Data protection post-Brexit – Deal or no deal?
The UK Government has produced a series of technical notices explaining what businesses might need to do if there is a “no deal” Brexit. While it considers this “unlikely given the mutual interests of the UK and the EU in securing a negotiated outcome”, the Government says it needs to prepare for all eventualities and suggests organisations should do the same. One of these notices concerns the crucial area of data protection and the possibility that, in a no deal scenario, the UK will not have secured an adequacy decision from the European Commission allowing the unrestricted transfer of personal data from the EU to the UK.
The UK Government’s notice, Data protection if there’s no Brexit deal, published on 13 September, explains that if the UK leaves the EU in March 2019 with no agreement in place regarding future arrangements for data protection, there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it. However, the legal framework governing transfers would change and organisations established in the UK would need to ensure EU organisations were able to continue to send them personal data. An adequacy decision from the European Commission, prior to Brexit, would make this unnecessary, but the Commission has stated that such a decision cannot be taken until the UK is no longer part of the EU. Although it would be the easiest option, an adequacy decision is not the only lawful method EU organisations will be able to rely on to transfer personal data to the UK.
Organisations in the UK should therefore be prepared for the eventuality of a no deal Brexit. This means, in the UK Government’s words, that “you proactively consider what action you may need to take to ensure the continued free flow of data with EU partners”. Some EU partners may be able to rely on a derogation which allows for unrestricted transfers but, in the majority of cases, the most relevant alternative would be to put in place standard contractual clauses adopted by the Commission between the UK organisation and its EU partner. These contain contractual obligations on the data exporter (EU partner) and the data importer (UK organisation), and rights for the individuals whose personal data is transferred. The UK data protection authority, the Information Commissioner’s Office, will, where necessary, produce additional guidance outlining the steps organisations would need to take and, as the notice states, EU organisations should seek guidance from their respective data protection authorities.
The UK Government’s notice is short and to the point. The worst case scenario is no deal and no adequacy decision, the latter arguably an inevitable consequence of the former. According to the Government, that is unlikely, but a Reuters poll put the chances of exiting without an agreement at one in four. The Government insists that it is ready to begin discussions with the European Commission on an adequacy assessment. Unfortunately, the European Commission has “not yet indicated a timetable”. The possibility that these discussions will not begin until the UK is no longer part of the EU could mean, deal or no deal, that at least in the short term, organisations receiving personal data from the EU will face a legal lacuna. They should therefore give serious consideration to how they and their EU partners might fill it.