On 13 September 2018, the Department for Digital, Culture, Media and Sport (“DCMS”) issued guidance on the implications for data protection if the UK exits the European Union (“Brexit”) with “no deal”, and what actions organisations should take. In this article, we will outline the current procedure for transferring personal data between the EU and the UK, and how this could change if the UK does not reach a deal with the EU by 29 March 2019.
What happens now?
Currently, if there is a transfer of personal data between the UK and the EU, it is governed by the EU General Data Protection Regulation (“GDPR”). Subject to these provisions, personal data can move freely between parties based in EU member states. As the UK currently is an EU member state, there is no issue with the transfer of personal data to and from other countries in the EU.
What if there is a “no deal” Brexit?
In the scenario of a “no deal” Brexit, there would be no immediate change in the UK’s own data protection standards because the Data Protection Act 2018 would remain in place on exit and the GDPR would be incorporated into UK law by the EU (Withdrawal) Act 2018. The DCMS has confirmed in its guidance that the free transfer of personal data from the UK to the EU would be permitted. This will remain under review by the UK Government.
However, the legal framework would change for organisations established in the EU that wish to transfer personal data to organisations established in the UK. EU organisations would need to take action to ensure that they are able to send personal data to UK organisations, as the UK would be deemed a “third country” under the GDPR.
Chapter V of the GDPR provides the methods by which transfers of personal data to the UK (as a third country) can be permitted under GDPR.
Adequacy Decision
The first of these, and the most favourable for UK-based data controllers and processors, is an “adequacy decision”. This is where the European Commission (the “Commission”) decides that a third country’s data protection laws provide an adequate level of protection for data subjects, so that personal data can be transferred to that country freely. The Commission has stated that an adequacy decision could be granted to the UK following its exit from the EU if the UK’s regime were deemed “essentially equivalent” to that of the EU. However, the Commission will not take the decision on adequacy until the UK is a third country, and the decision is not guaranteed. At this stage, it would not be advisable to assume that an adequacy decision can be relied upon at the point of exit, and you may therefore wish to consider appropriate safeguards for EU to UK transfers.
Appropriate Safeguards
Model Clauses
If the UK does not obtain an adequacy decision, those looking to transfer personal data from the EU must then consider whether the transfer can be made subject to the “appropriate safeguards” listed in the GDPR. The DCMS states that the most relevant of these for EU to UK transfers would be the standard contractual clauses adopted by the Commission (the “Model Clauses”). Sets of these clauses are available to govern: (i) the transfer of personal data from an EU controller to a third country processor; and (ii) the sharing of personal data between an EU controller and a third country controller.
However, the Government has not provided any guidance on the transfer of personal data from an EU-based processor back to a UK-based controller, and there are no Model Clauses to govern this relationship. Bespoke contractual clauses may therefore need to be put in place as a safeguard. These must be authorised by the supervisory authority of the EU-based organisation that wishes to share personal data with the UK-based organisation, which is not a particularly practical solution. The European Data Protection Board (“EDPB”) is expected to provide guidance on the territorial scope of the GDPR shortly, which may shed further light on this issue.
Binding Corporate Rules
Binding Corporate Rules can be used for the transfer of personal data to third countries, but only for transfers between companies in the same corporate group. They must be approved by a supervisory authority, and they specify the details of the transfers to be undertaken and the data protection principles that will be applied to them.
Legally binding instrument between public authorities
An appropriate safeguard is considered to exist where there is a legally binding and enforceable contract or other legal instrument in place between public authorities or bodies. To count as a safeguard for the purposes of the GDPR, the instrument must provide enforceable data subject rights and effective legal remedies for data subjects. This provision is only available for transfers of data between public bodies or authorities.
Derogations
In certain circumstances there are a number of derogations that may be relied upon to transfer personal data to a third country. These include the explicit consent of the data subject, the transfer being necessary for the performance of a contract, and the transfer being necessary for important reasons of public interest. The derogations depend heavily on the specific circumstances and would have to be considered on a case-by-case basis.
Comment
Ideally, in the event of a “no deal” Brexit, the Commission will make an adequacy decision which will allow the free flow of personal data from the EU to the UK. However, it would be prudent to consider your current arrangements with EU-based entities and identify where there are transfers of personal data from the EU to the UK which may require appropriate safeguards, such as standard contractual clauses, to be put in place if an adequacy decision is not forthcoming.