Brexit and the implications for cyber security and data protection
The current lack of a definitive answer as to whether the UK will leave on a ‘Deal’ or ‘No Deal’ basis means that the implications of Brexit for cybersecurity and data protection issues cannot be stated with certainty.
The current situation
The General Data Protection Regulation (GDPR) became law across the whole EU in 2018. The UK applies GDPR using the Data Protection Act 2018 (DPA 2018), which means that when the UK does proceed with departure from the European Union, it will carry with it a carbon copy of GDPR. The UK Government has given every indication that it will maintain close alignment with GDPR after Brexit.
Unlike data, where both the EU and UK demonstrate a principal concern for the integrity of personal data, cybersecurity concerns a vast space of industries and markets in which almost all transactions are digitised.
With so much business activity now conducted online, Brexit could lead to changes in two crucial areas:
- The UK’s access to intelligence and support from EU cyber security agencies.
- The EU’s rating of UK cybersecurity in its broader assessment of the UK as a secure trading partner.
The websites and blogs serving the cybersecurity industry also warn that the industry’s skills shortages may be exacerbated in the UK, especially if living standards slip and EU ex-pats leave.
There is no EU law concerning cybersecurity from which the UK is about to extricate itself. However, the EU is actively developing its Network and Information Systems (NIS) Directive, which could feasibly be made law within the two-year transition period set out in the Withdrawal Agreement (should that agreement be ratified). The NIS Directive will require businesses to report cyber attacks and demonstrate corrective improvements to their cybersecurity, or risk fines.
Subject to a ratified Withdrawal Agreement, the UK intends to establish a single regime for general data processing activities known as the UK GDPR. The regime will combine the current Data Protection Act plus additional measures to address data processing concerns which are not within the current scope of GDPR (EU version).
It should also be noted that the EU requires any international trading partner acting on the personal data of EU citizens to respect GDPR. This limits the possibility of deregulation in the UK, which aims to establish a uniquely close trading partnership with the EU, post-Brexit.
There is a huge incentive for the UK and EU to make common cause against cyber criminals after Brexit. It is expected that the necessary deals will be done to preserve intelligence sharing – but there is also concern that future arrangements will not be as efficient as the integrated system of which the UK is currently part. Several cybersecurity commentators have predicted an increase in cyber attacks on the UK as criminals look to exploit expected gaps in the UK’s defences.
Data protection on the basis of ‘Deal’ or ‘No Deal’
Of immediate concern to the directors of companies which make use of personal data are the UK’s intentions should there be no ratified Withdrawal Agreement (‘No Deal’).
Looking at a managed exit first, the UK Government has prepared draft legislation entitled The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
The Explanatory Memorandum for the new regulations illustrates the UK’s intention to remain closely aligned with GDPR:
- The European Commission and European Data Protection Board (EDPB) would no longer have competence in relation to the regulation of personal data in the UK post-exit.
- The amendment introduces a single regime for general processing activities known as the UK GDPR.
- There are deficiencies that arise as a result of the UK’s Exit from the EU. Appropriate amendments have been made to correct these.
- This instrument maintains the data protection standards that currently exist under the GDPR and the DPA 2018 and introduces a newly merged regime for general processing activities (covering matters that were in and out of scope of the GDPR prior to Exit Day).
- It also maintains the extra-territorial scope of the GDPR, so that controllers or processors based outside the EEA which are processing UK residents’ data for the purposes of providing goods and services or monitoring behaviour will continue to be covered by the UK GDPR, and extends this to cover such processing by controllers and processors in the EEA.
- Functions conferred on the European Commission by the GDPR will be transferred to the Secretary of State and/or the Information Commissioner.
In the event of No Deal
The UK Government issued updated ‘No Deal’ data protection guidance in February 2019 entitled Amendments to UK data protection law in the event the UK leaves the EU without a deal on 29 March 2019. This updates the advice issued in the September 2018 notice Data protection if there’s no Brexit deal.
In abridged form, here is what the UK Government intends to do in a ‘No Deal’ scenario:
Data controllers and data subjects
In a ‘No Deal’ scenario, responsibilities of data controllers across the UK will not change. The same GDPR standards will continue to apply in the UK and the Information Commissioner will remain the UK’s independent regulator for data protection.
Transfers to EEA countries (including EU Member States) and Gibraltar
The UK will transitionally recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data. This means that personal data can continue to flow freely from the UK to these destinations following the UK’s exit from the EU. The UK would keep all of these decisions under review.
Existing EU adequacy decisions
Where the EU has made an adequacy decision in respect of a country or territory outside of the EU prior to Exit day, the UK government intends to preserve the effect of these decisions on a transitional basis.
Recognising EU Standard Contractual Clauses
Provision will be made so that the use of Standard Contractual Clauses (SCCs) that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from the UK in a ‘No Deal’ scenario. In practice this means that organisations that transfer personal data to organisations overseas on the basis of SCCs can continue to rely on them.
Existing authorisations of Binding Corporate Rules (BCRs) made by the Information Commissioner will continue to be recognised in domestic law.
Maintaining extraterritorial scope
The EU GDPR applies to controllers or processors who are based outside of the EEA where they are processing personal data about individuals in the EEA in connection with offering them goods and services, or monitoring their behaviour.
The Government intends to retain the extraterritoriality of the UK’s data protection framework. This will mean that the UK framework will apply to controllers or processors who are based outside of the UK where they are processing personal data about individuals in the UK in connection with offering them goods and services, or monitoring their behaviour. This includes controllers and processors based in the EU.
UK representation for controllers
Where article 3(2) of the EU GDPR applies, article 27 of the EU GDPR requires a controller or processor not established in the EEA to designate a representative within the EEA. The requirement does not apply to public authorities or if the controller/processor’s processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale. The Government intends to replicate this provision to require controllers based outside of the UK to appoint a representative in the UK.
Advice to businesses from the Information Commissioner’s Office
The Information Commissioner’s Office (ICO) has issued guidance for use in a no-deal situation, including case studies and scenarios, entitled Data protection if there’s no Brexit deal.
Key to the ICO advice are six steps:
- Continue to comply: Continue to apply GDPR standards and follow current ICO guidance. If you have a DPO, they can continue in the same role for both the UK and Europe.
- Transfers to the UK: Review your data flows and identify where you receive data into the UK from the EEA. Think about what GDPR safeguards you can put in place to ensure that data can continue to flow once the UK is outside the EU.
- Transfers from the UK: Review your data flows and identify where you transfer data from the UK to any country outside the UK, as these will fall under new UK transfer and documentation provisions.
- European operations: If you operate across Europe, review your structure, processing operations and data flows to assess how the UK’s exit from the EU will affect the data protection regimes that apply to you.
- Documentation: Review your privacy information and your internal documentation to identify any details that will need updating when the UK leaves the EU.
- Organisational awareness: Make sure key people in your organisation are aware of these key issues. Include these steps in any planning for leaving the EU, and keep up to date with the latest information and guidance.
The issue of ‘Adequacy’
The European Union requires that the countries it exchanges data with operate acceptable data protection standards. This is known as ‘Adequacy’.
A Withdrawal Agreement would be expected to provide adequacy status.
A ‘No Deal’ exit would require an application to achieve adequacy status.
The adoption of an adequacy decision involves:
- A proposal from the European Commission
- An opinion of the European Data Protection Board
- An approval from representatives of EU countries
- The adoption of the decision by the European Commission
“Adequacy findings take a lot of work even if [the UK] is fully compliant with the GDPR,” Giovanni Buttarelli, Europe’s data protection supervisor, told the Financial Times. “Adequacy could take years.”