As announced earlier this summer, the UK Government has been publishing a series of Brexit ‘no deal’ technical notices. The notices contain information about some of the potential impacts of a ‘no deal’ scenario, and identify steps that could mitigate them. Our briefing on the Government’s approach to no-deal planning is available on our Brexit Hub. This update covers the guidance issued by the Government in respect of data protection.
Unlike some of the other ‘no deal’ technical notices, the notice on data protection may also be relevant where a deal is reached with the EU as arrangements in relation to data protection during the transition period are still to be agreed.
What rules currently govern data protection?
Data protection law in the UK is governed by the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018, which came into force in May 2018. You can find out more about GDPR on our GDPR Hub.
Of particular importance in relation to Brexit is the restriction on transfers of personal data outside the EU. On 29 March 2019, the UK will become a third country, unless there is a specific agreement to the contrary.
GDPR states that transfers of personal data outside the EU are permitted only where there is a legal basis for doing so. Potential legal bases include:
- that the European Commission has determined that the country or territory provides an adequate level of protection for personal data (an “adequacy decision”)
- that the data exporter and the data importer are subject to binding corporate rules (BCRs) that have been approved by a national supervisory authority
- that the data exporter and the data importer have entered into the standard contractual clauses (SCCs) approved by the Commission for transfers of personal data outside the EU
These rules apply regardless of whether the transfer is a controller-to-controller transfer or a controller-to-processor transfer.
It is therefore important that organisations that transfer personal data between the UK and the rest of the EU identify what steps they need to take to ensure that those transfers can continue in the absence of an agreement on data protection law.
Data protection law in the UK if there is no deal
Under the European Union (Withdrawal) Act 2018, EU derived law such as GDPR will become part of UK domestic law. There would be no immediate change to data protection law in the UK. This would also be the case in the event of a “deal” scenario.
Transfers of personal data from the UK to the EU
The technical notice states that organisations in the UK will be able to continue to send personal data from the UK to the EU, as is currently permitted under GDPR and the DPA 2018. While no immediate change in the law is planned, the notice states that this arrangement would be subject to review by the UK.
If an organisation in the UK shares personal data with an organisation in the EU (for example, a provider of cloud computing services in Germany, or a parent company in France) then no additional action needs to be taken.
Transfers of personal data from the EU to the UK
Organisations that transfer personal data from the EU to the UK should start identifying what work is required to implement SCCs between the relevant entities so that these can be in place for 29 March 2019.
The reason for this is that, unless there is agreement to the contrary, on 29 March 2019 the UK will become a third country for EU data protection law purposes. While an adequacy decision is the UK Government’s desired outcome, the process by which the Commission makes an adequacy decision is independent of the negotiation of trade deals and is not automatic.
While the UK Government is hopeful that the continued application of GDPR in the UK should simplify the process for obtaining an adequacy decision, the EU has stated that an adequacy decision cannot be made until the UK is a third country. The technical note further confirms that discussions between the UK and the Commission have yet to commence.
What other approaches are available?
As an alternative to SCCs, where the UK and EU organisations are part of the same group, they may wish to look at putting in place BCRs. However, BCRs take time to develop and get approved and it is unlikely that there will be time for new BCRs to be approved prior to 29 March 2019.
Any organisation looking at BCRs for transfers from an EU entity to a UK entity should also bear in mind that upon Brexit the ICO will lose its power to act as lead supervisory authority on the approval of new BCRs.
Is there anything else I need to know about the SCCs?
The Government’s technical note does not mention two issues with the SCCs that organisations should keep in mind when deciding on their strategy for international transfers of personal data.
Firstly, the current SCCs were approved under the old, pre-GDPR regime. It is expected that the SCCs will be updated to reflect GDPR, but the Commission has not yet published any proposals on this.
Secondly, and perhaps the reason for the delay in the Commission issuing updated SCCs, the compatibility of the SCCs (and the Commission’s approval of the US Privacy Shield Scheme) with EU data protection law is being challenged in the Irish courts. This litigation follows the ruling by the European Court of Justice in 2015 that the Safe Harbor scheme for transfers of personal data to the United States was incompatible with EU data protection law.
The technical note focuses primarily on transfers of personal data between controllers. It does not consider the impact of Brexit on UK organisations that offer goods or services to data subjects elsewhere in the rest of the EU or otherwise monitor their behaviour.
Upon Brexit those organisations will be subject to the extra-territorial provisions of GDPR, including the requirement to appoint a representative in the EU. As a consequence, those organisations will be subject to both the DPA 2018 in the UK and GDPR in relation to data subjects in the EU. They may also have to deal with multiple supervisory authorities: the ICO in the UK and one or more supervisory authorities in the EU.
If your organisation is likely to be caught by the extra-territorial provisions of GDPR then you should identify the steps that you will need to take to prepare for Brexit.
Organisations that transfer personal data from the EU or are subject to the extra-territorial provisions of GDPR should start identifying now the steps that they need to take to prepare for the UK ceasing to be a member of the EU.
We will produce further guidance on data protection developments in due course, so keep an eye on our Brexit Hub.
On September 14, 2018