GDPR and a No-Deal Brexit
Current GDPR guidelines and the cross border transfer of personal data
It feels like we have only just completed our compliance programme in relation to GDPR and data protection legislation in general. In relation to cross border transfers of personal data, these were, by and large, limited to EEA (essentially EU) countries, where you could rely upon similar laws and protections being in place, thanks to the GDPR’s reach across Europe.
Some businesses may have recognised that some of their contracts involved transferring personal data outside of the EEA in which case, additional measures were taken, often in the form of an agreement with the data recipient(s) or authorisation from the ICO (or other European regulatory data protection body). Once that task was accomplished, you moved on to other, more pressing routine matters, or so you thought.
The transfer of personal data after a no-deal Brexit
At 23.00 hrs (GMT) on 29 March 2019 EU law will no longer apply in the UK if there is no withdrawal agreement, no revocation of the Article 50 withdrawal notice and no extension of the Article 50 period.
This will have wide-reaching consequences for businesses in general, but in data protection terms, businesses that rely on the transfer of personal data between the UK and the EEA will be affected. Measures that have already been implemented for transferring data to non-EEA countries will not change, so transfer mechanisms adopted for these countries will largely stay the same and no further action need be taken at this stage.
With a no-deal Brexit, the UK government has stated that it will permit personal data to flow from the UK to EEA countries, but the transfer of data from the EEA to the UK will be affected. This is because the UK will be designated a “third country”, that is, a non-EU country, and we will be subject to the same restrictions on international data exports from the EU which apply to all other non-EU countries.
On the basis that the UK has demonstrated its commitment to the principles of the GDPR by enshrining it in the UK Data Protection Act 2018, it is reasonable to assume that we are well positioned to achieve adequacy status, as our protections for the transfer of data are parallel to those of our European neighbours. This does not, however, prevent amendment to this law over time. We will need to wait and see if an adequacy decision follows the outcome of our Brexit negotiations, thereby maintaining the status quo.
The UK is pushing for a designation that actually goes beyond the current adequacy arrangements, seeking an “adequacy plus” determination, but these arrangements don’t happen overnight and usually follow a rather long, drawn-out procedural process. As such, it is unlikely that such a designation will be achieved by the end of March.
This leaves us with a rather complicated process for achieving the same ends. The possible solutions will vary from one business to another, although the range of solutions will increase the more reach and data-heavy the business has. A “one size fits all” approach will not work here, and guidance should be sought on the most suitable mechanism for your business to adopt.
The data export solutions available to make transfers between the EU and the UK are as follows:
- Adequacy Decision: the European Commission considers that our data protection laws provide an “adequate” level of protection for EU nationals;
- Standard Contractual Clauses (SCC) issued by the European Commission: non-negotiable clauses for businesses involved in the transfer of data (sender and receiver of personal data);
- Binding Corporate Rules (BCR): used by companies with branches in other countries where internal overseas transfers of personal data are made within a corporate group; these must be approved by the ICO;
- Approved Codes of Conduct: prepared by the business and approved by the ICO and the European Data Protection Board (EDPB). Breaches of the Code may result in significant fines aligned with GDPR enforcement powers;
- Approved Certification Mechanism: prepared by a business to establish appropriate safeguards, where the receiving party makes binding and enforceable commitments to apply the appropriate safeguards, including those in relation to data subjects’ rights;
- Privacy Shield: used for transfers to US organisations that have signed up to this certification scheme. If this framework is in place, the organisation is deemed to have an “adequacy finding”.
If your business operates in Europe (and this includes third party suppliers or processors with whom you share personal data) then you will need to comply with both the UK and EU data protection regimes and may need to appoint a representative for both jurisdictions. This would be a requirement where you offer goods or services to individuals in the EEA and where the data processing is regular, high-risk and/or involves special category (sensitive) data or criminal offence data on a large scale.
There are some general exceptions to using one of the above solutions, and these are called “derogations” under data protection legislation. These are circumstances where, for example, the transfer is necessary for the performance of a contract with the data subject or where explicit and informed consent has been given by the individual. But if one of these exceptions can’t be satisfied then the default position is that one of the transfer instruments must be adopted.
As there is a general shift away from relying on the consent of the individual due to its precarious nature (it is easily revoked), this presents yet another barrier to the data flow procedure for organisations when dealing with international transfers.
What can UK businesses do at this point to prepare for a no-deal Brexit?
The ICO suggests a number of actions that can be implemented to prepare for a no-deal Brexit. These are:
Louise Weatherhead is a Solicitor in the Corporate and Commercial team at Sintons. If you have any questions about this article, you can contact her on 0191 226 3699 or Louise.Weatherhead@sintons.co.uk.