UK business needs to act now to ensure that in the event of a “no deal” Brexit it can continue to receive personal data from the EU by putting alternative measures in place to safeguard these transfers.
With the General Data Protection Regulation (GDPR) having recently passed the six-month milestone, Brexit brings a new challenge for data privacy in the UK. Even if Theresa May’s Withdrawal Agreement does somehow scrape through the Commons, the future shape of relations between the EU and the UK is less than certain, and an area of particular concern is that of data protection and personal data transfers.
The impact of a “no deal” Brexit
Whether or not a deal is achieved between the EU and UK prior to 29 March 2019, there will be no immediate change in the way that data is handled in the UK upon exit.
The draft Withdrawal Agreement provides that the GDPR will be incorporated into English law to sit alongside the Data Protection Act 2018 following our departure from the Union, and the position will be substantially the same in a “no deal” scenario, with the GDPR remaining part of UK law. Either way, the legal framework itself will remain the same.
In contrast, the framework governing transfers of personal data from the EU to the UK will undergo a notable change. If there is a deal along the lines of the current draft Withdrawal Agreement then that change will be deferred until at least the end of the transition period and after that it will depend on what arrangement the UK and the EU come to. If there is a “no deal” Brexit the change will be immediate.
The practical effect of this change is that it will become more difficult to receive personal data in the UK from the EU. In its guidance entitled “Data protection if there’s no Brexit deal”, the Department for Digital, Culture, Media and Sport provided that ‘in recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.’ There is however no equivalent statement from the EU and in fact, as we will discuss a little later, the EU’s position may be markedly different.
Keeping data flowing
Put starkly, if there is a “no deal” Brexit, then come 29 March 2019 European businesses will not legally be able to transfer personal data to the UK, which will become a ‘third country’. This is obviously a serious business and presents a major risk to UK trade. One of the following would need to happen in order for a data transfer from the EU to take place:
- Organisations adopt one of the legal safeguards set out by the GDPR, for example, standard contractual clauses, or
- The UK has the benefit of an “adequacy decision” from the EU Commission, i.e. the UK is considered by the European Commission to have adequate safeguards in place in relation to the protection of personal data.
We look at the two most obvious solutions below.
Standard contractual clauses
The standard contractual clauses are the European Commission approved data protection clauses that are embedded into a contract between data exporter and data importer and consequently allow data to flow freely between countries.
By adopting the clauses, contractual obligations are placed on the UK and EU parties, and provisions relating to the rights of individual data subjects are also incorporated. This is likely to be the easiest and quickest way of safeguarding data flows post-Brexit. It is not, however, a perfect solution. The clauses are relatively inflexible and do not apply to processor-processor (sub-processor) transfers.
An alternative to the adoption of standard contractual clauses is a finding of adequacy by the European Commission. In order for this finding to be made, the European Commission would have to deem the level of personal data protection given by the UK to be equivalent to that found in the EU, a process which would be seemingly straightforward considering the GDPR will be incorporated into UK law. On the contrary, there are a number of potential obstacles that could prevent an adequacy decision being reached, one of which is the Investigatory Powers Act 2016.
Additionally, the European Commission has been somewhat vocal about the fact that any assessment of whether the UK data protection regime is adequate could only begin at the time of exit, presumably to encourage a deal to be agreed prior to the prescribed date. This is concerning due to the timescales involved, with many adequacy assessments taking months at the minimum and some, such as that being sought by Japan at present, taking years.
The UK government’s recommendation to UK business is that it should “…proactively consider what action you may need to take to ensure the continued free flow of data with EU partners”.
Presently, the outcome of the Brexit negotiations is largely unpredictable and, as a result, it would be prudent for UK organisations to prepare for the worst-case scenario and conduct an audit to identify the number of contracts that require EU-to-UK data transfers. In doing so, organisations should be in an advantageous position going forward and aware of the contracts which will need to be amended if the UK leaves the EU without a deal that makes provision for data privacy.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.