The impact of Brexit on cybersecurity and data protection
The definitive departure of the United Kingdom from the EU will make the regulations that the EU has promulgated on cybersecurity and data protection formally inapplicable in British territory. Unless an agreement prevents it, there is a risk that data breaches and cyber incidents will increase, affecting the way of life of European societies, if both parties fail to reach solid agreements ensuring that the measures adopted so far are maintained, or even improved, after Brexit.
The starting point for reaching those agreements is the Withdrawal Agreement. This ARI analyzes the impact of the United Kingdom’s departure from the European Union on two matters of capital importance for the normal functioning of institutions, companies and citizens of the European continent, British or not: cybersecurity and data protection.
At midnight on January 31, 2020, the United Kingdom formally left the EU, triggering the entry into force of the so-called “Withdrawal Agreement”, which opens a transition period lasting until December 31, 2020. The purpose of the agreement is twofold: first, to set out the principles that underpin its implementation so as to guarantee an orderly exit; second, to develop the measures needed for the institutions, companies and citizens of both parties to adapt to the changes. Those measures range from the protection of the rights of EU citizens living in the United Kingdom (and, correspondingly, of British citizens residing in the EU) to the financial settlement between the United Kingdom and the EU and the guarantees intended to avoid a hard border between the Republic of Ireland and Northern Ireland, among others.
As is easy to imagine, the impact of Brexit on the immediate development of the EU is very significant, which makes it necessary to anticipate its undesirable consequences and adopt the appropriate measures to avoid or at least mitigate them. This paper sets out some initial reflections on two matters of capital importance: cybersecurity and data protection. In a connected world like ours, where threats from cyberspace do not stop at land borders, cybersecurity and data protection are not merely local issues: they interest and concern everyone and, consequently, must be dealt with jointly and in coordination by all those who are affected in one way or another. For years, the EU and the United Kingdom as a Member State have been aware of this reality and of how to address it, building a regulatory model capable of giving a common response to a common problem. Together they have analyzed the risks that cyberspace poses to the security of European citizens, their companies and their institutions in areas as important as privacy and data protection or the security of networks and information systems.
Cybersecurity and data protection in the Withdrawal Agreement
The agreement contains few details on cybersecurity and dedicates only a few specific actions to it, within section IV (“Thematic Cooperation”) of part III (“Security Partnership”) of the document. Both parties maintain cooperation, but on a voluntary basis, even on a matter of capital importance for European cybersecurity such as the exchange of information on incidents [1]. The same willingness to collaborate, but without firm commitments, is expressed in relation to the participation of the United Kingdom in the European Union Agency for Network and Information Security (ENISA), in the Cooperation Group of the Directive on Security of Network and Information Systems (NIS) and in the Computer Emergency Response Team for the EU institutions (CERT-EU) [2]. Looking to the future, both parties commit to continuing the dialogue and collaboration on the international governance of cyberspace [3].
The provisions on data protection offer, however, more reasons for optimism. In section I (“Basis for Cooperation”) of part I (“Initial Provisions”), the two parties agree to protect the data of their citizens and to facilitate transfers between the two systems, while retaining autonomy to decide the standards of each system [4]. To this end, the Commission and the United Kingdom will have to accredit the protection standards of their respective data protection systems, which will operate autonomously after the withdrawal (p. 9).
As is well known, the General Data Protection Regulation (GDPR) [5], in addition to applying to all entities based in the EU and to those that have EU citizens as users or clients, has extraterritorial effect and can therefore also affect non-EU countries. For this reason, UK companies must comply with the GDPR for as long as the transition period lasts and, if they continue to process personal data after it, must keep complying with the GDPR if they want to avoid the corresponding sanctions [6].
Currently, and until the end of the transition period, organizations processing personal data in the UK are required to comply with two regulations: the GDPR and the Data Protection Act (DPA) 2018 [7], as amended by the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019 [8], which integrate the requirements of the GDPR with the DPA in what has become known as the “UK-GDPR”. The differences between the latter and the GDPR are not very significant, but some deserve comment.
In relation to the rights of data subjects, the DPA protects the right to obtain a copy of one’s own personal data (access); to prevent processing that causes or may cause damage or other harm (limitation); to prevent processing for direct marketing purposes (prevention); to prevent decisions from being taken by automated means (objection); to have inaccurate personal data rectified, blocked, erased or destroyed in certain circumstances (rectification); and to claim compensation for damage caused by a breach of the law (compensation). The GDPR, for its part, introduces new rights and reinforces some of those already present in the British DPA, namely: the right to be informed about the data requested, the intended processing, possible disclosures to third parties, the retention period, etc.; to access the data being processed, as described above; to rectify personal data that is inaccurate or incomplete; to have one’s own personal data erased (right to be forgotten) and to prevent its processing in certain circumstances; to block or restrict the processing of personal data; to obtain and reuse one’s own personal data for one’s own purposes (portability); and other rights, such as the right not to be subject to potentially harmful decisions taken by automated means without human intervention.
