With regard to the approaching date of 29 March 2019, when the United Kingdom of Great Britain and Northern Ireland is due to withdraw from the European Union, the law firm Taylor Wessing Czech Republic provides information on the possible impacts of hard Brexit on the processing of personal data on the territory of the UK. Hard Brexit means a situation in which the British Parliament does not agree to an EU withdrawal agreement, nor does it agree to postpone Britain's exit from the EU, and Britain will leave the EU without any agreement.
At present, there is a directly applicable regulation throughout the EU – the General Personal Data Protection Regulation 2016/679 ("GDPR"). Karin Pomaizlová confirms that: "In case of hard Brexit, the GDPR will cease to apply in the United Kingdom. However, on the basis of the extended territorial scope of the GDPR, this legislation will continue to apply to British businesses that process personal data from persons from EU Member States, for example as is the case with information service providers based in the United States of America. Under Article 3 of the GDPR, the GDPR applies to the processing of personal data of persons in the EU by a controller or a processor who is not established in the EU when offering such goods or services to such persons, regardless of whether for a consideration or not, or if it monitors the behaviour of these people within the EU. The GDPR will also continue to apply to the processing of personal data in connection with an establishment of a controller or processor within the EU. Most often, these are cases were British companies have an branch office in the EU and process the personal data of their employees, customers and suppliers across the EU. This shall not be a major problem, since in May 2018 British companies introduced procedures in line with the GDPR requirements."
As regards transfer of personal data in case of hard Brexit by EU enterprises tto organizations in the UK, the GDPR rules for the transfer of personal data to third countries shall apply to such transfer.
Martin Loučka, an associate lawyer at Taylor Wessing Czech Republic, adds: "Article 45 GDPR stipulates that the transfer of personal data to a third country without special authorisation is possible if the European Commission has decided that the third country in question ensures an adequate level of protection of personal data. Although, in the case of the UK, that will be a formality, until the European Commission decides that the UK provides an adequate level of protection, personal data can be transferred to entities established in the UK only by providing appropriate safeguards; in particular, according to the standard contractual clauses approved by the European Commission, in which case there is no need for a special authorization of the supervisory authority or on the basis of binding corporate rules approved by the competent supervisory authority of an EU Member State."
A Pomaizlová adds: "In case of hard Brexit, the change will further affect the processing of personal data of persons in the UK by contollers or processors established in the EU, i.e. the reverse transfer of personal data from the UK to EU Member States. This transfer will be governed by British law. Similarly to the GDPR, the UK Personal Data Processing Act will apply to all processing of personal data of persons in the United Kingdom, even if these are carried out by administrators or processors established outside the UK. This could have a real impact on Czech administrators and processors, such as ISPs, if among their customers are individuals from the United Kingdom. Although Britain has prepared a new national law on the processing of personal data within the terms of the GDPR, the EU controlles and data processors will need to become familiar with the regulations and their interpretation by the UK supervisory authority in detail."
Following the transfer of personal data between entities in the EU and the UK, in case of hard Brexit, it will be necessary to carry out a review of personal data processing agreements already in place or agreements between joint data controllers.
And Pomaizlová further states: "As regards the transfer of personal data of British persons to the EU Member States, the British Government has declared that even in case of hard Brexit, EU Member States will be considered as countries with adequate protection of personal data, in this current unclear and uncertain situation, until the UK authorities formally decide that the EU Member States provide adequate protection, it is good to be prepared to perform the transfer of personal data only on the basis of contractual clauses or binding corporate rules approved by the British authorities under British law ."
Similarly, as required by Art. 27 of the GDPR, controllers and processors established within the EU who process personal data of persons in the UK for the purpose of offering goods or services, whether for consideration or not, or who monitor the behaviour of such persons, shall be required to appoint a representative in the territory of the UK Kingdom. Furthermore, as regards binding corporate rules, these will have to be re-approved by the competent UK authority (see https://ico.org.uk/).
Loučka adds: "As a result of Brexit, the lead supervisory authority will also need to change if it has been the British office of the Information Commissioner. Similarly, if a Data Protection Officer established in the UK has exercised this role also for other affiliates within the EU, it will be necessary to appoint a new one established in the territory of an EU Member State. For controllers and processors who are required to appoint data protection officers under the GDPR, there will be a new obligation to appoint special data protection officers under UK law if they process personal data in relation to the UK."
If the event of an agreement on Brexit, the GDPR would continue to apply in the UK until 31 December 2020, until such time the transfer of personal data between the EU and UK would work as before. Depending on what transpirs on March 29, 2019, the law firm Taylor Wessing Czech Republic shall provide further information.
We refer to more detailed information from colleagues at TaylorWessing London: