On 13 September 2018 the UK government’s Department for Digital, Culture, Media & Sport published a notice, Data Protection If There’s No Brexit Deal (the Notice). The Notice sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EEA in the event that the UK leaves the EU in March 2019 with no exit agreement in place. If this happens, there would be no immediate change in the UK’s own data protection laws because the Data Protection Act 2018 would remain in place and – more importantly – the UK’s European Union (Withdrawal) Act 2018 would incorporate the GDPR into UK domestic law.
Under the GDPR, organisations are only permitted to transfer personal data outside the EEA if certain conditions are met. The least onerous route for the exporting entity is where the third country to which the proposed transfer is to be made has an adequate data protection regime in place, as assessed by the EU Commission in making an “adequacy decision”.
Once the UK becomes a third country by virtue of Brexit, EU organisations wishing to continue to send personal data to the UK will typically want to rely on such an adequacy decision. Conversely, under UK data protection law (as it currently stands), personal data could continue to flow from the UK to the EEA on the legal basis that EU data protection law is already adequate (in terms of the requirements of UK legislation). The Notice clarifies that this is how the UK government will interpret the export requirements under UK (although it notes that it will keep this under review).
The European Commission has stated that, if it deems the UK’s level of personal data protection essentially equivalent to that of the EU, it would make an adequacy decision, allowing the transfer of personal data to the UK without restrictions.
However, if the European Commission has not made an adequacy decision regarding the UK at the point of Brexit (which is certainly possible in the event of a no-deal Brexit), the Notice suggests that UK businesses wishing to receive personal data from organisations established in the EEA should consider assisting its EEA counterpart in identifying an alternative legal basis for the EEA to UK transfers.
For the majority of UK businesses, the Notice suggests that the most relevant alternative legal basis for transfer to the UK would be the EU standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when included in a contract. The clauses contain contractual obligations on both the recipient of personal data (in this context, a UK business) and the EEA counterpart, and provide for directly enforceable rights for the individuals whose personal data is transferred in certain circumstances.
Given the inflexible nature of the EU data protection export regime and the time and effort it can take to re-paper data processing or sharing agreements, UK businesses should start to review client, business partner and intra-group agreements with EEA counterparties and consider incorporating EU standard contractual clauses covering data flows from the EEA counterparties to the UK now. These standard contractual clauses should bite should there be a “no deal Brexit” and the UK becomes a third country without an adequacy finding.
Businesses should also consider their contingency positions if personal data is unable to flow as freely from EEA subsidiaries to parent companies or European HQs established in the UK as it does today. For example, initial reviews for e-discovery for US litigation or regulatory disclosure might need to be undertaken in an EEA country rather than in the UK in these circumstances.
The work that businesses have undertaken to understand and map their processing to comply with the GDPR will make identifying impacted personal data operations more straightforward.
For more information on the Notice and the UK government’s guidance, see DCMS advises regarding continued UK-EU data flow upon a no deal Brexit.