GDPR: What Happens in the U.K. Post-Brexit?


First, let's get up to date on these two stories: GDPR and Brexit.

GDPR, which came into force on May 25 last year, is a European Union regulation binding on every E.U. member state (the U.K., for now, among them). It sets out rules for the collection, retention, management, and transfer of the personal data of European data subjects. (GDPR's own term is "personal data," which is broader than the North American "personally identifiable information," or PII; this article uses the two interchangeably.) That's a mouthful: we took a deep dive into the implications for North American brands here.

For U.K. brands, of course, it has meant special treatment for the personal data of people in the U.K. as well as people in the other member states (GDPR protects data subjects in the E.U. regardless of their citizenship); because, as we all know, the U.K. is an E.U. member state.

Until March 29, 2019, that is.

Okay, Brexit. Deep breath. If things go according to plan (and they might not), the U.K. is due to leave the E.U. on March 29, 2019. It might leave under negotiated conditions; it might leave with no deal in place. U.K. Prime Minister Theresa May has negotiated the conditions of departure with the other E.U. members, but the December 11 Parliamentary vote scheduled to ratify the deal was canceled on December 10, as it became clear that Parliament had no intention of supporting it.

The vote is now rescheduled for January 15. Some minor details of the deal may have changed, but odds still favor Parliament rejecting it, in which case May will have to pull a quite different deal out of thin air, or postpone the departure date, or leave with no negotiated deal at all.

All of which might well matter — politically at least — when it comes to the implications for GDPR.

I spoke with Dennis Dayman, chief privacy and security officer at Return Path, the email data and solutions vendor, and someone fluent in international privacy policy issues, about the uncertainty U.K. marketers currently face. One thing he's keen to point out is that the world won't change overnight for U.K. marketers and brands. "A negotiated Brexit could take up to two years to take effect" — meaning there should be a relatively orderly transition period. And in any case, as with U.S. brands, non-membership of the E.U. won't mean U.K. brands don't need to comply with GDPR in relation to data subjects in the remaining E.U. member states: the regulation reaches any organization, wherever established, that offers goods or services to people in the E.U. or monitors their behavior.

So business as usual? Not necessarily, Dayman explained. Once out of the E.U., the U.K. will be a "third country," in GDPR terminology. This raises issues for the transfer of PII of European data subjects — for example between international offices or subsidiaries of a company doing business both in the U.K. and in the E.U. Dayman identifies this as a major challenge, because "the majority of UK-based organizations already possess personal data from individuals living in the remaining E.U. member states."

The good news is that the preparation U.K. brands should already have undertaken for GDPR should stand them in good stead. Forget Brexit: in order to comply with the current European legal environment, brands should already know what personal data they are storing, the lawful basis (consent or otherwise) on which it's being retained, and whether it's the data of a European data subject. When (if?) Brexit happens, that should at least enable them to identify the data sets which require ongoing compliance with GDPR, especially when it comes to transferring data from the (remaining) E.U. member states to the U.K. — in simple terms, transferring it (post-Brexit) outside of the E.U.

Now to be clear, Dayman doesn't believe this is really going to be a major obstacle (and for what it's worth, I agree with him). The pattern for much European legislation has been that member states must meet the regulation's minimum requirements, but are entitled to enact more stringent rules within their own jurisdiction (GDPR, although directly applicable as a regulation, leaves room for national derogations in a number of areas). For example, if the bacterial count allowed for raw milk from other animals is a maximum of 500,000 bacteria per ml under E.U. law, there is nothing to stop a member state restricting the count to a more stringent 400,000 per ml.

The U.K., as Dayman points out, has a good record when it comes to data protection legislation. "They've been protecting data for decades," he said, and indeed the legislative record stretches back through the Data Protection Act 2018, which implements GDPR domestically, to the Data Protection Acts of 1998 and 1984. This means that the U.K. should be able to qualify for an "adequacy decision" from the European Commission. Such a decision would certify the U.K. as a third country with an adequate level of data protection in place through its domestic legislation, treaties, or other international commitments, allowing personal data to flow to it without further safeguards.

In other words, the U.K. is likely to get a clean bill of health. The U.S., note, has no such blanket approval. The so-called Safe Harbor program, under which the U.S. had been treated as adequate, was struck down by the Court of Justice of the European Union in 2015, largely on the grounds that U.S. government surveillance, as revealed by Edward Snowden, left European data subjects without adequate protection or legal redress. Its successor, Privacy Shield, covers only those companies that self-certify under it. Remember him?

The U.K. might even be so bold as to seek an "enhanced adequacy decision." As Dayman explains, this would mean not only that the U.K. would be certified a safe country for data transfer purposes, but also that the U.K.'s Information Commissioner would participate in the European Data Protection Board, the body responsible for the consistent application of GDPR across the member states.

This latter outcome, Dayman agrees, is unlikely; not least for political reasons. The E.U. has not been especially open thus far to the suggestion that the U.K. should be permitted to enjoy the fruits of membership while no longer being a member. In the case of a "no deal" Brexit — a perfectly possible outcome of the current situation — an application to sit at the data protection table is likely (by my estimation) to be flatly rejected.

But what if the U.K. (like the U.S.) is denied even a basic adequacy decision? It's still not the end of the world. Dayman points out that there are various mechanisms by which the data in question can be transferred from E.U. storage to third countries without an adequacy decision. "For example, there are standard contractual clauses," he said, "or binding corporate rules." Standard contractual clauses (SCCs) are model contract terms governing data transfer, adopted in advance by the European Commission and not requiring supervisory-authority approval each time they're used; the exporter and importer simply sign them. Think of them as data transfer templates.

Binding corporate rules (BCRs) exemplify self-regulation by brands (or corporations): internal data protection policies covering transfers within a corporate group, which the competent E.U. supervisory authority approves as providing adequate safeguards. The advantage of BCRs is that, once approved (a process that can take many months), they create little ongoing administrative burden. And these options don't exhaust the field: there are also derogations for specific situations, such as explicit consent from the data subject to the transfer, necessity for the performance of a contract, important reasons of public interest, necessity for the defense of legal claims, and, as a last resort, the "compelling legitimate interests" of the body (brand, corporation, authority) controlling the data. These derogations are meant for occasional transfers, not as a routine substitute for SCCs or BCRs, and all of them will doubtless be tested and clarified at some stage by the courts.

But the bottom line is that the U.K., as a third country without an adequacy decision, would be no worse off than the U.S.

Dayman told me that the over-arching message from all activity on the data protection front — from GDPR to CASL to the CCPA — is to stop collecting and storing unnecessary data. A focused data strategy? That's a good thing, for brands and marketers, surely? And the current Brexit limbo creates even more reasons for U.K.-based brands and marketers to future-proof their strategies against a range of possibilities.