Ever since the 2016 referendum to leave the EU, pundits have been speculating about how Brexit will affect the General Data Protection Regulation (GDPR) in Britain.
Even though the UK is planning to leave the EU, the UK will still need to comply with the GDPR. One reason for this is the cross-over period between the GDPR coming into force and the UK exiting the EU. The UK will need to comply with the Regulation while it is still a part of the EU. Another reason is the extraterritorial reach of the GDPR. UK companies continuing to do business with the EU after Brexit will need to comply with the Regulation to avoid infringements.
The UK’s withdrawal from the European Union will have an impact on regulatory compliance and on data flows between the country and the EU. In the event of a ‘no-deal’ Brexit, with no agreed arrangements covering data protection, the Government is advising organisations to prepare appropriate contracts to ensure that any transfer of European Union citizens’ personal data to the UK is compliant with privacy laws.
What is Brexit?
A referendum – a vote in which everyone (or nearly everyone) of voting age can take part – was held on Thursday 23 June 2016, to decide whether the UK should leave or remain in the European Union. Leave won by 51.9% to 48.1%. The referendum turnout was 71.8%, with more than 30 million people voting. The UK had been due to leave on 29 March 2019, two years after it started the exit process by invoking Article 50 of the EU’s Lisbon Treaty. But the withdrawal agreement reached between the EU and UK has been rejected three times by UK MPs. Having granted an initial extension of the Article 50 process until 12 April 2019, EU leaders have now backed a six-month extension until 31 October 2019. However, the UK will leave before this date if the withdrawal agreement is ratified by the UK and the EU before then.
Although the UK is intending to exit the EU within the next few years, the GDPR will still have an impact. This demonstrates the reach of this EU Regulation beyond the EU. International companies across the globe with any EU citizens as customers will need to be aware of their new legal obligations and comply to avoid fines. With the high level of international business involving the EU, the GDPR may influence stronger data protection procedures around the world.
Even if the UK withdraws from the EU, it could be granted membership of the European Economic Area (EEA) trade group, similar to the relationship that Norway and Iceland have with the EU.
The EEA adopted the GDPR in July 2018, so in the case of EEA membership, the use of personal data in Britain would still be governed by the GDPR. Given that one of the stated reasons for Brexit was to break free of the rules and regulations of the EU and the EEA, the UK is unlikely to join the EEA, so this model seems improbable.
If Britain does not join the EEA post-Brexit, even if it does join the legally more relaxed European Free Trade Association (EFTA), then the GDPR will not directly govern the UK.
This is the relationship that Switzerland has with the rest of the EEA. Britain joining only the EFTA and not the EEA seems to be most probable given the recent political commentary from Europe. If this is the case, data protection regulations and compliance requirements post-Brexit are not very clear.
Data Protection Representative?
Jan-Ulrich Lange, a data privacy expert with the Germany-based Institut für Datenschutz und Compliance (IDC) and the association of German data privacy professionals (BvD), believes that UK companies may require a data protection representative in the EU post-Brexit.
He says: “Another provision, which has not been so much in focus, is the requirement to appoint a representative in the EU under article 27 of the GDPR. This requirement will have an impact regardless of the outcome of any agreement on the conditions for future data exchange.
“Any UK company that does not have a subsidiary in the EU and that intends to continue business with EU customers will most likely fall under the requirement to appoint a representative in one of the EU countries.
“This provision goes back to the idea of the lawmakers to be able to hold somebody responsible for breaches affecting EU citizens by non-EU companies. Once the UK has finally left the Union the provision becomes immediately relevant for UK companies.”