In relation to the procedures, the following differences can be noted:
- The scope of application. While the UK DPA only applies to the UK, the GDPR applies to any organization that processes personal data of EU citizens, even if that organization is not based in the EU, which means that UK organizations that process data of EU citizens will have to comply with the GDPR even after the transition period.
- Commercial communications. Under the DPA, if an entity sends commercial communications directly to its clients or potential clients, all that is required is to offer recipients the possibility of opting out of the processing. Under the GDPR, companies must ensure that recipients have consented in advance and that, when consent is requested in order to collect data, the request is expressed in plain language and clearly explains how the data will be used.
- Access requests. Under the DPA, individuals have the right to obtain a copy of the information that organizations hold about them, and UK organizations may charge a fee of between £2 and £50 for handling the request, depending on its type. This right also exists in the GDPR, which does not set fixed fees but allows a charge to cover costs in certain cases, and which expressly requires that requests be satisfied within one month of receipt.
- Notification of data breaches. Under the UK DPA, notification of a data breach is mandatory only if the breach was also covered by the Privacy and Electronic Communications Regulations of 2003, which referred to any data security breach at telecommunications providers or Internet service providers. Under the GDPR, notification is mandatory if the breach involves a risk to the rights and freedoms of individuals, and the breach must be reported to the supervisory authority as soon as possible and within 72 hours of its discovery. Additionally, if the breach is likely to pose a “high risk” to individuals, the data subjects must also be notified directly.
- Sanctions. The DPA provides penalties of up to £500,000 for serious breaches. In the GDPR, penalties are capped at €20 million or 4% of global annual turnover (whichever is higher).
From all this it can be deduced that, since the GDPR is more demanding than the British DPA, many of the organizations in the United Kingdom that handle data may already be satisfying both regulations. As far as international data transfers are concerned, even though the UK has been reclassified as a ‘third country’, this should not make any significant difference to those same organizations for as long as the transition period lasts. Indeed, under the GDPR, the transfer of personal data from the European Economic Area (EEA) to third countries and international organizations is only permitted in certain circumstances, namely:
- If the European Commission has issued an adequacy decision declaring that there is an adequate level of data protection.
- If appropriate safeguards have been established, such as Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs).
- If the transfer is based on approved codes of conduct, such as the EU-US Privacy Shield [9].
On the other hand, most organizations that provide goods or services to EU residents or monitor their behavior will also have to appoint an EU representative in accordance with Article 27 of the GDPR. Therefore, since the United Kingdom has incorporated the requirements of the GDPR into its legal system, at least in their most significant aspects, it is to be expected that the Commission will adopt an adequacy decision to that effect, as it has already done for other countries and territories [10], an outcome that both parties hope to reach before the end of the transition period. However, if no adequacy decision is reached despite everything, on December 31, 2020 those organizations in the United Kingdom that process personal data of EU residents will have to resort to other safeguards, such as binding corporate rules or standard contractual clauses.
From an administrative point of view, after the transition period the British authority, the ICO (Information Commissioner’s Office), will no longer be a supervisory authority under the GDPR, which means that it will not be able to approve binding corporate rules (BCRs) for transfers of personal data from the EEA to the UK; these will need to be approved by a supervisory authority in one of the remaining 27 Member States. Since the sanctions for non-compliance with the GDPR in terms of data transfers to third countries or international organizations are high (up to €20 million or 4% of annual global turnover, whichever is greater), in case of failure to approve an adequacy decision,
We cannot conclude this section without mentioning the Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019, a legal instrument that introduces technical modifications to the rules on the notification of personal data breaches by electronic communications service providers and repeals redundant or inappropriate directly applicable EU legislation that would otherwise remain in post-Brexit UK law.
Cybersecurity of networks and information systems
In 2018, the United Kingdom published a proposal on the application of the Network and Information Systems Regulations 2018 (NIS) to digital service providers (PSD), whether established inside or outside the United Kingdom, so that such entities would know the implications of the exit from the EU in terms of cybersecurity once it was consummated.
The British NIS Regulation 2018 transposes into UK law the so-called EU NIS Directive, which aimed to create common standards across the EU for guaranteeing the security of the networks and information systems of the actors most significant to the normal functioning of States. It sought to address the risks that cyber incidents pose to European society by, among other measures, developing national cybersecurity capabilities and increasing the cooperation and incident-notification obligations of the entities within its scope [11].
