Rules and regulations differ vastly from country to country. Something normal in one country can be a severe crime in another. Every citizen must abide by the laws and regulations of their country, which helps keep the country’s economy working peacefully. There are different rules for different activities, ranging from employment rules to residential rules and even data protection rules. Yes, even data protection and storage are governed by different laws in different countries. Let’s have a look at Data Considerations for Brexit.
One of the most important resources that a company possesses is its Data. Data can include strategic information or the database of the customers of the firm. The company might maintain some information which is sensitive and needs to be secured. However, Data Storage or Data Transfer rules for companies differ from country to country.
The Birth of Brexit
Brexit is one of the biggest things going on in the EU today. The word is used in place of ‘British Exit’ and refers to the United Kingdom’s decision to leave the European Union (EU). On June 23, 2016, a public vote known as a ‘referendum’ was held. The main question was whether the UK should stay a part of the EU or leave. About 48% of votes went to the ‘Stay’ side. However, 52% went to the ‘Leave’ side, thus finalising that the UK will leave the EU.
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA.
The primary aim of the GDPR is to give individuals control over their data. It also simplifies the regulatory environment for international business by standardising regulation within the EU. The GDPR became applicable in all EU member states, including the UK, on May 25, 2018. However, what lies in the future for the UK is unpredictable.
A detailed study of Brexit and Data Consideration
As per the Referendum, the UK had to exit the EU by March 29, 2019. However, the withdrawal agreement between the UK and the EU has been rejected three times by UK MPs. An extension was therefore granted until October 31, 2019. However, if the agreement between the UK and the EU is ratified before that date, the UK might have to leave at that time. There would be a lot of problems if the UK leaves the EU. One of those is Data Considerations, i.e. the permissions and rules for Data Transfer, Storage and Protection.
If the UK leaves the EU, the transfer of data from UK-based to non-EU-based companies will have several consequences. These depend on whether or not the firm is based in a country which holds an adequacy decision from the EU Commission.
Let us have a look at what the consequences would be if the UK separates from the EU:
A) Brexit Effect on UK Companies
If there is no Exit Agreement between the EU/EEA and the UK, i.e. a no-deal Brexit, the UK will become a third country with effect from 00:00 on November 1, 2019. Therefore, in the absence of an adequacy decision, the transfer of personal data from the EU/EEA to the UK will have to be based on one of the following instruments as of November 1, 2019:
a] Standard or Ad hoc Data Protection Clauses
b] Binding Corporate Rules
c] Codes of Conduct
d] Certification Mechanisms or Derogations
As of now, the UK Government allows the free flow of personal data from the UK to the EU/EEA, and this is going to continue in the event of a no-deal Brexit.
B) Non-EU-based companies (including US companies that do not have the Privacy Shield Framework certification)
Companies established in countries that benefit from an adequacy decision should be distinguished from those that don’t. As of now, only a certain number of countries/regions, such as Andorra, Argentina, Faroe Islands, Japan and Jersey, have been granted an adequacy decision by the EU Commission.
a) If there’s an adequacy decision
If a company is based in a country that benefits from an adequacy decision from the EU, there are two possible situations to keep in mind:
- Exit Agreement with the UK
Under these circumstances, a Transition Period will be put in place, which will allow data to continue flowing in the same way as it does currently.
- No Exit Agreement (or after Transition Period)
If the company is non-EU-based, it won’t be able to rely on the adequacy decision to transfer data with the UK. To make the transfer lawful, the company will have to rely on other data transfer mechanisms such as Standard or ad hoc Data Protection Clauses, Binding Corporate Rules, Codes of Conduct and Certification Mechanisms or Derogations.
b) If there’s no adequacy decision
If the company is based in a country which does not have an adequacy decision from the EU, the exit of the UK won’t affect it, and the conditions applicable to data transfers with the UK won’t change. However, as the UK Data Protection Act, which is the national law, will still be applicable after the UK’s exit, the following data transfer mechanisms will be relevant: Standard or ad hoc Data Protection Clauses, Binding Corporate Rules, Codes of Conduct and Certification Mechanisms or Derogations.
C) Privacy Shield and Brexit Data consideration
This section is about US-based companies that are Privacy Shield certified. The Privacy Shield is the name given to the adequacy decision granted by the EU Commission under Article 45 of the GDPR. This shield ensures that the protection level provided by a US company holding this certification is equivalent to the one which exists in the EU. Therefore, the transfer of data from the EU to such a US company is more straightforward and involves fewer legal restrictions.
D) Position of Iceland, Liechtenstein and Norway
The EEA Agreement incorporated the GDPR on July 6, 2018. This implies that Iceland, Liechtenstein and Norway apply the GDPR rules. The UK Government published an agreement on the issues of separation with Iceland, Liechtenstein and Norway on December 20, 2018. Specifically, this agreement includes a deal on citizens’ rights that protects the rights of EEA EFTA nationals in the UK and UK nationals in the EU/EEA, so that they can continue contributing to their communities and live a free life as they do now.
Title IV of this agreement concerns “Data and Information processed or obtained before the end of the Transition Period, or based on the Agreement.” The provisions in this title aim at maintaining the same level of protection for data processing that exists currently. The rules would be the same for the EEA countries, similar to the situation explained under the Privacy Shield Framework. Therefore, in the event of a transition period, the UK will still have to guarantee an adequate level of protection.