Because the UK may leave the EU at the end of March 2019 without a deal having been reached between the UK and the EU, the UK government has been issuing technical notices in a number of areas to help organizations plan for that eventuality. One such notice was recently published about data transfers between the UK and the EU.
What’s the issue?
Under the EU General Data Protection Regulation (GDPR), organizations can only transfer personal data outside the EU if there is a legal basis for doing so, and those legal bases are very strictly defined. Because such transfers are not restricted within the EU, there are no data transfer issues as such between the UK and the EU for as long as the UK remains a member. But upon exiting the EU the UK will become a “third country” for the purpose of data transfers, i.e. the GDPR criteria for transferring data out of the EU will apply to transfers to the UK (even though the GDPR applies in the UK, and will continue to do so, and even though the UK applies high data protection standards through the UK Data Protection Act 2018).
One existing way under the GDPR to make data transfers to countries outside the EU is where the EU has made a so-called “adequacy decision” about a given country; so far such decisions exist for about a dozen countries in the world. The UK hopes that the EU will make an adequacy decision regarding the UK and is pushing for this to be done sooner rather than later. But the UK’s confidence that such a decision can eventually be made is by no means certain to be borne out, and pending any such decision, in a no deal Brexit scenario the legal framework governing data transfers from organizations in the EU to organizations in the UK would change. Organizations would therefore need to ensure that they can continue to transfer data legally.
What’s the UK government position?
The UK’s technical notice about this issue, entitled “Guidance – Data Protection if there’s no Brexit deal”, which can be found here: https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal, states as follows:
- As regards personal data sent from the UK to the EU: “In recognition of the unprecedented degree of alignment between the UK and the EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU. The UK would keep this under review”; and,
- As regards personal data sent from the EU to the UK: “If the European Commission does not make an adequacy decision regarding the UK at the point of exit and you want to receive personal data from organizations established in the EU (including data centres) then you should consider assisting your EU partners for those transfers. For the majority of organizations the most relevant alternative legal basis would be standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations on you and your EU partner, and rights for the individuals whose personal data is transferred. In certain circumstances your EU partner may alternatively be able to rely on a derogation to transfer personal data. We recommend that you proactively consider what action you may need to take to ensure the continued free flow of data with EU partners.”
What is the takeaway?
The takeaway is simply to have a Plan B in case there is a no deal Brexit:
- As the UK government guidance says, be proactive – do not leave this until the last minute; instead approach the organization(s) concerned for discussions about this as soon as you can;
- Consider which of the relevant GDPR legal bases are possibilities for your organization – as the UK guidance says, standard contractual clauses/model clauses are the most likely candidate, because realistically it is very difficult to meet the criteria of the other legal bases or to rely on a derogation;
- Put dates in your diary for when to action your choices; this would likely best be done between now and the end of the year. If you eventually choose standard contractual clauses/model clauses, whilst they can be turned around quite quickly given their nature (without forgetting that the schedules to them need to be completed), the logistics of possibly having many sets of agreements to sign off may take some time to complete;
- Once the chosen measures (including standard contractual clauses/model clauses) have been agreed upon, your privacy policies would also likely need to be revised to reflect the chosen arrangements.
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance, including:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For more on Navigator please see here: http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/.
See also our short film here on Brexit and Compliance, in which André Bywater and Jonathan Armstrong discuss how compliance might change post-Brexit. They look at a number of distinct areas of compliance, including modern slavery, sanctions and data protection, and walk through what businesses might want to do now to make sure they comply.
For more information please contact André Bywater or Jonathan Armstrong, who are lawyers with Cordery in London, where their focus is on compliance issues.
Office: +44 (0)207 075 1785
Office: +44 (0)207 075 1784