By Peter Schaar, Chairman, European Academy for Freedom of Information and Data Protection, Berlin
What the consequences of the UK Brexit referendum will be for data protection cannot currently be said conclusively. Considerable uncertainties will remain at least until the end of the upcoming exit negotiations. Unless specific arrangements on data protection are made between the EU and the UK, the United Kingdom will be seen from the EU perspective as a regular third country like any other non-member state, such as Japan or South Africa.
At best, the country gets a status like that of Norway, which belongs to the European Economic Area and is thus largely obliged to apply EU law, without, however, having the effective decision-making power and participation rights that EU member states enjoy, in particular in the European Data Protection Board set up by the EU General Data Protection Regulation (GDPR).
I am sceptical that the UK Parliament will implement the GDPR completely by changing British law by May 2018, when the GDPR becomes applicable. This seems very unlikely, especially since the United Kingdom has already struggled with the adoption of the new EU privacy rules. For example, the British Government “opted out” of Art. 48 of the GDPR, the so-called “NSA clause”, which is intended to protect European citizens against third-country government access to personal data. Nevertheless, the provisions of Art. 48 would probably apply to the United Kingdom after its departure from the EU. The transmission of personal data protected by the GDPR to government authorities on the basis of British court rulings or administrative orders will then be legal only within the framework of mutual legal assistance agreements between the UK and the EU or its member states. This is particularly important because the British Parliament has recently drastically expanded the already extensive surveillance powers of the security agencies, and the corresponding obligations on companies, with the amended “Investigatory Powers Bill”. The “national security exemption” of article 4 TFEU will no longer be applicable to the UK. The practices of GCHQ and other government agencies will also have to be taken into account in the European Commission’s assessment of a possible adequacy decision for the UK (see below).
It seems likely to me that the full requirements of the GDPR provisions on the transfer of personal data to third countries (Art. 44 and following) will apply to the UK in the future. Under those provisions, any transfer of personal data will be permissible only if the data controller and the data processor comply with the conditions laid down in the GDPR. This also concerns the possible onward transfer of personal data to another third country or to an international organization. The GDPR allows transfers on the basis of “adequacy decisions” of the European Union or other appropriate safeguards, in particular standard contractual clauses or a system of binding corporate rules (BCR).
The UK Information Commissioner (ICO) has already pointed out that the United Kingdom continues to need clear and effective privacy laws, irrespective of the question of EU membership (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/04/statement-on-the-implications-of-brexit-for-data-protection/). If the British legislator follows this advice, the European Commission could make a decision under Article 45 on the existence of an “adequate level of data protection” in the UK. However, such a finding would not be automatic: it would require negotiations and a thorough examination and assessment of the British data protection system. This could hardly be managed within the two-year period available for implementing the EU exit.
In the light of the above, companies doing business in the UK, as well as public bodies of member states and EU institutions, have to prepare for the situation that the transmission of personal data from the EU to the UK (including the hosting of personal data on British soil) will be much more difficult in the future than it is today. This concerns in particular those companies whose business processes are based on combining personal data from various member states or on using servers or switching centres located in the UK.