The wheels are set in motion for the UK to leave the EU on 31st January and enter a transitional period due to end on 31st December 2020. During this period, negotiations between the UK and the EU will continue with a view to reaching a trade agreement; however, this is not guaranteed.
Leaving without a trade agreement means that the UK will become a “third country” and the free flow of data across borders will no longer be permitted. With that, companies must prepare for a no-deal Brexit and ensure that they are able to orienteer the shifting sands of the data protection landscape.
Data protection in the UK is governed by the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), an EU regulation. Although the GDPR will be incorporated into UK law during the transitional period, over time UK legislation may naturally diverge from EU law. However, the EU regulations will continue to apply directly to a business which:
In this two-part series we look at two scenarios concerning data protection should the UK leave the EU without a trade agreement:
The Government has confirmed that, after Brexit, transfers of data from the UK to the EEA will be permitted, although this will be kept under review.
If the transfer from the UK is not to the EEA then you may be able to rely on certain mechanisms to ensure data protection compliance, which include so-called adequacy decisions, appropriate safeguards or an exception (discussed further below).
A transfer will be permitted if it is covered by the new UK adequacy regulations. These regulations will set out which countries, territories or international organisations have an adequate data protection regime in place, and therefore to which of them data transfers will be permitted.
The government intends to recognise the EU adequacy decisions made by the European Commission.
UK organisations will also be able to rely on the EU/US Privacy Shield Scheme for the transfer of personal data to registered entities within the US, but only in instances where the US entity has updated its privacy notice to expressly extend protection to transfers from the UK.
If your business cannot rely on an adequacy decision or the Privacy Shield for the transfer of personal data, then other appropriate safeguards must be relied upon. The most convenient appropriate safeguard for many businesses will be to use standard contractual clauses (SCCs).
SCCs set out the required standards for the protection of personal data and contractually bind the parties to these standards. SCCs are a vital tool in the data protection arsenal to ensure the consistent application of the GDPR’s requirements and standards for cross-border data transfers and are considered essential for many businesses as they make their preparations for a post-Brexit world.
The Advocate-General (AG) has recently provided his opinion on the adequacy of the data protection provided by SCCs in the Facebook Ireland v Schrems case. Max Schrems, a privacy activist, argued that the use of SCCs to transfer data from Europe to the US failed to offer adequate data protection.
The AG has advised that SCCs provide an adequate level of protection for personal data. This is because they include an obligation to suspend or prohibit the transfer of data if the obligations set out in the SCCs cannot be complied with as a result of a conflict with obligations imposed by the law of the third country to which the data is to be transferred. Whilst the position is not final until it is referred to the European Court of Justice (ECJ) for judgment, the ECJ invariably follows the opinions of the AG and this therefore offers welcome comfort to the many businesses who have implemented SCCs as part of their Brexit preparations.
The EU has confirmed that transfers of personal data from the EEA to the UK post-Brexit will be restricted. This will have a major impact on any organisation that transfers personal data from the EU to the UK, including organisations which are UK-based but which provide their services to customers in the EU.
Restricted transfers from the EEA to the UK will be permitted if they are covered by an EC adequacy decision, or if an appropriate safeguard is in place. For the European Council to reach an adequacy decision, they must determine that the UK offers personal data an adequate level of protection, a decision which is currently being deliberated. The EU and the UK aim to complete the adequacy process within the transition period; however, if a decision is not reached by 31 December 2020, organisations in the UK will need to rely on binding corporate rules (a measure that is appropriate for multinational corporate groups) or standard contractual clauses to transfer personal data from organisations in the EEA.
For many organisations the best approach will be to adopt SCCs (see Part 1) to ensure that data flows are validly protected, particularly as the Advocate-General (AG) has recently provided his opinion that these do offer an adequate level of protection for personal data in the Facebook Ireland v Schrems case.
And finally, keep up to date with any legal developments during the transition period.