Brexit, and how it will affect companies, has been the subject of much debate, especially following the election held on the 12th of December 2019. Boris Johnson will now press ahead with the legislation required to ratify the Withdrawal Agreement that he renegotiated in October 2019. This will need to be approved by the European Parliament by the 31st January 2020, which will be followed by an implementation period running to the 31st of December 2020.
There are probably only two kinds of trade deal which are achievable in the time that the UK has set for itself: a very basic zero tariff, zero quota deal which would not achieve any regulatory alignment with the European Union (EU), or a deal which involves close dynamic regulatory alignment between the UK and the EU. Given the numbers that the Conservatives gained during the election, Boris Johnson is unlikely to feel compelled to listen either to the moderate wing that wants a strong regulatory alignment with the EU, or to the hardline Brexiteers, who want to exit immediately without any form of trade deal, regardless of the impact that this could have on industry. The UK government may now feel that it has free rein to negotiate with the EU using its own style.
A middle-of-the-road attitude towards the manner in which Brexit is implemented is likely to be considered because, at the end of his five-year premiership when Boris Johnson campaigns for a possible re-election, he will not want to be remembered either as the man who failed to achieve an actual form of Brexit, or as the person who created destabilisation within the UK by allowing a “hard Brexit” with no consideration for the trade relationships which require regulatory alignment between the UK and the EU.
Some have formed a view that there will be a UK-EU deal involving regulatory alignment, but based on a third party relationship with a form of independent adjudication and dispute settlement. This could mean that a third party would resolve disputes between the UK and EU should either disagree on the regulations that the EU proposes for its own members. This would mean that in return for distant access to the single market and customs union, the UK, at the very least, is required to consider any proposed EU regulations for implementation in the UK.
So what is this likely to mean for service providers or the customer of a service provider?
Contracting with companies whose labour pools are in Eurozone countries such as Estonia and Slovenia, or with those with locations in India and China, may increase as inexpensive workers from the EU will no longer benefit from freedom of movement. That means that following Brexit, the UK may well experience a skills shortage. A skills shortage is likely to increase wages in the UK, and hence increase the push towards looking for cost-effective talent in near-shore and offshore locations, where skilled resources are more generally available and freedom of movement applies.
Customers of these companies are advised to start to review any risks associated with key staff movement, knowledge retention, staff training, skills and capability and other associated staffing risks.
Service providers are advised to start to look internally to ensure that they can easily source any increased requirements from customers, particularly as their agreements may provide contractual obligations that the supplier has adequate personnel to deliver the services to the customer.
Organisations should consider the following key areas from a data privacy perspective:
1. Organisations should review the impact that Brexit will have on the processing of personal data and the steps which need to be put in place to address that impact.
The questions that organisations should ask themselves as part of any gap analysis are:
- How are transfers of personal data between the UK and the EU regulated post Brexit?
- Will UK businesses operating within the EU need to adjust to having a new regulator?
- Will UK businesses dealing with EU citizens and their personal data need to appoint a representative in the EU?
- Will organisations have to put additional measures in place in respect of their data flows from the UK to either the European Economic Area (EEA) or to a country outside of the EEA such as India, and vice versa, once the UK is no longer a member of the EEA?
Will the UK's data protection standard change?
The UK government has not given any indication as yet that it will do anything other than maintain the status quo. The Withdrawal Act will incorporate the General Data Protection Regulation 2016/679 (GDPR) into UK law, and the Data Protection Act 2018 will continue to sit alongside it. Reassuringly, the time and money that businesses have invested in becoming GDPR compliant will not be wasted. The government has also proposed additional legislation to take effect on exit day which will "anglicise" certain aspects of GDPR so that it makes sense when applied as part of UK domestic law.
However, although on its face the legal backdrop will not materially change, difficulties arise when considering the implications of the imminent status change of the UK when it ceases to be a member state of the EEA, in particular in relation to continued data flows.
What is the problem with data flows?
The GDPR allows for unrestricted personal data flows between EU and EEA member states, the theory being that personal data can be considered to be in safe hands in those states which have adopted the GDPR. However, problems potentially arise with third countries outside the EEA, as they might not have such high standards to ensure the continued safety of personal data leaving the EEA to such destinations. So, if a company transfers data from France to Brazil, the theory is that this transfer is insecure, and therefore protections must be implemented before such a transfer occurs.
The GDPR treats transfers to non-EEA destinations as restricted transfers and requires organisations to only transfer personal data using a GDPR-compliant safeguarding mechanism. One of these mechanisms is that the destination country has had an adequacy decision made in favour of it by the European Commission (essentially, confirmation by the EU that it considers that country to be a safe destination for personal data caught by GDPR). Other mechanisms include EU approved standard contractual clauses, known as 'model clauses', which oblige the recipient in the destination country to sign up to contractual obligations to keep any data it receives safe. There are also other derogations referred to later on in this paper.
So, the question is, what will happen to data flows between the UK and the EEA?
UK data flows to the EEA
Current proposals are that transfers of personal data from the UK to the EEA will continue to be permitted without the need for organisations to put additional measures in place. In theory, this should mean that no further action is necessary in order to send personal data to EEA-based third parties. As a matter of good practice however, it will be worth keeping an eye on any changes to the domestic laws of relevant Member States in the event that new laws create further hoops for the UK to jump through in the future.
