In September 2018, the UK Government issued advice on how data protection regimes may be impacted by a “No Deal” Brexit scenario. The article outlines some key issues that UK organisations should consider if the UK leaves the European Union without an agreement on data protection. Information from the summary indicates that although the situation will be addressed in the long term, it is likely that there will be a difficult, confusing and high-risk interim phase. UK and European organisations will have to proactively work together to update their data processing policies and agreements and identify, justify and document legal bases for data to be transferred from the European Union (EU) to the UK (Norway, Iceland and Liechtenstein are party to the Agreement on the European Economic Area (EEA) and participate in EU arrangements. Therefore, this article also covers the data transfer between the UK and EEA).
Under a “No Deal” Scenario, the UK government has affirmed that the General Data Protection Regulation (GDPR) and UK Data Protection Act (2018) will continue to govern personal data processed within the UK and personal data transferred from the UK to the EU. This means that UK organisations can:
- transfer personal data to one another, and
- transfer personal data to their counterparts in EU Member States.
The main sticking point will be personal data transferred from organisations or partners in EU Member States to UK counterparts.
In a “No Deal” scenario, the UK would become a third country, like, for example, the USA or Australia, and the principles under Article 44 of the GDPR would apply.
According to the Information Commissioner’s Office (ICO), if the UK becomes a third country, UK organisations will only be able to lawfully receive personal data from organisations in EU Member States if one of the following applies:
- The European Commission makes an “adequacy decision” about the UK’s data protection legal framework. This decision could be issued if the European Commission certifies that the UK ensures a level of protection of fundamental rights and freedoms and that this is essentially equivalent to the guarantees ensured by law in the EU.
- The UK organisation and their EU counterpart work together to define a legal basis for transferring personal data that guarantees the rights and freedoms of individuals whose data is being transferred.
- The organisation in the EU Member State relies on a specific exception for transferring the data outside of the EU.
With respect to option 1, the UK Government reports that the European Commission will not consider whether the UK’s legal framework for Data Protection is adequate until after the UK leaves the EU (March 2019). Although an “adequacy decision” would be likely, this option will be unavailable in the interim between March 2019 and when the decision is reached.
With respect to option 2, most UK organisations will have to rely on standard contractual clauses to create a legal basis for receiving personal data from a European partner. Standard contractual clauses are “model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract”. Organisations in EU Member States will have to work proactively to adjust each individual contract to ensure the transfer outside of the EU is lawful. However, a sticking point here is that the Commission has not yet approved any GDPR-compliant standard contractual clauses. The most recent versions are from 2010 and are compliant with the Data Protection Directive 95/46/EC rather than the GDPR. While these 2010 versions can be used at present, they will need to be adjusted once the Commission approves new standard contractual clauses.
Under option 3, the organisation in the EU Member State must consider whether the data transfer outside the EU is subject to any specific exception, including:
- Adjusting their consent mechanisms to collect explicit consent from each data subject for their personal data to be transferred outside the EU. Note: Consent must be revocable and all other legal requirements related to consent would apply.
- Stop transferring data regularly, and only transfer data occasionally for the purposes of either performing a contract with an individual or performing a contract that directly benefits the individual whose data is being transferred. Note: Regular transfers are not covered under this exception. (Other exceptions are outlined here)
In summary, analysing all this information demonstrates that it will be very difficult for UK organisations to lawfully and regularly receive personal data transferred from partners in EU Member States after March 2019 in a “No Deal” Brexit scenario. The best case scenario that would leave no gaps, reduce legal uncertainty and organisational costs is for the European Commission to prioritise the development and approval of GDPR-compliant standard contractual clauses and for EU and UK partners to pre-emptively develop and implement contracts accordingly.
In the interim, EU organisations wishing to reduce their risks as far as possible should (1) negotiate new contracts with their UK partners using the 2010 standard contractual clauses and (2) immediately update their legal contracts with UK organisations once GDPR-compliant versions are released. However, the interim contracts must consider requirements emerging from the GDPR in addition to the 2010 standard contractual clauses and some risks will remain.
If the UK and EU governments reach a Brexit deal, these steps may become unnecessary. However, organisations should proactively prepare for a “No Deal” Brexit if they wish to cover all eventualities and ensure there are no gaps in their business processes in the event of a UK exit from the EU without a deal.
Visit our Data Governance and contact our team for more information.