As the UK’s transition period draws to an end, businesses need to understand the possible scenarios and their impacts on data privacy, data processing, and data residency in the different BREXIT scenarios.

Background

The General Data Protection Regulation (GDPR) is the primary European Union-wide regulation, incorporated into the laws of each member state of the European Union (EU) relating to data protection and privacy for all EU citizens and citizens of the European Economic Area (EEA) and the export and processing of that data outside the EU and EEA.  GDPR came into effect across the EU and EEA on 25th May 2018, establishing EU data residency requirements and more.

On the 26th June 2016, a non-binding referendum on the question of “Should the United Kingdom remain a member of the European Union or leave the European Union?” was held in the UK.  This referendum was passed by 51.89% to 48.11%.

A revised Withdrawal Agreement was reached between The United Kingdom and European Union at the European Council. This revised Withdrawal Agreement and Political Declaration were agreed at the European Council on 17th October 2019. This withdrawal agreement will terminate with at 23:00 GMT on 31st December 2020.

Possible Brexit scenarios

This blog examines the following possible Brexit scenarios:

• The UK leaves the EU under the terms of a new comprehensive agreement, either at the end of this year or on a mutually agreed extended date, a so-called Soft BREXIT; or
• The UK leaves with no new agreement in place, a so-called “Hard BREXIT”

There is another scenario: The UK does not leave the EU, which would result in no changes, this is therefore not addressed in this blog.

Soft BREXIT scenario

Departure under the terms of a new agreement would almost certainly preserve the conditions already explicitly addressed in the transition agreement; that the handling of data during the transition period and “After the end of the transition period, the UK will continue applying EU data protection rules to the current ‘stock of personal data’, until the EU, through an adequacy decision, establishes that the UK’s data protection rules provide safeguards which are essentially equivalent to those in the EU”.

The effect of this is that a UK data controller (for example, a company) can store and process personal data pertaining to EU citizens in the UK and the EU.  This is reciprocated so that an EU based data controller can process UK citizen’s personal data in the UK or the EU.

The UK maintains the necessary standards is only guaranteed during the transition period.  But assuming the necessary provisions are part of a final long-term agreement real risk that EU data in the UK would have to be repatriated would be mitigated.

Hard BREXIT scenario

The requirements of GDPR are already incorporated into UK law, therefore the UK government has created a position whereby the personal data of UK citizens can be processed in the UK or EU.

From the perspective of an EU based data controller, the situation is slightly different.  The EU GDPR places specific requirements on the processing of data outside the EU & EEA.  There are two primary requirements:

1. The processing of the data is conducted in compliance with EU legislation, which it would be in the UK has implemented GDPR and the necessary security and data processing standards.  To assist with this, the UK should rapidly work to become one of the countries with an adequacy decision from the EU.
2. There is consent.  Here the data controller needs to satisfy this requirement, and must establish or their current agreements with customers allows the processing of data in the UK, and if not, they would need to either:
   1. Secure consent; or
   2. Repatriate the data to the EU, EEA or an “adequate” jurisdiction.

A final consideration is just how the EU regulators will interpret Article 47, which may become more important for European companies with different data centre locations. They will need to demonstrate stricter data processing standards and show sufficient guarantees for data processing.

The effect of all this is that current UK law means the UK data can be stored and processed in the UK, in the event of a hard BREXIT it is possible that the situation could arise whereby EU data in the UK would need to be repatriated to the EU. It should be imperative for the UK government to ensure the UK becomes an accepted nation with EU recognised adequacy.

Conclusion

The eventuality of BREXIT need not present any insurmountable issues of data residency for data controllers in the UK or the remaining EU states.  Controllers in the EU, EEA and UK need to ensure that their data processing takes place in line with current GDPR and Security practices and also assure they have the necessary consent in place to guarantee compliance with GDPR.

This means that organisations wishing to store and process EU citizen’s data face immediate compliance risks in the event of a no-deal BREXIT at the end of the transition deal period.   

In short, the table below summarises the viable options: