Brexit is coming. Without further intervention, the UK will leave the EU on 29 March 2019. At the time of writing, the two most realistic options for the UK’s exit are either the Withdrawal Agreement endorsed by the European Council on 25 November 2018 or ‘no deal’.
The pan-European nature of data protection law – recently overhauled by the General Data Protection Regulation (‘GDPR’) – means that employers (especially those whose business has a UK/EU cross-border element) need to take note of the changing landscape, which is likely to impact their operations.
We have therefore set out below a high-level overview of considerations employers should bear in mind in either scenario.
Scenario 1 – The Withdrawal Agreement
If it comes into force, this will cover a transition period up to and including 31 December 2020 (although this may be extended by up to two years).
The Agreement provides for the continuation of relevant EU data protection law during the transition period, in particular GDPR, which probably means it will function as if the UK was still a member of the EU (there may be a technical gap here, but this appears to be the intention). Therefore, nothing would change until the end of the transition period as far as employers are concerned. It should be business as usual – so far, so good.
The situation, if the transition period ends and there is no other deal, is a little messier. In essence, the UK would at that point become a ‘third country’ (see ‘No Deal’ below), but with a slight twist.
For example, the personal data of individuals from EU Member States outside the UK which were processed in the transition period by UK data controllers will continue to be covered by EU law. A UK employer with employees in the EU would have to comply with both EU law and UK law (if it diverges) in respect of such data – that’s potentially two data protection regimes (and two regulators). These two regimes are likely to be highly complementary, however, and it may well be that by the time the transition period has ended, the certification schemes and codes of conduct introduced by the GDPR are finalised and able to be relied on by employers finding themselves grappling with this issue.
Scenario 2 – ‘No Deal’
The European Commission has made it clear what the legal outcome will be if there is no Withdrawal Agreement in place before 29 March 2019 – the UK will become a ‘third country’. This is the case despite the fact that the Data Protection Act 2018 will remain in force and the EU Withdrawal Act will ‘save and download’ all EU law, including GDPR, into UK law.
EU to UK
‘Third Country’ status has consequences immediately for EU to UK data transfers. It means that data controllers must put in place “appropriate safeguards” before making such transfers, or be able to rely on a derogation.
The most common of these will be relatively familiar to employers who already transfer data outside the EU (as it now stands), for example standard data protection clauses and binding corporate rules. It is worth keeping in mind here that the standard data protection clauses do not contain all of the mandatory provisions employers need to include in their contracts with their data processors, and so a need to review critical contracts governing the transfer of employee data to the UK could well be on the horizon.
Practically speaking, this means employers need to give thought to which safeguard they are going to rely upon to ensure lawful data transfers can continue. So, if you have standard clauses in place between your French entity and your US entity, you will probably want to replicate that arrangement between your French entity and your UK entity.
UK to EU
The position for data transfers from the UK to the EU is (for now) simpler. The UK Government, on 13 September, clarified that the UK “at the point of exit would continue to allow the free flow of personal data from the UK to the EU”.
This is of course subject to change at any point. The wide powers granted to Ministers to change legislation post-Brexit mean that such change could be effected quickly and without much notice. However, this seems unlikely given the disruption it would cause business.
The bottom line
The Withdrawal Agreement is clearly the easiest outcome for employers in the short term as it probably requires no immediate action.
The UK Government hopes that the EU will eventually issue an adequacy decision in respect of the UK – that would allow easier data transfers without further safeguards. This seems likely as the UK has already implemented the GDPR, but it won’t come in time for Brexit. The ‘no deal’ contingency plans published by the European Commission on 13 November 2018 make no mention of an adequacy decision.
The political declaration which was endorsed by the European Council on 25 November 2018 says the parties will work towards this by the end of 2020 and strikes an optimistic, if not legally binding, tone. This echoed the shorter declaration released alongside the Withdrawal Agreement.
As such, in the event of ‘no deal’, active steps by employers will be a necessity.