Nothing about Brexit is certain, prepare for the worst
With the 29th of March fast approaching, there isn’t much time left until the UK’s departure from the European Union (“EU”). It was anticipated that the UK would leave the EU with a formal withdrawal agreement; however, this may not be the case, which would mean a “no deal” Brexit. No one is certain about what will happen in terms of data protection after the UK’s departure. For this reason, many organisations across the UK are creating plans, and putting them into action, in case a no deal Brexit occurs.
Under the Withdrawal Agreement.
In an ideal scenario, the UK will leave the EU on the 29th of March with a formal withdrawal agreement. This will ensure that an agreed transition period is in place. During this period, everything regarding data protection and the international transfer of personal data will remain the same. The UK’s Information Commissioner’s Office (“ICO”) will still be able to attend parts of the European Data Protection Board’s meetings throughout the transition period, helping to maintain elements of uniformity between the different independent regulators. However, if the UK leaves the EU with “no deal”, things may not be such smooth sailing.
Under a “no deal” scenario.
Leaving without a formal withdrawal agreement will leave the UK with many uncertainties with regard to data protection, in particular the transfer of personal data between the UK and the EU, and onward transfers to other countries outside of the European Economic Area (“EEA”). Leaving with no deal will mean that the UK will have to obtain an adequacy decision from the European Commission. The process of obtaining an adequacy decision usually takes several months, although the presence of the GDPR in UK law may speed up this process. However, the process could be slowed down by the political will within the European Commission. A no deal Brexit would also result in the UK’s ICO being excluded from all European Data Protection Board meetings, causing a total breakdown of communication between the UK’s ICO and other European regulators. The lack of communication between the UK’s ICO and other regulators could result in cases of double enforcement. This strict regulatory enforcement could make the UK an unattractive place to do business.
In terms of data transfers from the UK to the EU in the case of a no deal Brexit, there shouldn’t be any major issues according to the ICO. However, some data controllers do have concerns about transferring personal data to data processors inside the EU. Data controllers are concerned that the data processors may be hesitant to transfer the personal data back to the UK due to the lack of safeguards in place. More specifically for law firms, some clients are threatening to walk away if a firm is using the cloud to retain their personal data, especially products like Microsoft Office 365. This is due to the uncertainty over where their data will be stored and who will have access to it. This is a large industry risk, as a high proportion of law firms use Office 365 as their main storage facility. Although risk and compliance departments in such firms aren’t encouraging the use of Office 365, they aren’t discouraging it either, which is a worry in itself: it suggests they don’t see it as a risk, but clearly their clients do. Office 365’s main servers are in the US, plus Dublin and Ireland in the EEA, and so they are subject to the concerns outlined above: in a worst-case scenario, a data processor in the EU might not return data to a data controller in the UK.
More issues may arise when data is being transferred from the EU to the UK and then on to another country outside of Europe. For example, the storage and transfer of data to the US is currently covered by the EU-US Privacy Shield. However, in a no deal scenario this won’t be the case after the 29th of March. The lack of any agreed adequacy decision currently in place means that other safeguards will have to be used to facilitate such transfers, for example Binding Corporate Rules (“BCR”). Like adequacy decisions, BCRs can take several months or even years to implement and are therefore not a quick solution to the problems that organisations may face.
To get around the issues with the onward transfer of data to countries outside of Europe, many organisations are creating bespoke standard contractual clauses (“SCC”) that cater for the way they handle and use data, so as to reflect the onward transfer. Some law firms are even going to the extent of creating hard copy versions of the SCCs, ready to send out to their entire client base in the middle of March. Such bespoke clauses are to be accepted by conduct rather than by the usual approach. Organisations argue that unless they hear from the clients/customers telling them otherwise, business should go on as normal.
Although many of these issues may seem daunting to UK organisations, all of the risks discussed above are just possibilities. Until the UK leaves the EU on the 29th of March, nothing will be certain. All organisations can do for now is prepare for the worst-case scenario.