Fintechs and post-Brexit data protection compliance
Access to data is essential for any fintech, but increasingly strict privacy laws around the world are becoming the greatest impediment to the exploitation of data. Moreover, fintechs need the trust and confidence of the market in order to survive and thrive.
Failure to implement lawful compliance mechanisms can trigger regulatory investigations, fines, and damages claims, all of which could undermine that trust and confidence. Fintechs should therefore be wary of the additional data protection compliance challenges that will be triggered by the UK’s exit from the EU, which is currently scheduled for 31 October 2019 – Brexit – and implement strategies to address those challenges.
Overall impact of Brexit
At the point of Brexit, the UK will become a “third country” for the purposes of EU law (i.e. it will no longer have the rights or obligations of an EU Member State). Third countries are not subject to the application of EU law, or the jurisdiction of the EU institutions, such as the Court of Justice of the European Union, the European Commission, and the European Parliament. As a result, UK-based fintechs will face a changing legal environment following Brexit.
Data protection compliance obligations post-Brexit
EU data protection law is predominantly set out in the European General Data Protection Regulation (GDPR) which applies directly in all EU Member States. The principles set out in the GDPR will continue to apply in the UK post-Brexit, due to the European Union (Withdrawal) Act 2018 (the Withdrawal Act) and the Data Protection Act 2018 (the 2018 Act).
The Withdrawal Act enshrines into UK domestic law all EU laws that apply as at the date of Brexit, including the GDPR. The 2018 Act incorporates the principles set out in the GDPR and addresses a range of topics not governed by EU law (e.g. law enforcement, freedom of speech and national security). Brexit is not going to take away the obligation to satisfy the principles set out in the GDPR. Thus, in practical terms, UK fintechs will continue to be subject to essentially the same compliance obligations that they face currently.
Data protection compliance post-Brexit – the key changes
Data protection laws in the UK are enforced by the Information Commissioner (ICO). Post-Brexit, the ICO will no longer be a member of the European Data Protection Board (EDPB), an EU-level advisory body made up of representatives from the regulator of each EU Member State. This means that the UK will no longer be able to directly influence the data protection-related guidance and decisions issued by the EDPB. This may lead to divergence between the UK and the EU over time.
Establishment: The location of a fintech’s establishment is a key factor when determining the data protection laws applicable to it.
A fintech will be considered established in the UK if it was incorporated or formed under the laws of the UK, or if it has an office or branch in the UK. For instance, a fintech incorporated as a UK limited company will be subject to the GDPR and the 2018 Act.
Similarly, a US fintech that has an office or branch in the UK will also be subject to the GDPR and the 2018 Act. In this example, the fact that a US-based fintech has an office or branch in the UK does not necessarily expose the entire business to the application of the 2018 Act, but the processing of personal data carried out in the context of that specific office or branch will be subject to the 2018 Act.
Post-Brexit, the principle of establishment does not change; however, fintechs established only in the UK will be subject to only the 2018 Act (and the UK version of the GDPR principles, set out in the 2018 Act) but will not be subject to the GDPR itself, with respect to their UK-facing business activities. Fintechs established in the UK which continue to conduct EU-facing activities post-Brexit (e.g. offering services to EU consumers, or monitoring the behaviour of individuals in the EU for KYC/AML purposes) will be subject to the 2018 Act and the GDPR. In addition, local data protection law in the relevant EU Member State(s) may also apply. In practical terms, this will make it more complex for fintechs doing business in both the UK and the EU to identify their compliance obligations.
The one-stop-shop: The GDPR introduced a regulatory “one-stop-shop”, which essentially allows businesses established in the EU to interact with a single regulator for data protection purposes, rather than having to face separate national regulators in each EU Member State. In principle, this makes it easier to do business across the EU.
For example, at present, a fintech established in the UK, processing personal data of individuals in France, Spain, and Italy, will have the ICO as its lead regulator. The ICO will manage enforcement and complaints against that fintech, and it will do so on behalf of (and in cooperation with) the regulators in France, Spain and Italy. In this way, the one-stop-shop streamlines enforcement, and simplifies interactions with EU regulators.
