As part of its preparations for a potential “no deal” scenario when the United Kingdom (UK) leaves the European Union (EU) on 29 March 2019, the UK Department for Digital, Culture, Media and Sport (DDCMS) has released guidance on “Data protection if there’s no Brexit deal”.
Whilst the UK remains part of the EU, there are currently no restrictions against transferring personal data (without consent from the individual) to the UK. Such restrictions apply to data transfers outside Europe, other than to certain “adequate” countries such as Canada or Switzerland, or where the importing business has a legally permissible mechanism in place, such as model clauses, binding corporate rules, or the Privacy Shield. On its exit from the EU, the UK will become a “third country”, meaning that unrestricted cross-border transfers of data will no longer automatically be able to take place between the UK and the EU.
The UK is directly subject to the European General Data Protection Regulation 2016/679 (GDPR). It has supplemented the GDPR with the Data Protection Act 2018 (DPA 2018). When the UK leaves the EU, it will implement the GDPR directly into domestic law through the European Union (Withdrawal) Act 2018, resulting in the UK having equivalent data privacy laws compared to the remaining EU member states. See our previous LawFlash on the implications of Brexit for data privacy.
The DDCMS highlights in its guidance paper that if the European Commission deems the UK’s level of personal data protection to be equivalent to that of the EU, the European Commission would make an “Adequacy Decision” allowing the transfer of personal data to the UK without restrictions. In the event that the European Commission does not make an Adequacy Decision regarding the UK, the DDCMS states that the most relevant legal basis would be to implement standard model clauses. The UK government is, however, very much reliant on a fast-track Adequacy Decision being part of successful Brexit negotiations. In the event of “no deal”, no such determination is likely to be forthcoming.
Under the GDPR, data transfers to third countries are permissible where there is an appropriate safeguard or permitted derogations.
Safeguards may be provided by way of the following:
The permitted derogations are the following:
There are some notable differences between the UK and remaining EU member states in their approach to state powers of monitoring and interception. The UK’s Regulation of Investigatory Powers Act 2000 (RIPA) and the new successor legislation, the Investigatory Powers Act 2016 (IPA), some of which is yet to be brought into force, remain controversial. The European Court of Human Rights (ECHR) recently ruled in Big Brother Watch and others v United Kingdom that aspects of the UK's surveillance regimes under RIPA breached the European Convention on Human Rights (the right to privacy and the right to freedom of expression). The applications to the ECHR followed Edward Snowden's 2013 revelations about the existence of surveillance and intelligence sharing programmes operated by the UK and US intelligence services. The applicants in this case believed that their electronic communications and/or communications data were likely to have been intercepted or obtained by the UK intelligence services. The ECHR analysed three different types of surveillance: the bulk interception of communications, intelligence sharing, and the obtaining of communications data from communications service providers.
Although governments have a margin of appreciation in deciding what kind of surveillance scheme is necessary to protect national security, the operation of such systems must meet basic minimum safeguards. The ECHR held by a majority that there was inadequate oversight at various stages of the operation and no real safeguards governing the selection of related communications data for examination. Therefore, there was a violation of the right to privacy. The ECHR held by a majority that the regime for obtaining communications data from communications service providers also violated the right to privacy as it was not in accordance with the law. Both the bulk interception regime and regime for obtaining communications data from communications providers infringed the right to freedom of expression as there was insufficient protection for journalistic sources or confidential journalistic materials. The regime for intelligence sharing with foreign governments, however, did not infringe the rights to privacy or freedom of expression.
The European Commission is likely to take into account the UK’s surveillance regime when assessing if the UK is “adequate” and the UK government may need to consider legislative changes to IPA, particularly in light of the Big Brother Watch case.
The usual process for applying for an Adequacy Decision is lengthy.
It seems unlikely that an Adequacy Decision for the UK will be granted without a wider deal on Brexit and a fast-tracked determination, because usually (a) such decisions are made in respect of third countries, which the UK will become only upon Brexit; and (b) the Adequacy Decision process can be quite lengthy. For example, it took 42 months for the European Commission to issue an Adequacy Decision for Israel, 27 for Andorra, 17 for Argentina, and four years for New Zealand. Japan has only recently (in July 2018) successfully obtained its Adequacy Decision, after many years of discussions, and an agreement on trade. It is certainly realistic that the differences between the EU data protection framework and the DPA 2018, as well as IPA, may cause the European Commission to decide against the adequacy of the UK regime on the basis that they undermine the overall EU data protection regime. An Adequacy Decision is, in any event, not granted in perpetuity and if it is granted, any changes to the UK Data Protection Regime post-Brexit might cause the European Commission to reassess its decision at the next adequacy review.
Although the UK government has referenced the use of model clauses for data transfers from the remaining EU member states to the UK in the absence of an Adequacy Decision in the DDCMS announcement, the validity of model clauses is currently under judicial challenge in a case involving Max Schrems and Facebook Ireland. If they are invalidated by the Court of Justice of the European Union, an alternative basis for data transfers will need to be found for data transfers to the UK and elsewhere outside Europe. The EU-US/Swiss-US Privacy Shield is due for its second annual review in October. The other alternative for the free-flow of data outside Europe is binding corporate rules, which can take some time to implement and need the approval of one of the European supervisory authorities which can, of itself, take a year or longer to obtain.
In this late stage of Brexit negotiations, there is still no certainty as to whether the UK will be granted an Adequacy Decision. As such, UK organisations should start thinking of alternative arrangements that will need to be put in place in order to ensure that data can flow in a practical manner to the UK where a permitted derogation does not apply. Other than binding corporate rules, the options of approved codes of conduct, approved privacy seals, and/or certifications will likely need to be considered by European organisations. The ICO has announced that trade associations and sector representatives can create codes of conduct for its approval and where a code of conduct covers more than one country, the European Data Protection Board (formerly the Article 29 Working Party) will submit its opinion to the European Commission for approval. The ICO has also announced that it will publish accreditation requirements for certification bodies to meet. The European Data Protection Board published draft guidelines on accreditation for certification bodies which were open for consultation and the supervisory authorities are still considering the responses. This further increases the pressure on the UK government to agree to a Brexit deal that includes a determination of adequacy for the UK.
(Applications nos. 58170/13, 62322/14 and 24960/15) ECHR 722 (13 September 2018)