No-deal Brexit - a data dilemma
Author: Paul Herbert
With the UK due to leave the EU on 29 March 2019 and no deal having yet been made, there is increasing concern over the possible impact of a ‘no-deal’ Brexit.
Following MPs’ rejection of Theresa May’s proposed deal, she appears to be maintaining her stance that it is either “This Deal or No Deal”. There is still a great deal of animosity and lack of consensus in Parliament and with MPs due to vote on the deal on 12 March 2019, there is little time for further negotiations before the 29 March 2019 deadline. This has led many to believe that the UK could be left with a no-deal Brexit.
So what could a no-deal Brexit mean for the UK’s data protection laws and how can you prepare for this scenario?
The Data Protection Act 2018 is the primary piece of legislation in the UK and ensures that the GDPR has effect in the UK.
One of the purposes of the GDPR is to restrict and regulate transfers of personal data outside of the EU. Personal data can only be transferred outside the EU to third countries or international organisations in compliance with the conditions set out in Chapter V (Articles 44-50) of the GDPR. Once the UK leaves the EU in March 2019, we will be considered a third country, which leads to concerns over where this will leave us in relation to data sharing with the EU.
So what happens post-Brexit?
Once the UK leaves the EU, the Data Protection Act 2018 will remain in place and the EU Withdrawal Act 2018 incorporates the GDPR into UK law to sit alongside it.
The Government has published guidance on the effect of a potential no-deal Brexit on data protection. It confirms that personal data can still be sent from the UK to the EU, but potential problems could arise where data is transferred from the EU to the UK.
The general rule is that organisations are only permitted to transfer personal data outside the EU if they can demonstrate to the European Commission (EC) that the recipient can provide an ‘adequate’ level of protection – i.e. one that offers an equivalent level of protection to that within the EU. However, the EC has said that it will not make any decisions on adequacy until we have officially left the EU and are a third country.
As the UK will adopt the GDPR into domestic law, this should be a mere formality. However, if the EC does not make an adequacy decision regarding the UK at the point of exit and UK companies want to continue receiving personal data from organisations established in the EU (whether from other European companies or subsidiaries, or from EU data centres), then they need to identify an alternative legal basis for those transfers until such time as the EC makes an adequacy decision.
How to prepare for a potential no-deal Brexit?
For the majority of organisations the most relevant alternative legal basis for data transfers would be standard contractual clauses. These are model data protection clauses that have been approved by the EC and enable the free flow of personal data when incorporated in a contract. These model clauses are available on the EC’s website - https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en. However, it is important to note that these clauses cannot be modified and must be signed as provided.
Should your organisation want to modify or adapt these standard clauses, the result will be considered ad-hoc contractual clauses. These can also be an effective means of enabling the free flow of data, but legal advice should be sought on the wording and use of such ad-hoc clauses.
In order to enable the continuous flow of data between your organisation and the EU, it is recommended that you include a provision for data sharing in any contracts with counterparties in the EU. The Information Commissioner’s Office (ICO) has a number of model contract clauses for the international transfer of personal data which should be considered.
If your company is part of a multinational group, an alternative gateway is the use of Binding Corporate Rules (BCRs). BCRs are data protection policies adhered to by a group of companies in order to provide the appropriate safeguards for transfers of data within the corporate group. It is important to note that BCRs must be approved by the relevant competent national supervisory authority.
The benefit of using BCRs is that they avoid the challenge of having to put a matrix of contracts containing the standard contractual clauses in place, and once implemented they are easier to maintain than stand-alone contracts. However, the requirements for BCRs are very prescriptive and the process is lengthy and costly.
If your company already has BCRs in place which were certified by the ICO, these may not be recognised by the EU supervisory authorities post-Brexit.
It is important that your company and board are aware of these issues and seek advice on how best to approach their data handling in the coming weeks to ensure there is no interruption to data flow.
Should you wish to have more information on these or any other topics mentioned in this article, please get in contact with us.
This guide is for general information and interest only and should not be relied upon as providing specific legal advice. If you require any further information about the issues raised in this article please contact the author or call 0207 404 0606 and ask to speak to your usual Goodman Derrick contact.