UK data flows to other third countries outside the EEA
The EEA has passed adequacy decisions with respect to a number of third countries. Proposed draft legislation which will come into effect on Brexit-Day states that the UK will continue to recognise these adequacy decisions when it comes to transferring UK personal data to recipients based in those countries.
The same draft legislation states that EU model clauses will continue to be recognised where appropriate as a valid safeguarding mechanism under which organisations in the UK can transfer personal data. Similarly, existing model clause contracts, which are in place to govern the export of data out of the UK, will continue to be recognised.
EEA data flows to the UK
However, transfers of personal data within the GDPR’s scope from the EEA into the UK are, unfortunately, not quite as simple. Unless this matter is addressed in any deal that Boris Johnson strikes, or the EU passes an adequacy decision in respect of the UK in time for when the UK leaves the EU and becomes a third country, organisations transferring personal data from the EEA to the UK will need to do so using a GDPR-compliant safeguarding mechanism in the same way as they do for any other third country. So should a company in France wish to transfer data to a company in the UK, it will need to use the same process that it uses should it wish to transfer data to a company in Brazil.
What can businesses do?
EU model clauses are, for now, the obvious answer for many businesses based in the EEA seeking to transfer personal data to the UK. However, this will create an extra layer of administration which will not be appreciated, particularly by dynamic companies who are looking for a solution to what they deem to be regulatory burdens.
In addition, the model clauses are currently being examined for their validity as a safeguarding mechanism in the CJEU (a decision is widely expected early in the year 2020) as part of Max Schrems' ongoing efforts against Facebook. However, for now, they are the most practical and widely available solution for businesses which rely on the inflow of data from the EEA. In any case, if there is a transition period before the UK exits, this will buy extra time for organisations to wait and see the outcome of the CJEU litigation.
Are there any other options?
It may be possible for businesses to rely on the derogations set out in the GDPR for specific situations, which allow for the transfer of data from the EEA to a third country in the absence of an adequacy decision, model clauses, or binding corporate rules (a complex mechanism which could provide a solution for some corporate groups, but can take between six and twelve months to implement, which makes them less relied upon).
Examples include explicit consent, contractual necessity, and cases relating to legal claims. However, use of these derogations was intended to be limited and only permitted if they are used in specific situations and if certain conditions are satisfied. For example, not only will explicit consent need to be GDPR compliant, but the information made known to the data subject must include the possible risks of the transfer. Furthermore, the controller and/or processor must continually review whether the consent obtained from the data subject remains fit for purpose, which can prove challenging.
Moreover, many of the derogations under Article 49 of the GDPR - including the contractual necessity and legal claim derogations - can only be used occasionally and when necessary ("requiring a close and substantial connection between the data transfer and the purposes of the contract"). This means that in practice, whilst the derogations could be useful for occasional transfers in particular circumstances, they are unlikely to be an effective solution in the long term.
Will the EU Pass an Adequacy Decision in Respect of the UK?
It had been hoped that a deal would be done on this, particularly given that the GDPR is in place in the UK and will remain so, to save many businesses the extra administrative burden which comes with losing the ability for personal data to move freely from the EEA to the UK. However, the EU doesn't seem to be in a hurry on this, appearing to take the view that the existing safeguarding mechanisms provided in the GDPR provide a good enough interim solution. As mentioned above, it is unlikely that the EU will move from its current position in the deal which is already on the UK’s table.
It is also worth bearing in mind that:
- The Commission can only make an adequacy decision in relation to a third country, but the UK will not become one until the day it leaves the EU.
- Adequacy decisions have historically not been particularly forthcoming. Adopting an adequacy decision involves a multi-stage procedure including obtaining the approval of the remainder of the EU, which is likely to be time consuming. Depending on the manner of the UK's exit, which may be less than straightforward, it is also possible that Member States may be reluctant to agree to this solution, which would further prolong the process.
- Adequacy decisions are not indefinite. These decisions are subject to ongoing review, and therefore are capable of being withdrawn at any time. This would bring UK businesses back to square one regarding their ability to process data from the EEA.
Clearly, there are a number of factors to consider when evaluating a company’s future ability to transfer personal data from the EEA into the UK. Whilst many will be keeping their fingers crossed for a speedy adequacy decision, it would be prudent to analyse the data transfers into the UK and their current legal basis to identify the data flows at risk post-Brexit. Businesses should also review their existing contracts for clauses with absolute prohibitions on transferring personal data outside the EEA.
Organisations should analyse their data flows from the EEA into the UK (together with any onward transfers of such data to other third countries) and the current legal basis, to identify those flows which are most at risk post Brexit. They should also review their existing contracts for clauses with absolute prohibitions on transferring personal data outside the EEA.
The most sensible option to ensure a company is able to continue receiving data from the EEA seems to be the implementation of model clauses. The key is to invest time sooner rather than later to pinpoint the company’s material data transfers, work out the data flows, and identify with whom the company might need model clauses to govern the transfer.