.
The ICO said at the time that transfers would be restricted under the following conditions:
- The GDPR applies to the processing of in-scope personal data. GDPR Articles 2 and 3 set out the GDPR's scope. The ICO states that the GDPR generally applies "if you are processing personal data in the EU". The GDPR may also apply "in specific circumstances if you are outside the EU and processing personal data about individuals in the EU".
- An organisation sends personal data, or makes it accessible, to a receiver to which the GDPR does not apply. This will usually be because the receiver is located outside of the EU.
- The receiver is a separate organisation or individual. The receiver could be an affiliate or subsidiary company, but not an employee of the transferring organization.