The possibility of a no-deal Brexit continues to be a real risk and many businesses are looking at what they need to do to prepare for this.
A key consideration is to ensure that data flows with group companies, partners and vendors can be legally maintained. In this connection, if the UK does exit Europe without a transitional arrangement, what will be the position in relation to data flows to and from the UK?
What does the GDPR say?
The GDPR prohibits transfers of personal data from the European Economic Area (the EU plus Norway, Liechtenstein and Iceland) (“EEA”) to a country outside the EEA (referred to in the GDPR as a “third country”) unless:
Will the GDPR still apply post-Brexit?
The GDPR is here to stay post-Brexit regardless of whether there is a deal or no deal. This is because, on the day the UK leaves the EU, most of the EU law (including the GDPR) which applied prior to the UK leaving the EU will be converted into UK law. In addition, the new Data Protection Act 2018 (“DPA 2018”), which supplements the GDPR, will continue to apply in the UK regardless of the outcome.
What about transfers of data from UK to EEA?
When the UK leaves the EU, the UK will become a “third country”. The UK government has stated that, post-Brexit, UK businesses will continue to be able to send personal data from the UK to the EEA. Having said that, it has also said that the “UK would keep this under review”. Therefore, unless otherwise indicated by the UK government in future, the continued free flow of personal data from UK business to the EEA will continue.
What about transfers of data from EEA to UK?
The position is not the same in respect of data transferred from the EEA to the UK.
While the UK government has indicated its intentions to begin discussions on an adequacy decision for the UK, the European Commission has not yet given a timetable for this and has stated that a decision on adequacy cannot be taken until the UK is a third country. In any event, such decisions typically take many years to conclude. Therefore, for the time being, EU organisations will need to implement one of the appropriate legal safeguards (the SCCs usually being the most convenient option) in order to continue to transfer personal data to businesses in the UK.
What about transfers of data from UK to other territories?
In relation to transfers from the UK to other territories, the EU’s existing decisions on adequacy and SCCs that were in place on Brexit day can continue to be used after Brexit to ensure the free flow of data. Longer term, these adequacy decisions and SCCs will fall under the responsibility of and will be reviewed by the UK ICO rather than the European Data Protection Board.
Other issues to consider
Aside from the issue of international data transfers, there are some other issues to consider upon the UK exiting EU:
We are advising a number of clients on preparations for a no-deal Brexit. Contact us to explore how we can assist you.