December 17, 2018
The notice provides more detail about how UK data protection law will work in the event the UK leaves the EU without a deal. It follows the Technical Notice the Government published in September 2018.
The EU (Withdrawal) Act 2018 (EUWA) retains the GDPR in UK law. The fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same.
To ensure the UK data protection framework continues to operate effectively when the UK is no longer a EU Member State, the Government says that it will make appropriate changes to the GDPR and the Data Protection Act 2018 using regulation-making powers under the EUWA.
Data controllers and data subjects
In a “no deal” scenario, the Guidance explains that responsibilities of data controllers across the UK will not change. The same GDPR standards will continue to apply in the UK and the Information Commissioner will remain the UK’s independent regulator for data protection.
Transfers to EEA countries (including EU Member States) and Gibraltar
The UK will transitionally recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data. This means that personal data can continue to flow freely from the UK to these destinations following the UK’s exit from the EU. The UK would keep all of these decisions under review.
As regards the flow of data into the UK, jurisdictions outside of the UK will provide their own rules. The Guidance states that UK organisations will need to work with their EU counterparts to make sure an alternative mechanism for transfer (such as standard contractual clauses) is in place.
Existing EU adequacy decisions
Where the EU has made an adequacy decision in respect of a country or territory outside of the EU before exit day, the UK Government intends to preserve the effect of these decisions on a transitional basis.
Recognising EU Standard Contractual Clauses
Provision will be made so that the use of Standard Contractual Clauses (SCCs) that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from the UK in a “no deal” scenario. Under the proposed regulations, the Information Commissioner will have the power to issue new SCCs after exit day.
Binding Corporate Rules (BCRs)
Existing authorisations of BCRs made by the Information Commissioner will continue to be recognised in domestic law. After exit day the Information Commissioner will continue to be able to authorise new BCRs.
Maintaining extraterritorial scope
The Guidance explains that the GDPR applies to controllers or processors based outside the EEA where they are processing personal data about individuals in the EEA in connection with offering them goods and services, or monitoring their behaviour.
The Government intends to retain the extraterritoriality of the UK’s data protection framework. This will mean that the UK framework will apply to controllers or processors based outside of the UK where they are processing personal data about individuals in the UK in connection with offering them goods and services, or monitoring their behaviour. This includes controllers and processors based in the EU.
UK representation for controllers
Where Article 3(2) of the GDPR applies, Article 27 of the GDPR requires a controller or processor not established in the EEA to designate a representative within the EEA. The requirement does not apply to public authorities or if the controller/processor’s processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale.
The Government intends to replicate this provision to require controllers based outside of the UK to appoint a representative in the UK.
The Government says that Regulations and more detailed guidance covering all the above points will be published in the next few weeks. To read the Government’s Guidance in full, click here.