Brexit and personal data – how to keep business flowing
Unless a deal is struck it is likely that after Brexit extra measures (such as ‘Standard Contractual Clauses’) will need to be put in place to legitimise transfers of personal data from organisations and individuals in the European Economic Area (EEA) to organisations in the United Kingdom (UK).
Alternatively, organisations could consider whether one of the GDPR transfer mechanisms would be appropriate, or whether one of the Article 49 ‘derogations’ applies. Transfers from the UK to the EEA are likely to be unaffected.
Under the GDPR personal data cannot be transferred outside of the EEA unless the rights and freedoms of the individuals concerned are protected. A ‘transfer’ includes not just sending personal data outside of the EEA, but also access to EEA personal data by individuals or organisations located outside of the EEA.
The safest transfer scenario is where the recipient is located in a country which has similar rules on data protection to the EEA, and which has achieved an ‘adequacy’ decision from the European Commission. If this is the case then no further steps are necessary to legitimise the transfer.
To date only 12 countries have received an adequacy decision, although Japan will shortly be added to the list and South Korea may follow.
Given that the UK has already implemented the GDPR, which will be retained after Brexit as ‘retained EU law’, an adequacy decision by the European Commission in favour of the UK would be the obvious solution to make sure that data flows freely across the UK border.
Mind the gap
The snag? In order to receive an adequacy decision there must be the political will from Brussels and from the UK to push forward the adequacy decision process unusually quickly. The process is usually lengthy and can take years. The European Commission has indicated that it is not yet ready to start discussions on an adequacy assessment, certainly not before the UK actually leaves the European Union (EU).
The UK Minister for Digital and Creative Industries, Margot James, warned on 23 October 2018 that although the UK Government’s primary goal is to ensure that an adequacy decision is put in place, the Government cannot guarantee that an adequacy decision will be in place on the day that the UK leaves the EU. This means that there will be at least some gap between the date of Brexit and the date that an adequacy decision is reached (if it happens at all).
Margot James promised that “the UK Government will ensure the free flow of data” even if there is no adequacy decision at Brexit, although it is not clear how the UK Government will achieve this for data flows from the EEA which are outside its jurisdiction.
How to bridge the gap
In September 2018 the UK Government published guidance on data protection in the event of a ‘No deal’ Brexit, confirming that:
- UK data protection law will stay the same after Brexit, as the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside the UK Data Protection Act 2018.
- Transfers from the UK to the EEA would be unaffected by Brexit.
- In the absence of an EU adequacy decision, most organisations which transfer personal data from the EEA to counterparties within the UK will need to rely on either Standard Contractual Clauses or one of the other GDPR transfer mechanisms.
- An alternative, where Standard Contractual Clauses are not feasible, could be to rely on one of the ‘derogations’.
- The Information Commissioner’s Office will continue to be the UK’s independent data protection supervisory authority.
- The UK’s current intention is to maintain close data protection ties with the EEA, including on enforcement action.
What should you do?
1. Standard Contractual Clauses
- Organisations based in the EEA could consider putting in place Standard Contractual Clauses. Organisations based in the UK can expect to receive requests from European counterparties to do so as Brexit draws near.
- For now, these may be a quick and relatively easy solution (but remember whenever signing such agreements that your organisation will be signing up to obligations and liabilities).
- However, these clauses are currently being challenged in the Irish Courts and may have a short lifespan, depending on the outcome of a potential reference to the Court of Justice of the European Union.
- The Standard Contractual Clauses can be found here.
- If you choose Standard Contractual Clauses, consider whether the controller to controller clauses or the controller to processor clauses are more appropriate to reflect the parties’ relationship.
2. Consider Article 49 derogations
- It may be possible to rely on ‘derogations’ such as consent instead, depending on the circumstances, but be aware that they are construed very strictly. The European Data Protection Board has issued guidance on this which can be found here.
There are other transfer mechanisms available under the GDPR (for example, consider Binding Corporate Rules if your organisation is part of an international group), but these may be time-consuming in a situation where time is of the essence.
As is the case for all matters Brexit, consider your options now to avoid being caught out: organisations must be able to act quickly once the position becomes clear. Brexit is not far away: don’t let your UK data flows dry up.