Published by Alisha McKerron on 22 August 2019
With a no-deal Brexit looking like a genuine possibility on the 31st of October, it’s worth considering afresh its implications for cross-border data flows, from the point of view of EEA organisations (which will continue to be subject to the General Data Protection Regulation (GDPR)) and UK organisations (which shall become subject to a UK version of the GDPR). The good news is that the UK government has done what it can to ease the process.
Personal data flowing into the UK from the EEA
For transfers of data into the UK, a no-deal Brexit will mean that EEA organisations have to legitimise the flow of personal data into the UK. This is because the UK’s status will change (under the GDPR) to that of a third country and, rather importantly, cross-border transfers to third countries are prohibited (without a lawful data transfer mechanism, that is)! In other words, the UK would become like any other non-EU country with respect to data transfers: any EEA organisation would need a lawful data transfer mechanism (under art. 44, GDPR) to continue to transfer personal data.
UK organisations receiving personal data from EU organisations will therefore have to ask those EU organisations to use a suitable cross-border transfer mechanism.
If the UK is recognised as an “adequate” country (under art. 45(1), GDPR), the status quo could continue without any other transfer mechanism having to be implemented. But achieving adequacy status requires satisfying the EU Commission that the UK has a level of protection equivalent to that of the EU. This may take some time to determine because, although the UK has adopted the GDPR into its domestic legislation, it has far-reaching government surveillance powers which may adversely affect data subjects’ privacy rights. Until this issue has been resolved, EEA organisations will have to look to other transfer mechanisms.
EU Commission-approved standard contractual clauses may be a suitable choice, as they are widely used for transfers around the world and could easily be introduced into existing documentation. However, their validity is currently being questioned in a case before the European Court of Justice (Schrems II); a final decision should come out around the end of this year.
A regulator-approved set of binding corporate rules (under art. 47, GDPR), binding a group of undertakings or a group of enterprises engaged in a joint economic activity, could be considered, but these require time and money to set up.
Needless to say, it will be up to EU organisations to decide which mechanism to use. The European Data Protection Board’s “Information note on data transfers under the GDPR in the event of no-deal Brexit” should help them make the correct decision. But what about data flows from the UK to the EU?
Personal data flowing out of the UK to the EEA
For transfers in the other direction, what was said above pretty much applies in reverse (albeit under the UK’s version of the GDPR, instead of the real thing). The status of EU member states (from the UK’s point of view) will change to that of ‘third countries’, and a data transfer mechanism will be required in order to continue transferring personal data. However, cross-border transfers will be easier because the UK has made it clear it intends to permit data to flow from the UK to EEA member states. It has also committed transitionally to recognising EEA member states and Gibraltar as “adequate”, and so data transfers can continue as they currently do.
Personal data flowing out of the UK to countries that are not EEA member states
Transfers to third countries which are not EEA member states will stay the same too: the UK government will mirror the status quo of the GDPR in the EU by adopting the same approach as the EU. It will recognise the same list of countries as being “adequate”, and will recognise the standard contractual clauses approved by the European Commission and any binding corporate rules approved by supervisory authorities. Interestingly, the UK’s version of the GDPR will have extraterritorial jurisdiction and apply to the EEA! This is all explained in the UK government guidance note entitled “Amendments to the UK data protection law in the event the UK leaves the EU without a deal”. So what steps should UK organisations take to protect themselves?
What you should do
UK organisations need to assist their EEA stakeholders/organisations in assessing their exposure to cross-border transfers to the UK. Both parties should consider the necessity of cross-border transfers. Perhaps data flows could be minimised or even temporarily stopped, pending a favourable UK adequacy decision. If their EEA stakeholders/organisations continue to transfer any personal data to them, they must use a suitable transfer mechanism under the GDPR. Whilst the outcome of the Schrems II case is pending, standard contractual clauses should be avoided even though they are approved.
Organisations in the UK have somewhat less cause for concern, since the UK has committed transitionally to recognising EEA member states and Gibraltar as “adequate”, and so data transfers to EEA member states can continue as they are. However, UK organisations should review their documentation (for example, what their privacy notices and data processing agreements say about international transfers, since EEA transfers will now fall into this category) and maintain organisational awareness of the issue.
Aside from cross-border transfers, they should also consider whether they have to appoint a representative in an EEA member state under article 27 of the GDPR, another side effect of becoming a third country. The same question needs to be considered by EEA member states in relation to the UK.