There is considerable uncertainty regarding the future relationship between the UK and the EU in relation to data protection. This news blog sets out the options open to UK businesses after withdrawal from the EU whether with an agreement or not. The piece only considers UK/EU data flows and does not cover the rest of the world. Neither does it consider any exemptions or derogations that may apply.
1). If a Withdrawal Agreement is reached
If an agreement is reached between the EU and the UK then a transition period will start on 29 March 2019 and will end on 31 December 2020. During this time the GDPR will continue to apply in the UK. Even after 31 December 2020 the GDPR provisions would still apply in the UK, as the European Union (Withdrawal) Act 2018 will incorporate the GDPR into UK law. (Essentially, what all of this means is that after the 29 March 2019 the GDPR provisions will still apply to the UK through the new Data Protection Act 2018 and any subsequent Withdrawal Agreement terms).
2). If a Withdrawal Agreement is not reached – (No-Deal Brexit)
A ‘no-deal’ Brexit will mean the UK will become a “third country” on the 29 March 2019 for the purposes of data protection law.
The UK’s status as a third country will have important consequences for incoming data flows from the EU. Under the GDPR, the transfer of personal data from a controller or processor organisation in an EU member state to a recipient located in a third country may only take place if specified conditions are met (Article 44 – GDPR). A number of these conditions are considered below, namely an ‘Adequacy Decision’, EU Standard Contractual Clauses (SCC’s) and Binding Corporate Rules (BCR’s).
2.1). Adequacy Decision
The GDPR provides that the European Commission can examine and then formally recognise a third country’s laws as ‘adequate’. This finding is known as an ‘adequacy decision’, and is based on a number of criteria, including that country’s data protection laws, rules of law and arrangements on law enforcement.
While the UK has indicated its willingness to start talks with the EU with regard to reaching an adequacy decision the European Commission has stated no such talks can take place until the UK is a third party.
a). What if the UK leaves the EU without an Adequacy Decision?
- The UK leaving the EU without an adequacy decision potentially has immediate implications for both UK and EU businesses as follows. For businesses operating in an EU member state, adequate safeguards may need to be implemented for any inbound transfers of personal data from the EU to the UK (such as SCC’s
- The Government has said that “given the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit [from the EU] continue to allow the free flow of personal data from the UK to the EU”. However, the Government guidance goes on to state that “the UK would keep this under review”
2.2). Standard Contractual Clauses (SCC’s)
On September 13, 2018 the UK Government published a technical notice, “Data protection if there’s no Brexit deal” which sets out the actions UK businesses are recommended to take to enable the continued flow of personal data between the EU and the UK in the event of no agreement. One such measure is the use of SCC’s. Provided it is clear what personal data is being exported, who the personal data will be transferred to, and how it will be processed, the clauses can be implemented relatively swiftly and without a formal application process.
The SCC’s have been adopted by the European Commission and the clauses should be used in the precise form approved by the European Commission. The clauses include contractual obligations between the data exporter and data importer and also include rights that are enforceable by data subjects.
While the current SCC’s were approved under the old-pre GDPR regime, it is expected that the SCCs will be updated to reflect GDPR, but the Commission has not yet published any proposals on this.
2.3). Binding Corporate Rules
Binding corporate rules are rules to govern the transfer of data between entities within a multinational group of businesses. The rules must be agreed with an appropriate ‘supervisory authority’ through an application process. However, the UK’s ICO will cease to be a “supervisory authority” for the purposes of the GDPR.
(This also means that organisations that previously considered the ICO to be their lead supervisory authority under the GDPR would need to consider which remaining EU member state’s supervisory authority is likely to be considered their lead supervisory authority. Organisations would need to engage with that authority in relation to for example data breach notifications.)
3). Other consequences of Brexit
- Organisations based in the EU without an establishment in the UK will be subject to the UK regime if their personal data processing operations involve the offering of goods or services in the UK.
- Organisations based in the UK without an establishment in the EU will be subject to the EU regime where their personal data processing operations involve the “offering of goods or services in the EU.
4). UK/EU data flows after 29 March 2019
|UK to EU||EU to UK|
|Up to 29 March 2019||Yes||Yes|
|After Brexit day (with no withdrawal agreement and no transition)||Yes (however the UK to keep under review).||No|
|After Brexit day (with agreement and during transition period)||Yes (Depending on terms)||Yes (Depending on terms)|
|After Brexit day (with agreement and after transition period)||Yes (Depending on the final terms of the withdrawal agreement)||Yes (Depending on the final terms of the withdrawal agreement)|
5). What can businesses do now?
Many businesses will have conducted data mapping exercises in readiness for the GDPR coming into force, with international data transfers a likely area of focus. Businesses should identify existing relationships, and start implementing SCC’s with controllers or processors so that these are in place for 29 March 2019. These are likely to be required even in a “deal” scenario.
Although the UK government has given positive indications that the status quo will be maintained for transfers out of the UK, there remains little certainty as to how this will be achieved. It is recommended that organisations review their existing data transfer solutions now and determine what steps should be taken to minimise any post-Brexit disruption of data flows.