Many businesses in the UK and the EU are reliant on the free flow of personal data between the UK and the rest of the EU. This will be especially true of any who trade or provide services across borders or who use data centres in other parts of the EU. So what will happen if the UK leaves the EU without a deal? Will data continue to flow freely or will it become instantly unlawful to transfer data?
If the UK leaves the EU without a deal then it is likely that the immediate effect in the majority of cases would be that personal data could not be lawfully transferred from the European Economic Area (EEA) (which is the area covered by EU data protection regulation) to the UK and there would be an instant disruption of data flows. This is because the UK would become a “third country”, i.e. a non-member of the EEA. For personal data to flow freely to a third country from the EEA, the EU Commission needs to have made an “adequacy decision”, which is a unilateral decision that would need to be made following a process which would scrutinise the adequacy of data protection regulation and enforcement in the UK. There is no adequacy decision currently in place (as it is not necessary while the UK remains in the EU) and it would take some time for a decision to be made. There is no guarantee that an adequacy decision would be granted in respect of the UK and, even if one is made in the future, it will be reviewed periodically and can be withdrawn by the EU Commission or overruled in the Court of Justice of the EU.
Conversely, the UK government has indicated that even if there is a no-deal Brexit it intends to recognise the EU’s data protection regime as adequate, which would have the result that transfers of personal data could continue to be made from the UK to the EU.
So, what can businesses do to ensure the free flow of personal data that is required in their business from the EU to the UK? Outside of an adequacy decision, personal data can be transferred to third countries where there are applicable standard contractual clauses in place or binding corporate rules.
Standard contractual clauses are sets of clauses that have been approved by the EU which enable transfers between data controllers and data processors or between data controllers and data controllers and can be used with third-party companies. They can therefore be used to facilitate many commercial relationships and many large suppliers will already have these in place within their standard terms. However, the standard contractual clauses are in standard form and cannot be amended, meaning that they are not always appropriate to every situation. They must also be put in place for each controller-controller and controller-processor relationship and must be agreed to by both parties, so for businesses with complex data flows they may be very cumbersome to implement. Nonetheless, they may be the only immediate way post-Brexit to ensure that data can continue to be transferred.
Binding corporate rules are primarily for multinational groups of companies, who must apply to a data protection authority within the EEA to approve the rules, which will facilitate data transfers within the group. Implementing binding corporate rules can be a costly and lengthy process (potentially costing £250,000 and taking several years), so is unlikely to be a viable solution in the short term or for any but the largest companies.
Businesses would be well advised to undertake a review of their current data transfers and consider what cross-border data flows they are currently reliant upon. Businesses should prepare for the possibility of a no-deal Brexit and consider whether there are any practical steps that can be taken to mitigate the potential impact. Where businesses will need to continue to rely upon transfers of data from the EEA post-Brexit, the most pragmatic solution for most will be to implement standard contractual clauses where possible, particularly for key transfers of personal data, in order to ensure that data can continue to flow post-Brexit.
We recently held a GDPR Compliance Seminar covering many areas, specifically the impact of Brexit and how it will affect GDPR going forward. Businesses who attended were reassured by our expert speakers and left feeling ready for all eventualities. For more details on GDPR, Brexit and the continuation of data protection laws please refer to our Data Protection & GDPR article.
If you are worried about how a No-Deal might impact your data, get in touch with our specialist Brexit team who’ll be here to guide you and explore all options available for you and your company.
You can email or call on 0161 941 4000 at any time to reach them. We are here to help you.