In case you missed it, the Cabinet in Westminster has “agreed” Theresa May’s draft Brexit Agreement for moving the UK out of the EU next year.
Whilst the media continue to dissect the agreement and whether the Cabinet really does “back” the proposals, and discussions continue about the impact it has on the Northern Ireland border, the economy, what it will mean to business, etc., it’s also worth pointing out that the agreement includes some bits about data protection compliance too, which could have an impact on any UK business that currently processes, or wishes to process, EU citizen data in a post-Brexit world.
Remember that the GDPR requires that if you process EU citizen data outside the EU then it must only be done if adequate controls are in place for that processing. Essentially, you have to make sure that where the data is being processed has EU-equivalent data protection and privacy controls. That usually comes down to whether the country where the data is being processed has similar data protection laws approved by the EU or there is some kind of agreement in place (e.g. the EU-US Privacy Shield).
Of course, once the UK leaves the EU we will no longer be part of the EU and will potentially be seen as one of these “third countries”. That has ramifications for UK businesses, which could find themselves in a similar position to any company operating outside the EU and processing EU citizens’ data, particularly if they are either targeting EU citizens or if EU businesses are using them to process their data (remembering the wider definition of what processing means).
So, as with everything else Brexit related, it’s important that we understand the implications for our data processing. Essentially, we need to understand whether the UK will have equivalent, and therefore adequate, data protection controls in place (approved by the EU as such) and, if not, what kind of agreement can be put in place to ensure that we can continue to process EU citizens’ data going forward.
So, what does the Brexit draft say about data protection? Well, it is mentioned, and the EU very helpfully summarised it in their press release yesterday:
“Use of data and information exchanged before the end of the transition period
During EU membership of the United Kingdom, private and public bodies in the UK have received personal data from companies and administrations in other Member States.
The Withdrawal Agreement provides that, after the end of the transition period, the UK has to continue applying the EU data protection rules to this “stock of personal data”, until the EU has established, by way of a formal, so-called adequacy decision, that the personal data protection regime of the UK provides data protection safeguards which are “essentially equivalent” to those in the EU.
The formal adequacy decision by the EU has to be preceded by an assessment of the data protection regime applicable in the UK. In the case where the adequacy decision were annulled or repealed, data received will remain subject to the same “essentially equivalent” standard of protection directly under the Agreement.”
What this means in practice is that we’re probably looking at the following regime (all subject to agreement in Parliament and across the EU of course):
- UK businesses will need to continue to process EU citizens’ data collected or processed before Brexit according to EU standards (currently the GDPR) until a decision is made on the UK’s status with regards to “adequacy”
- The EU are going to want the UK to prove that, going forward, its data protection laws are adequate (and in line with the GDPR), but of course the Data Protection Act 2018 makes sure that the GDPR is part of UK law once we’ve left
- There’s still a chance the EU could decide that the UK does not have adequate data protection rules; if that is the case, pre-Brexit data will still need to be processed according to the GDPR regardless
That all seems reasonable. Why would the EU think the UK’s data protection laws don’t match those of the EU – after all, the ICO was involved in the discussions and drafting that led to the GDPR, they’re part of the EU group of data regulators (formerly the Article 29 Working Party) and we have the Data Protection Act 2018. Well, let’s hope it is that simple – after all, the EU doesn’t quite like some other things the UK has in place regarding data, such as its data retention policy.
The draft agreement is of course not the end of the Brexit debacle, nor of the debates or rhetoric, so we all need to keep an eye on what Brexit could mean for our EU data processing activities, now, during the transition and after we’ve left (assuming we do, of course!).