The Data Protection Commission (DPC) has issued guidance in relation to the transfer of personal data to and from the UK in the event of a ‘no deal’ Brexit. The DPC’s guidance is in line with the ‘no deal’ Brexit guidance published on 13 December 2018 by the UK Government (supplementing its September 2018 Technical Note) and by the UK Information Commissioner’s Office (ICO). Some highlights of the guidance issued by the Irish and UK regulators, and UK government, are set out below.
Personal data flows from the UK to the EEA (including EU Member States) and Gibraltar
The UK Government has made it clear that the current practice which permits personal data to flow freely from the UK to the EEA (including EU Member States), and Gibraltar, will continue in the event of a ‘no deal’ Brexit.
Personal data flows from the EEA to the UK
Companies will need to start considering what mechanisms to put in place to ensure that personal data can continue to lawfully flow from the EEA to the UK from 30 March 2019. Without the Withdrawal Agreement, the UK will become a ‘third country’ for the purposes of EU personal data transfers from 30 March 2019. The GDPR requires companies who transfer personal data to a recipient in a ‘third country’ (i.e. a country outside the EEA) to put in place a transfer mechanism under Chapter V of the GDPR, such as the standard contractual clauses (SCCs), in order to lawfully transfer personal data to that non-EEA recipient. Whilst the UK intends to seek an adequacy decision from the European Commission recognising the UK’s data protection regime as essentially equivalent to those in the EU, (allowing data flows from the EEA to the UK without the need for an EEA-based organisation to adopt any specific transfer mechanism), an adequacy decision will not be in place before the UK leaves the EU. The European Commission has made it clear that a decision on adequacy cannot be taken until the UK is a third country.
Personal data flows from the UK to non-EEA countries
In respect of personal data flows from the UK to non-EEA countries, the UK government intends to preserve the effect of EU adequacy decisions made prior to exit day on a transitional basis. This means that transfers from UK organisations to Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay, can continue uninterrupted.
The UK will also continue to recognise the use of EU SCCs as a legal basis for data transfers from the UK in a ‘no deal’ scenario. After exit day, it is proposed that the UK ICO will have the power to issue new SCCs to facilitate transfers from the UK to non-EEA countries. In addition, the UK government will recognise binding corporate rules (BCRs) authorised under the EU process before the exit date as ensuring appropriate safeguards for transfers from the UK.
In conclusion, if the UK leaves the EU in March 2019 with no agreement in place regarding future arrangements for data protection, there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, made under the EU (Withdrawal) Act 2018 and Data Protection Act 2018, will incorporate the GDPR into UK law with the aim of ensuring that the UK legal framework for data protection functions correctly after exit day. The draft Regulations were laid before Parliament on 19 December 2018. UK organisations would continue to able to send personal data from the UK to the EEA, as the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EEA.
However, the legal framework governing transfers of personal data from organisations (or subsidiaries) established in the EEA to organisations established in the UK would change on exit, and organisations would need to take action to ensure they are able to continue to send UK organisations personal data.
It is vital that companies operating across the EU start taking steps now to review their structure, processing operations and data flows. Many companies have already been taking precautionary measures in case of a ‘no deal’ Brexit. The DPC’s guidance emphasises the importance of planning ahead, recommending that organisations start taking the following steps:
- Map the personal data currently being transferred to the UK.
- Determine if the transfers will need to continue beyond 30 March 2019.
- Consider which transfer mechanism best suits the situation and work towards having it in place by 30 March 2019.