Brexit is certain but what about the free movement of personal data

Whether or not Brexit will be hard (with no transition agreement) or on the basis of the current tabled transition agreement is still not known. However, all indicators point to both the UK parliament and the EU Commission approving the current deal. This deal at least preserves the status quo for transfers of personal data between the European Economic Area (EEA) and the UK – for now. But the future is still uncertain and if a permanent deal is not struck by the end of 2020 then a hard Brexit may still come to pass (if the UK prime minister sticks to his current line that there is to be no extension to the negotiation period), or we could find ourselves in limbo land for years to come while politicians on both sides of the Channel continue to argue out the finer points of just how Britain and the EU will continue to trade.

Preserving the ability to maintain data flows in an economy that is powered by the digital services sector is crucial to maintaining the UK’s position as the second largest commercial market in the world.

Even though the referendum in 2016 set in motion Britain’s plans to leave the EU, the UK is still part of the EU and as a result had to adopt the gold standard for protection of personal data when it came into force in the EU (the EU’s General Data Protection Regulation) and has now implemented it into national law in the form of the Data Protection Act 2018 (DPA 2018). Despite this, once the UK leaves the EU (with or without a deal) if the European Commission has not approved an adequacy decision (i.e. a decision that the UK has data protection measures that are deemed essentially equivalent to European standards) then alternative cumbersome transfer mechanisms will have to be put in place to maintain the flow of personal data between the EEA and the UK and vice versa.

The European Union Task Force for Relations with the UK has held internal preparatory discussions on the future relationship with the UK on personal data protection (adequacy decisions) and cooperation and equivalence in financial services.

A document issued by the Task Force, dated 10 January, stated that if the UK withdraws with an agreement on 31 January 2020, there will be a transition period of 11 months. During that time, an adequacy decision may be negotiated and an adequacy decision given if the applicable conditions are met.

Given the UK is already fully aligned with Europe on the data protection front you’d be forgiven for thinking that the “applicable conditions” will be easily met and it would be very hard for the powers that be in Europe not to fast track an adequacy decision thereby seamlessly maintaining the flow of personal data between the UK and the EEA countries. But the wheels grind slow (as we have seen) and adequacy decision assessments and negotiations usually take many months and then there are political considerations, and safeguards for personal data exchanged for law enforcement and judicial cooperation in criminal matters that need to be worked out, which could all prolong negotiations.

The transition deal between the UK and the EU preserves the status quo for data sharing between the UK and the EEA and vice versa, at least until the end of December 2020. However, the deal is only transitional, and an adequacy decision is by no means certain, so UK businesses would be well advised to take steps now to preserve flows of personal data between the UK and the EEA in case the UK leaves the EU at the end of this year with no deal and no adequacy decision. As we have seen so far with Brexit, we need to continue to prepare for all eventualities.

1. Continue to Comply with GDPR

Most organisations in the UK that process personal data should already have a level of compliance with GDPR in place even if that is still being worked on and refined. Continuing to improve on processes and procedures to ensure continued compliance with GDPR is critical. Even if GDPR no longer has direct application to the UK (after Brexit), the DPA 2018 embodies its principles in UK law, and Brexit is not likely to result in a repeal of that legislation.

Also, GDPR will still apply directly to UK businesses with an office, branch or other established presence in the EEA, or that have customers or target customers in the EEA. These organisations will need to comply with both the DPA 2018 and GDPR after Brexit and under GDPR will need to designate a representative in the EEA to interact with individuals and data protection authorities in the EEA.

2. Implement Valid Transfer Mechanisms

The DPA 2018 requires exports of personal data outside the EEA to be done with consent or under an alternative valid transfer mechanism e.g. Standard Contractual Clauses (SCCs), ad-hoc model clauses, privacy shield (for transfers between the UK and the US) or in accordance with approved codes (which are still in the making).
The UK government has stated that transfers to the EEA will not be restricted. So, no additional steps are required to continue transferring personal data from the UK to the EEA.

However, if a business or organisation in the EEA is sending personal data to a UK organisation, then the EEA organisation will still need to comply with EU data protection laws and will require the UK business to take action to put in place a valid transfer mechanism.

The SCCs still remain the preferred mechanism for ensuring valid transfers of personal data from within the EEA to organisations outside of the EEA. (These are a set of standard clauses approved by the European Commission that impose obligations on organisations outside of the EEA that are receiving and processing personal data of persons in the EEA.)

UK organisations receiving personal data from the EEA should consider adding SCCs to contracts with EEA exporting organisations now, including a trigger mechanism which brings them into force only in the event of a no-deal Brexit and in the absence of an adequacy decision.

3. Update Privacy Notices

Businesses should also review their privacy notices and other privacy documentation to identify any changes that need to be made after Brexit. For example, privacy notices may need to be revised to reflect that personal data is being imported from or exported to the EEA and under which transfer mechanism and those doing business in the EEA will need to provide details of their EEA representative.

4. Update Supply Contracts

UK organisations that receive personal data from the EEA and use UK service providers as processors or sub-processors of that personal data, may need to update their contracts with those service providers to add commitments in relation to valid transfer mechanisms to ensure that all processors in the supply chain can lawfully receive and process personal data coming into the UK from the EEA. If not already in process, now is the time to start checking the contracts in place with processors to ensure that commitments being made to EEA exporting organisations are flowed through to all UK based processors and sub-processors.

Taking the above steps will be time well spent and should put your business ahead of the game when it comes to flows of personal data whatever the final outcome of this on-going Brexit saga.

During the transition period and beyond whether or not there is a deal, UK organisations handling personal data will be subject to EU data protection authority scrutiny and will not necessarily be able to escape the eye watering fines which can be meted out under GDPR. If you are interested in keeping up to date with the number and value of fines levied so far the following is a useful source of information: GDPR Fines Tracker & Statistics