Data Transfers after a “no-deal” Brexit – our practical advice
Businesses which transfer personal data from outside of the UK need to take steps to ensure those transfers continue to be lawful if the UK exits the EU on 29 March without a “deal” (i.e. not having agreed the current (or an alternative) draft Withdrawal Agreement and Future Relationship document). The first step is to identify your data flows, to understand where you are receiving data in from the EU, and where you are transferring data out of the UK.
Transfers of data from the EU to the UK (“transfers-in”)
In a “no-deal” scenario, the UK will immediately become a “third–country” for the purposes of EU data protection rules. Transfers of personal data to non-EU countries are only permitted in the following circumstances:
- if the EU considers that country has adequate protections in place to ensure the protection of personal data – like Switzerland and more recently Japan
- the third-country has “safe-harbour” (“Privacy Shield”) arrangements in place which its businesses can sign-up to (in which case transfers to those businesses who have signed up will be covered). Currently only the US has this.
- for intra-group transfers, the group companies have agreed a set of “Binding Corporate Rules” which have been approved by the ICO (or the supervisory body of another EU country) and then adjusted to make reference to the UK as a third country; or
- the parties have agreed the “standard contractual clauses” (also known as “the Model Clauses”) will apply to the data transfers.
There is little possibility of the UK receiving an “adequacy ruling” before the end of March, and there is no “safe-harbour” framework for the UK, so this means outside of the minority of corporate groups which have formal Binding Corporate Rules in place, EU based businesses will only be able to continue to transfer personal data to those UK businesses which have signed up to the Model Clauses.
Compliance risk on this is an issue for the EU business transferring the data, but in order to avoid potential disruption to your business that may be caused by any suspension in data flows, it may be worth contacting your business partner to put in place Model Clauses to cover your transfers, even if your partner hasn’t raised the issue yet. This is not usually an overly difficult or time-consuming exercise.
A word on the Binding Corporate Rules. As following Brexit the UK’s ICO will no longer be a lead supervisory authority, it won’t be able to approve new Binding Corporate Rules. Groups wishing to either make a new application or those whose applications are at review stage, will need to identify a new authority to apply to. The choice of lead authority depends on the location of the EU headquarters of your company or the location within Europe of that part of your company best placed to take responsibility for global data protection compliance. ICO guidance on this can be found at: https://ico.org.uk/for-organisations/binding-corporate-rules/.
Transfers from UK businesses to businesses outside of the UK
Transfers to EU and EEA Businesses
These should be able to continue in the same manner as today without the need for amendment.
Transfers to the US
The ICO has advised UK organisations relying on safe harbour to transfer data should check the US organisations’ public commitments to comply with the Privacy Shield to ensure these expressly state that those commitments apply to transfers of personal data from the UK, not just the EU. More information on what this entails is available here.
Transfers to the Rest Of the World
The UK Government has committed to ensuring the same level of protection for personal data post Brexit and as such is bringing the GDPR into UK law without material changes. So transfers of personal data to countries outside of the EU and US will continue to be regulated as they currently are –therefore not permitted unless to a country which the EU has ruled has “adequate” protection, or where protection is afforded via Binding Corporate Rules or Model Clauses.
Watch this space?
Even if not trading with the EU post Brexit, businesses who deal with the personal data of EU individuals (including as employees) may be directly subject to the GDPR anyway (due to the extra-territorial effect of the GDPR) and if so will need to appoint a representative in the EU to act as the main contact for any questions and concerns regarding data protection from any EU citizen or any data protection supervisory authority.
The US Safe Harbour has been subject to criticism from EU regulators in the past, and the Model Clauses are currently the subject of a legal challenge. Also, Binding Corporate Rules previously agreed by the ICO are potentially subject to rejection by EU Member States who may no longer recognise the ICO’s opinion. However, at present businesses need to rely on the existing mechanisms as the only available solutions to keep data flowing.
For more information about data transfers after Brexit, please contact Kathryn Rogers at firstname.lastname@example.org or 01892 506 147.