Updated thoughts on the GDPR issues following a no-deal Brexit

In my last post on this subject about 10 months ago the UK had published guidelines on data communications with the EU (and EEA) post-no-deal "Brexit" here: https://www.gov.uk/government/publications/data-protection-if-theres-no-... . Since that date, there has been delay and there has also been a substantial further publicity drive by the UK government in preparation for leaving the European Union on 31.10.19. This date is still not certain. However, assuming for now that it is to happen and that it happens without an agreement between the United Kingdom and the European Union, the following notes may assist a data controller who seeks to manage his risk:

As stated in my previous post there is of course the obvious fact that after we leave, in the absence of agreement to contrary effect, the UK will no longer be a Member State (whether or not there is a "deal"). As a result of the UK ceasing to be a Member State there will be immediate differences between the GDPR as enacted in Brussels and the Data Protection Act 2018, which purports to exercise derogations that the UK was permitted to make while a Member State. Such derogations may not survive the UK ceasing to be a Member State and as such may immediately bring about a difference between UK and EU data protection law which can be exploited by aggrieved data subjects (in particular those in the EU) against UK data controllers who rely on such derogations. These differences represent an additional risk for data controllers based in the UK who are dealing with the personal data of data subjects who are "in the Union".

For the avoidance of doubt, remember that the GDPR makes no distinction regarding the data of persons who are citizens, residents or visitors. It is the data subject's location which determines whether they are protected by GDPR. As such, a UK citizen who happens, for whatever reason, to be "in the Union" when he makes his complaint can in all likelihood avail of the full protection of the terms of the GDPR as they apply, whether or not the controller is in the EU.

From the date that the UK leaves the EU the UK will be a 'Third Country' as far as data transfers from the EU to the UK are concerned. HMG says that there will be no such constraint for UK data controllers transferring data to the EU. Therefore, there is a non-reciprocal legal basis for transferring data between the UK and the EU.

Data Controllers should consider taking a 'lowest common denominator' approach to their data policies and business practices so as to minimise the likelihood of falling foul of these differences in the law which will come into effect on the date of departure.

This particularly applies to organisations (data controllers) whose data flows back and forth between the UK and the EU, even and especially in relation to cloud services, backup storage and day to day business operations.

The non-reciprocal treatment also applies to the transfer of personal data outside of the UK to countries not in the EU. There will need to be adequacy determinations made by the European Commission in respect of the UK and also adequacy determinations by the UK in respect of other non-EU destinations which currently benefit from such EU determinations (e.g. New Zealand, Canada, Argentina), and a replacement for the EU-US Privacy Shield agreement in respect of the USA. As a result, it is likely that data controllers regularly sending data to third countries will want to consider alternative arrangements to ensure that their data is being transferred lawfully in any hiatus following departure during which such arrangements have not been put in place or finalised.

Any organisation that may be relying on UK purported derogations in relation to their handling of personal data should take legal advice in advance of the departure date to avoid the risk of litigation from aggrieved data subjects in the European courts.

Note also that it is a clearly set out GDPR requirement that data controllers who are not located in the EU may need to establish a representative in the Union. This is a factor that ought not to be overlooked.

Data controllers who are dealing with the personal data of a person who may, from time to time, be "in the Union" are strongly encouraged to take advice in respect of the risks raised by the UK's departure from the EU, as are their insurers, and to conduct a refresher audit to ensure that these and other risks are ameliorated to the greatest possible extent.