On Thursday 23 June 2016, after 43 years of EU membership, the UK voted in favour of Brexit. Although the referendum result has no immediate effect on the free flow of data, continental organizations doing business with the UK, and UK organizations doing business in the EU, should have an action plan in place for their data transfers to and from the UK in due time.
Given the importance of the digital economy, data protection issues are increasingly demanding the attention of organizations, and the consequences of Brexit will add even more tasks to their privacy to-do lists. In the short term, Brexit will have no impact on data transfers to and from the UK. If and when the UK gives notice under Article 50, which obliges the EU to negotiate the UK's departure, the UK will have about two years to leave the EU. The UK will therefore remain part of the EU for at least the next two years, and the UK Data Protection Act 1998, the UK transposition of the EU Data Protection Directive 1995, will continue to apply in the meantime. If the UK is still a member on 25 May 2018, it will also have to deal with the EU's General Data Protection Regulation (GDPR), which becomes directly applicable on that date and replaces the Directive.
UK Privacy Watchdog
In its statement the day after the vote, the UK's privacy watchdog, the Information Commissioner's Office (ICO), emphasized that even once the UK is no longer a member of the EU, UK data protection standards would still have to be "equivalent" to the GDPR.
From the moment the UK withdraws from the Union, it will be treated as a "third country". It is therefore to be expected that the UK government will ask the European Commission for an adequacy decision permitting the transfer of personal data from the EU to the UK, as has been granted to, for example, Switzerland. The legality of such an adequacy decision may, however, be scrutinized extensively because of the UK's intelligence practices, which could lead to a debate similar to the one that ended in the invalidation of the Safe Harbor Framework by the European Court of Justice in October 2015. That would add further uncertainty to data transfers to the UK and increase compliance costs.
GDPR and the UK
Organizations headquartered in the UK that do business in the EU should also note that, although the GDPR will no longer apply directly in the UK once it leaves, they may still have to comply with its requirements. The GDPR will, for example, still apply if the organization has establishments in the remaining EU member states. It may also apply if the organization has no establishment in the EU at all, because the GDPR's territorial scope is broad: it also reaches controllers and processors outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. This also means that, instead of dealing only with the ICO under the one-stop-shop mechanism, a UK organization may have to deal with the data protection authority of another EU member state as its lead authority.
In anticipation of Brexit and of the model that will eventually be chosen, continental organizations doing business with UK businesses are advised to review their agreements on the processing of personal data now, in order to avoid any uncertainty that could arise post-Brexit. Parties entering into new agreements, or that have already concluded long-term agreements, should discuss clauses that take the UK's special position into account, for example by obliging the UK counterparty to cooperate fully so that all requirements needed to legitimize any transfer to and from the UK are met.
For further information, please contact Elisabeth Thole, Partner Privacy Law or one of her team members.