Data protection and Brexit – clearing up some misunderstandings

Now that Exit Day on 31^st January is drawing close attention is focussing on what will happen during the transition period that will run from 31^St January until the end of the year. There seems little doubt that the European Union (Withdrawal Agreement) Bill (see our recent publication regarding the key provisions of the Bill) will complete its passage through Parliament in time meaning that it is now clear that the GDPR itself (rather than the so called UK GDPR) will continue to apply in full to controllers and processors in the UK until 31 December 2020. Nevertheless there have been some misunderstandings about the position of the ICO, as the UK’s supervisory authority, during this period, particularly in relation to the one stop shop.

These misunderstandings are hardly surprising given the length and complexity of the EU Withdrawal Agreement. The Agreement runs to more than 500 pages and does not start to address the transition period until Article 126 on page 186. This means that those who start at the beginning risk being misled when they come across the first substantive mention of data protection in Article 71, which is all about the protection of the personal data of data subjects who are outside the UK once EU law has ceased to apply to their data. Furthermore, the ICO’s guidance on its website still focuses on the position in the event of a no deal Brexit, when the GDPR would no longer be applicable directly in the UK. It is therefore relevant to the situation businesses may face after 31^st December, particularly if there is no adequacy finding for the UK by then, but much less so to the situation during the transition period.

The ICO and the One Stop Shop

Because the GDPR continues to apply in the UK during the transition period those provisions that relate to supervisory authorities will continue to apply to the ICO. This means that the ICO will remain a "competent authority" until the end of this year. It will participate in the cooperation and consistency mechanisms, including the one stop shop as it is commonly known, meaning that the ICO will continue to be the lead authority for cross-border processing by businesses that are established in more than one member state and have their main establishment in the UK. The ICO can also continue as the lead for Binding Corporate Rules.

The exception is the ICO’s membership of the European Data Protection Board (EDPB). On Exit Day the UK will cease to be a member of the European Union and so, despite the transition arrangements, will cease to be eligible for membership of EU bodies including the EDPB. Nevertheless the ICO can be invited, on an exceptional basis, to attend the EDPB, but only without voting rights and only for matters where either:

• the discussion concerns individual acts to be addressed during the transition period to the United Kingdom or to natural or legal persons residing or established in the United Kingdom; or
• the presence of the United Kingdom is necessary and in the interest of the Union, in particular for the effective implementation of Union law during the transition period.

The expectation is that this provision will enable the ICO to continue to participate effectively in the cooperation and consistency mechanisms, including in EDPB deliberations on cross-border cases where the ICO is the lead supervisory authority. Whether it will also enable the ICO to participate in the Article 65 EDPB dispute resolution mechanism where the ICO is merely one "supervisory authority concerned" amongst several is less certain.

Although little will change for businesses during the transition period this is only likely to be short-lived. The period is due to end on 31^st December and, whilst it could be extended, the UK Government has said that it has no intention of seeking an extension. Once the transition period has ended, as things stand, the ICO will cease to be a "competent authority" under the GDPR, will no longer participate in the one stop shop and will not be able to continue as the lead authority for cross-border processing within the EU. Those businesses that currently have the ICO as their lead authority, and which will continue to engage in cross-border processing within the EU after the year end, would be well advised, if they have not already done so, to start identifying whether they will then qualify as having an alternative "main establishment" within the remaining　 EU member states and, consequently, which EU authority will fulfil the role as their lead supervisory authority.

Article 71 of the Withdrawal Agreement

There has been some misunderstanding about this Article given that it is headed "Protection of Personal Data". However it is necessary to keep in mind that the Article is concerned with the processing of personal data of data subjects outside the UK rather than of anyone in the UK. Its main provision is that the personal data of such data subjects, which was processed in the UK under Union law (i.e. under the GDPR) before the end of the transition period, will continue to be subject to the GDPR itself rather than just UK law after the end of that period. The intention appears to be to stop the UK "pulling up the drawbridge" on personal data that was transferred freely from elsewhere in the EU to the UK, on the basis that the GDPR applied directly in the UK, once that ceases to be the case. 　This would potentially leave the data in the UK without an　 "adequate level of protection". Put another way the intention is to stop the UK changing the rules that apply to EU personal data that was only able to come to the UK because EU data protection law applied　in the UK, once the UK would otherwise be free to change these rules.

Potentially this Article could be a nightmare for controllers in that it could, after the end of the transition period, require them to separate out and treat EU data, to which the GDPR itself will continue to apply, differently from UK data, to which the UK’s own data protection law will apply. However, this is only likely to be a practical problem if UK data protection law departs significantly from the GDPR after the end of the transition period. Encouragingly, there is no sign that this is likely to happen, at least not in the short term. Furthermore the restrictions in Article 71 will cease to have effect if and when the UK is subject to a European Commission finding of adequacy. It is therefore another reason to hope for such an early and positive finding.