No-deal Brexit and data transfers – an update
21 February 2019
The Department for Business, Energy and Industrial Strategy (“BEIS”) has published guidance on using personal data after Brexit. The European Data Protection Board (“EDPB”) has also released an information note on the implications of a no-deal Brexit for data transfers from the EEA to the UK.
As discussed in our previous article, a no-deal Brexit would pose a number of challenges for data protection issues – particularly in relation to data transfers. These challenges are not insurmountable, but businesses that transfer personal data into the UK from the EU will need to put mechanisms in place to ensure data flows are not interrupted.
The BEIS guidance explains how Brexit will affect UK businesses in relation to use of personal data, in the event of both a deal and a no-deal Brexit.
If there is a deal, the guidance confirms that there will be no immediate change. The rules will not change during the implementation period, so personal data can continue to be sent to and received from the EU without any new requirements. The plan is for an adequacy decision to be in place by the end of this period, enabling the UK to be assessed as having adequate data protection standards, and the EU could continue to transfer data to the UK without additional safeguards.
BEIS does not expect there to be an adequacy decision in place by 29 March 2019. This means that, if there is no deal, EU data flows into the UK will need to be subject to additional safeguards. All businesses transferring personal data from the EU to the UK will have to ensure there is a compliant data-sharing mechanism or derogation in place. BEIS recommends referring to the six-step guidance on this topic published by the Information Commissioner’s Office (“ICO”), as explained in our article.
EDPB information note
The EDPB’s information note also explains that, should the UK leave the EEA without an agreement in place, it would become a third country after 29 March 2019. As a result, data transfers to the UK would need to be based on one of the permitted data-transfer instruments, and organisations should prepare accordingly. The EDPB sets out five steps that organisations transferring data to the UK should take in preparation for a no-deal Brexit.
- Identify what processing activities will imply a personal data transfer to the UK.
- Determine the appropriate data-transfer instrument for your situation.
- Implement the chosen instrument to be ready for 30 March 2019.
- Indicate in internal documentation that transfers will be made to the UK.
- Update your privacy notice accordingly to inform individuals.
The permitted data-transfer instruments are: EU-approved model clauses; binding corporate rules; a code of conduct or certification mechanism; or derogations which may allow data transfers under certain conditions.
The EDPB notes the UK Government's indication that it will continue to permit personal data to flow freely from the UK to the EEA, and advises organisations to consult its website and the ICO’s website regularly.
Neither of these documents contains anything surprising and our advice remains the same. Don’t panic, review your EU/UK data flows and hope for the best in terms of a deal. But if the worst happens, rest assured the issues are not insurmountable – EU/UK model clauses are not excessively complex to put in place or to amend to reflect the UK’s new position as a third country post Brexit.