This British standard, coinciding in scope with the NIS Directive, is addressed to two groups of entities: “operators of essential services” (such as organizations operating in the energy, transport, health, water and digital technology sectors) and “digital service providers” (such as online marketplaces, search engines and cloud computing services). It comes as no surprise that the UK Government has confirmed that the NIS Regulation 2018 will continue to apply in practice in the UK after Brexit, meaning that, at least until this rule is repealed, the essential requirements of the NIS Directive will continue to apply in full in the UK.
As is known, the NIS Directive requires PSDs not established in the EU but offering their services in the EU to appoint a representative in an EU Member State where the provider offers its services (art. 18.2). Once an EU representative has been appointed, the PSD must comply with the national law transposing the NIS Directive in the Member State where the representative is established. The representative must act on behalf of the PSD and be the point of contact with the relevant authorities in the country where it offers its services. In practice, this may result in some PSDs established in the United Kingdom having to comply locally with the provisions of the British NIS Regulation 2018 and, simultaneously, [12].
For its part, in relation to PSDs not established in the United Kingdom after Brexit, the British Government, which for this purpose must apply the legislation amending the NIS Regulation 2018, has expressed its intention to require such providers, when offering their services in the UK, to appoint a representative. The representative may be any natural or legal person established in the United Kingdom, and must be available to the Information Commissioner’s Office (ICO), responsible for regulating PSDs, and to the Government Communications Headquarters (GCHQ), responsible for ensuring compliance with the NIS Regulation 2018.
When it comes to data protection, what happens after the transition period will depend on the outcome of the negotiations between the EU and the UK. The default position is that the GDPR will be incorporated into UK law through the so-called “UK-GDPR”, although there could be developments in the way specific issues, such as data transfers between the UK and the EU, are handled.
In relation to the legislation derived from the NIS Directive, PSDs, whether established in the UK or not, providing services to the EU must appoint a post-Brexit EU representative. Similarly, PSDs established outside the UK that offer services there post-Brexit will need to appoint a representative within the UK.
PSDs that are subject to both the UK NIS Regulation 2018 and the national transposition of the NIS Directive in a Member State should consider establishing procedures to ensure effective monitoring of, and compliance with, the requirements of each regulator, on pain of significant penalties.
In any case, during the transition period derived from the Withdrawal Agreement, the corresponding agreements must be concluded to maintain or improve what has been the legal status quo in the field of cybersecurity and data protection in Europe in recent years. We hope so, for the benefit of all.
Graduate and PhD in Computer Science, Law graduate and lawyer specializing in ICT Law, professor at the Carlos III University of Madrid
[1] “The Parties reaffirm their commitment to promote security and stability in cyberspace through increased international cooperation. The Parties agree to exchange information on a voluntary, timely and reciprocal basis, including on cyber-incidents, techniques and origin of the attackers, threat-analysis, and best practices to help protect the United Kingdom and the Union from common threats”, p. 108.
[2] “In particular, the United Kingdom should cooperate closely with the Computer Emergency Response Team – European Union (CERT-EU) and, subject to the conclusion of an agreement as provided for in Union law, participate in certain activities of the Cooperation Group established under the Union’s Directive on Security of Network and Information Systems and of the European Union Agency for Network and Information Security (ENISA)”, p. 109.
[3] “The Parties should cooperate to promote effective global practices on cyber security in relevant international bodies”, p. 110. “The United Kingdom and the Union will establish a cyber dialogue to promote cooperation and identify opportunities for future cooperation as new threats, opportunities and partnerships emerge”, p. 111.
[4] “In view of the importance of data flows and exchanges across the future relationship, the Parties are committed to ensuring a high level of personal data protection to facilitate such flows between them”, p. 8.
[5] Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[6] The Withdrawal Agreement provides for the application of “EU data protection legislation” until December 31, 2020, with the possibility of extending this period for two more years. The General Data Protection Regulation (GDPR), the Law Enforcement Directive (EU) 2016/680, the ePrivacy Directive and any other provision regulating the protection of personal data are considered “EU data protection legislation” (European Data Protection Supervisor: “Information note on international data transfer after Brexit”, July 16, 2019).
[7] Data Protection Act 2018.
[8] Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019.
[9] At the time of writing these paragraphs, no equivalent agreement has been signed for transfers from the EEA to the UK.
[10] Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, Japan, Jersey, the Isle of Man, New Zealand, Switzerland, Uruguay and the United States (for companies adhering to the Privacy Shield). Talks with South Korea are ongoing.
[11] The NIS Directive was transposed into the Spanish legal system by Royal Decree-Law 12/2018, of September 7, on the security of networks and information systems.
[12] For example, a UK-based PSD affected by a cybersecurity incident may have to notify and liaise with multiple UK and EU regulators, each with their own reporting requirements and expectations.