Following the overwhelming rejection of Theresa May’s Brexit deal on 15 January 2019, the possibility of a no-deal Brexit continues to be a real risk and many businesses are looking at what they need to do to prepare for this.
A key consideration is to ensure that data flows with group companies, partners and vendors can be legally maintained. In this connection, if the UK does exit Europe without a transitional arrangement, what will be the position in relation to data flows to and from the UK?
What does the GDPR say?
The GDPR prohibits transfers of personal data from the European Economic Area (the EU plus Norway, Liechtenstein and Iceland) (“EEA”) to a country outside the EEA (referred to in the GDPR as a “third country”) unless:
- that third country has been deemed “adequate” by a European Commission adequacy decision (for example, Switzerland has adequacy status); or
- one of a number of legal safeguards has been put in place beforehand. For most EU businesses transferring personal data to third countries which do not have “adequacy” status, the most convenient legal safeguard is the standard contractual clauses (or “SCCs”), a set of standard data protection clauses prescribed by the EU and entered into between the data transferor (in the EEA) and the data recipient (in the relevant third country).
Will the GDPR still apply?
The GDPR is here to stay post-Brexit regardless of whether there is a deal or no deal. This is because, on the day the UK leaves the EU, most of the EU law (including the GDPR) which applied prior to the UK leaving the EU will be converted into UK law. In addition, the new Data Protection Act 2018 (“DPA 2018”), which supplements the GDPR, will continue to apply in the UK regardless of the outcome.
What about transfers of data from UK to EEA?
When the UK leaves the EU, the UK will become a “third country”. The UK government has stated that, post-Brexit, UK businesses will continue to be able to send personal data from the UK to the EEA. Having said that, it has also said that the “UK would keep this under review”. Therefore, unless otherwise indicated by the UK government in future, the free flow of personal data from UK businesses to the EEA will continue.
What about transfers of data from EEA to UK?
The position is not the same in respect of data transferred from the EEA to the UK.
While the UK government has indicated its intention to begin discussions on an adequacy decision for the UK, the European Commission has not yet given a timetable for this and has stated that a decision on adequacy cannot be taken until the UK is a third country. In any event, such decisions typically take many years to conclude. Therefore, for the time being, EU organisations will need to implement one of the appropriate legal safeguards (the SCCs usually being the most convenient option) in order to continue to transfer personal data to businesses in the UK.
What about transfers of data from UK to other territories?
In relation to transfers from the UK to other territories, the EU’s existing decisions on adequacy and SCCs that were in place on Brexit day can continue to be used after Brexit to ensure the free flow of data. Longer term, these adequacy decisions and SCCs will fall under the responsibility of and will be reviewed by the UK ICO rather than the European Data Protection Board.
Other issues to consider
Aside from the issue of international data transfers, there are some other issues to consider upon the UK exiting the EU:
- If you market to EU consumers, or you monitor the behaviour of individuals located in the EU, you will need to comply with both the UK data protection regime and the EU regime after the UK exits the EU, due to the extra-territorial reach of the GDPR. This carries with it the potential for regulatory actions including fines from both EEA authorities and the ICO, in the event of a data breach or infringement of data laws.
- The GDPR requires a controller or processor not established in the EEA to designate a “representative” within the EEA in certain circumstances where they are processing the personal data of data subjects who are in the EEA. This is not a straightforward matter; the “representative” is a separate role to a data protection officer and may assume some direct compliance responsibility.
- Likewise, controllers that are based outside the EU but that target UK customers (and are therefore subject to the UK GDPR) will be required to appoint a UK representative.
- As well as dealing with the UK ICO, you may have to deal with European supervisory authorities in every EEA and EU state where individuals are affected. You may no longer be able to have a “lead authority” and benefit from the One-Stop-Shop. The One-Stop-Shop means you can deal with a single European supervisory authority rather than every supervisory authority in every EEA and EU state where individuals are affected.
- Privacy notices may need to be updated in relation to international transfers and the appointment of a representative.
We are advising a number of clients on preparations for a no-deal Brexit. Contact us to explore how we can assist you.
Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at firstname.lastname@example.org