On July 16, the European Data Protection Supervisor (EDPS) published an information note detailing the different scenarios which may arise for international transfers of personal data to the United Kingdom from the EU in the event of a deal/no-deal Brexit.
With the proposed exit date of 31 October approaching fast and the prospect of the UK leaving the EU without a deal becoming ever more likely, organisations that are unfamiliar with the process and methodology of international transfers of personal data to third countries should begin their preparations for both eventualities immediately. The earlier such preparations are undertaken, the smoother the transition will be for their operations come 00:00 UTC on 1 November 2019, if the UK formally becomes a third country for the purposes of the GDPR.
Scenario 1 – Exit with a deal (i.e., the withdrawal agreement)
This scenario would present the least friction for international transfers as Title VII of the negotiated withdrawal agreement (WA) contains a “transition period” for personal data transfers post Brexit. This transition period would see EU data protection laws continue to apply in the UK until 31 December 2020. In this case, there will be no operational change for organisations come 1 November 2019 for the short term.
An option for a further two-year extension to this transition period is also available, allowing valuable time to negotiate a solution, which may take the form of either an adequacy decision or a mechanism similar to the EU – U.S. Privacy Shield.
However, there is one major roadblock for Scenario 1 – ratification of the withdrawal agreement has failed in the UK Parliament on three separate occasions. Furthermore, it is also unlikely to be presented for a fourth vote under the new Johnson government due to disagreements between the UK and EU over other sections of the Treaty. Only time will tell if the Title VII provisions will be carried over into an amended withdrawal agreement, or an entirely new deal – something the EU has ruled out at this stage.
Scenario 2 – Exit without a deal (i.e., no-deal Brexit)
In the event of a “no-deal Brexit”, the UK would not benefit from the Title VII transition period, meaning a transfer of personal data to the UK from the EU will be considered a “restricted transfer” under the GDPR immediately on 1 November. The UK will be subject to the Chapter V requirements for international transfers, which include:
- Article 45 – Transfers on the basis of an adequacy decision;
- Article 46 – Transfers subject to appropriate safeguards;
- Article 47 – Binding corporate rules; and
- Article 49 – Derogations for specific situations.
These mechanisms are already widely used by organisations that transfer personal data between the EU and third countries, but will require some adaptation for organisations not accustomed to them. The fundamental principle behind Chapter V is that the rights of EU citizens must be maintained, including their right to exercise their enforceable and effective data subject rights.
Steps organisations can take now in order to be prepared
With a no-deal scenario now presenting itself as a real possibility, organisations should begin planning their post-Brexit international transfers immediately. The first steps to be taken are:
- Consult your organisation’s record of processing to identify and map all processing activities involving EU citizen personal data;
- From Chapter V provisions, decide which available data transfer mechanism best suits each processing activity’s individual situation;
- Beginning with the processing activities which present the highest risk, implement the chosen data transfer mechanism before 00:00 1 November 2019;
- Update internal documentation, including data protection policies and processes, to reflect the changes the organisation has implemented; and
- Update your front-facing privacy notice to inform EU data subjects of the methods your organisation has put in place to protect their data.
Whilst the status of data transfers to the UK post-Brexit has not received the widespread media attention that other areas of the UK’s exit from the EU have, it remains one of the most important challenges for organisations moving forward. An ideal situation would see a deal reached between the two parties, but those best prepared for the worst-case eventualities will limit operational hindrances should a no-deal situation come about.
If you wish to talk more about the issues discussed in this article, or any other matter concerning data protection, please visit the Trilateral Data Governance page and do not hesitate to contact a member of Trilateral Research’s DPO team, who will be happy to assist you.
If you would like to read the EDPS’s information note in full, you can find it here.