Following Brexit, UK-based fintechs will no longer benefit from the one-stop-shop system. This is likely to result in UK fintechs being required to deal with multiple EU regulators, each with varying interests and issues. UK fintechs doing business in the EU will be exposed to any divergences in enforcement and interpretation between the ICO and the relevant EU regulators. There is no clear means of reducing this risk, other than being aware of it and being prepared to engage with multiple regulators if required.
International transfers: Restrictions on international transfers of personal data will have a significant impact on UK and EU fintechs following Brexit. At present, fintechs (like any other business) can freely transfer personal data within the EU, and with other “adequate jurisdictions”, without the need to implement any international transfer mechanism. However, following Brexit, the UK will not automatically be regarded by the EU as an adequate jurisdiction (despite having essentially identical data protection laws to the EU). Unless the UK is able to negotiate adequacy status, transfers of personal data to the UK from the EU after Brexit will be subject to the same strict compliance requirements that currently apply to transfers of personal data from the EU to other third countries that lack adequacy decisions.
For its part, the UK Government has confirmed that transfers of personal data from the UK to the EU will continue to be permitted post-Brexit (i.e. transfers of personal data out of the EU are likely to pose a challenge post-Brexit, but transfers into the EU are not).
Fintechs that have interests, operations or business relationships in both the UK and the EU may need to re-evaluate their data transfer strategies. For many fintechs, this will involve the implementation of data sharing agreements in the form of Standard Contractual Clauses (i.e. standard form contracts issued by the European Commission that cannot be amended). Alternatively, some fintechs may wish to implement Binding Corporate Rules, which are much more flexible in their drafting, but which: (i) are slow to implement because they must be negotiated with EU regulators, and (ii) only cover intra-group transfers. Fintechs that only have interests in the UK are still likely to be affected by this issue, as it will become more difficult to do business with EU-based customers and service providers without implementing a valid data transfer solution.
UK fintechs should also consider the language in existing contracts relating to international transfers of personal data. It is common for contracts to include language that prohibits the transfer of personal data to recipients located in “non-EEA jurisdictions”. Such language could inadvertently restrict transfers of personal data within the UK itself. For example, an Edinburgh-based fintech that is subject to a contractual obligation prohibiting the transfer of personal data to any recipient located outside of the EEA may effectively be prevented from continuing to use a processor based in London, on the basis that London will be outside the EEA after Brexit.
Appointment of an EU representative: Post-Brexit, UK businesses that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU, will be subject to the GDPR and will be required to appoint a “representative” in the EU, subject to some limited exceptions. The representative must be located in one of the EU Member States in which that UK business offers goods or services, or monitors individuals. The representative acts as an EU point of contact for both regulators and individuals. There are a number of commercial service providers that will serve as representatives for a fee. However, as representatives often face liability for non-compliance by the non-EU parties they represent, it is important to check the liability provisions in any agreement with such service providers.
Changes to privacy notices: Fintechs, like all businesses, are required to tell affected individuals how their personal data will be processed. This is usually done through internal and external privacy notices, or privacy policies. UK fintechs should review existing privacy notices and policies, to assess the extent to which these documents require updating.
For example, it may be necessary to revise the details of any representatives appointed, and to add details of any international transfers of data from the EU to the UK. Such updates can generally be carried out quickly and cheaply, but their importance should not be underestimated. In the event of a complaint against a fintech by an individual, the first document a regulator is likely to review will be the fintech’s public-facing privacy notice. If that document is out of date, or otherwise non-compliant, the risk of the regulator launching an investigation is significantly higher.
Overall impact on business
In light of Brexit, compliance with data protection law in the UK and EU will become more complex and challenging for businesses operating across these jurisdictions.
Fintechs wishing to ensure a smooth transition once the UK leaves the EU should take steps now to understand the likely impact of Brexit on their data protection compliance obligations, and develop a clear plan to address those obligations as early as possible. Implementing sensible and pragmatic compliance strategies early will help ensure a minimum of business disruption, as well as reducing the risk of investigations and fines for non-compliance, in the wake of Brexit.
By John Timmons, associate, and Tim Hickman, partner, at White & Case