By Sarah Pearce, Privacy and Cyber Security Partner at international law firm, Paul Hastings
Over the past two years, data privacy has become one of the world’s most widely regulated and closely followed areas of the law. The General Data Protection Regulation (GDPR) appeared on the scene in 2018, dramatically changing the privacy landscape not just within Europe, but also globally, given its extra-territorial application.
The new regulation sought to change the way businesses handled personal data, by introducing new, and bolstering old, obligations that were predicated on a set of key overarching principles. In many respects, it has achieved this goal: it certainly called attention to data protection in the world of business, which is no bad thing.
In the lead-up to Brexit, however, there was some uncertainty around the plans for maintaining European regulation, including the GDPR, within the UK. With it being unclear whether or not there would be a transition period, organisations were, quite rightly, concerned as to how this would impact regulation of data privacy in the UK and ultimately their resulting obligations relating to data. However, the ICO, the UK regulatory authority, has consistently said that GDPR principles will be maintained and now, given confirmation of the transition period, the regulation itself will continue to apply until the end of 2020. Even post-2020, the UK government has confirmed we will have a “UK GDPR” in place.
The advice to businesses, therefore, remains the same. It is worth highlighting that if an organisation established in the UK offers goods or services to individuals in the EU, or monitors the behaviour of individuals in the EU post-Brexit, this organisation must comply with both the UK legislation and the GDPR. Any organisation that based its plans on the fact that the GDPR may cease to apply should simply continue to monitor the situation and revisit this plan of action in line with any updates. Conversely, any organisations that did not take the suggested steps to prepare for the change should use this year to prepare for a post-transition period data privacy world.
So, with the GDPR seemingly bringing about positive changes, what lessons can we learn from it, and what could it mean for data privacy in a post-Brexit UK?
The GDPR brought all European countries together under one piece of legislation, which was hailed as a much-needed move by regulators and industry alike. Its success has led some experts to question whether this could be taken even further: moving towards federal legislation in the US rather than the state-by-state position that currently exists, a form of supra-national legislation, or the development and application of a global standard for the protection of individuals’ personal data.
Harmonisation of laws can be beneficial in terms of eliminating differences that exist between different countries’ laws and ensuring an equal playing field when it comes to operating standards for businesses. However, in reality, it is not something that is often achievable; there have been several areas of the law over the years that have been considered for a global legislative regime, but all have so far been unsuccessful. It is somewhat wishful thinking to believe that data privacy would be an area that countries would consider worthy of global regulation.
Notwithstanding the different levels of protection currently offered globally, the sheer number of practical concerns is enough to sway experts away from the idea. How, for example, would the creation, and ultimately enforcement, of any such global regulation be funded? Would there be one global regulator, and would one country take the lead on its operation? For these reasons alone, supra-national legislation appears extremely unlikely.
The adoption of principles similar to the GDPR more broadly around the globe would seem to be a more achievable goal.
So, what effects will Brexit have on data privacy?
The biggest area of data privacy that Brexit will affect is data transfers. Personal data can currently move freely around the European Economic Area (“EEA”), yet this free movement of personal data to a country outside the EEA (i.e. a “third country”) is not permitted, and any such transfer of personal data is known as an “international transfer”. Unless a third country has been deemed “adequate” by the European Commission (meaning the Commission has determined that the country handles data to a standard sufficient to allow personal data to be transferred there), any international transfer requires the organisation sending and the organisation receiving the data to put in place one of the transfer mechanisms provided for in the GDPR.
Post-Brexit, the UK will be a third country for the purpose of international transfers, so if an organisation based in the EEA wishes to transfer personal data to an organisation based in the UK, it will have to ensure there is a transfer mechanism in place. With respect to transfers from an organisation in the UK to one in the EEA, the ICO has confirmed that no immediate action is required. If an organisation in the UK wishes to transfer personal data to an organisation based outside the EEA, the current rules apply, as these will be mirrored in the UK legislation, i.e. a transfer mechanism is required. If there is already a mechanism in place to deal with a specific transfer, this mechanism will still be valid post-Brexit.
Another point to note is that if an organisation is required under the GDPR to appoint an EU representative, it will need to appoint this representative in an EU member state where some of the individuals whose personal data is being processed are located. Given that the UK will have its own form of GDPR, such an organisation would also need to appoint a UK representative if the requirements are met.
Following Brexit, the ICO will not be a supervisory authority for the purposes of the GDPR. Therefore, if the ICO has been established as the lead supervisory authority under the GDPR, the organisation must appoint a new lead supervisory authority in the EU.
Finally, if an organisation based in the UK that is subject to the GDPR post-Brexit, or a group organisation with entities in the UK and the EU, suffers a personal data breach post-Brexit, it may find itself having to report the personal data breach to two authorities, i.e. the ICO and a supervisory authority in the EU.
The key message and advice to clients at this stage is as follows: if not already completed, organisations currently subject to the GDPR which have business in the UK should carry out a data privacy compliance review, focusing on the effects highlighted above to confirm where action is required.
About the author
Sarah Pearce is a Partner in the Privacy and Cyber Security Practice of Paul Hastings and heads up the European team from the firm’s London office. She assists clients in identifying, evaluating and managing global privacy and information security risks and compliance issues and regularly navigates clients through data breach response and associated regulatory investigations and enforcement proceedings.
Paul Hastings is an international law firm, with a strong presence throughout Asia, Europe, Latin America, and the U.S. It is recognised as one of the world’s most innovative global law firms.