Following last night's historic defeat of Theresa May's Brexit deal, a 'no deal Brexit' is now a very real prospect for the UK. What does this mean for organisations in relation to their data processing operations, given their current reliance on the highly publicised General Data Protection Regulation (GDPR), which is a piece of European legislation? Without the certainty of an agreed withdrawal agreement between the EU and the UK, it is not surprising that organisations, particularly those that process high volumes of personal data or are involved in complex data sharing arrangements, may be beginning to panic about potential disruption to operations.
Looking ahead, the ICO recently published guidance on the impact of a no-deal Brexit which provides a useful overview of the key issues. One of the obvious areas of immediate concern is cross-border transfers of personal data. Can these still continue in the event of a no-deal Brexit? What do organisations need to do to minimise disruption to their activities?
International Transfers – will your organisation be affected?
Not if your organisation operates in the UK, never transfers personal data outside the UK (please remember to consider transfers that may not be immediately obvious, e.g. use of a cloud IT service with servers outside the UK), and never receives personal data from outside the UK, or only transfers personal data outside the UK to, or receives it from, consumers.
Yes – if your organisation is located in the UK, caught by GDPR and (i) sends personal data outside the UK; (ii) receives personal data from the EEA; or (iii) receives personal data from a country outside the EEA that is covered by an adequacy decision. If this is your organisation, we recommend you start thinking about how your organisation can prepare for a no-deal Brexit.
What will be the impact?
At the moment, UK-based organisations can generally enjoy unrestricted transfers of personal data across the EEA. Once a transfer involves sending personal data outside the EEA, i.e. to a third country, it becomes a restricted transfer and additional requirements must be met – these are set out in Chapter V of GDPR. Once (if) the UK leaves the EEA, the UK becomes a 'third country', and the impact of this as far as cross-border transfers are concerned will depend on the nature of the transfers. We have identified four possible scenarios:
1. Transferring Personal Data from the UK to the EEA
This will now be a 'restricted transfer'. However, the UK government has stated that transfers from the UK to the EEA will be permitted, and there is no indication at this time that organisations in this category need to do anything further in this regard. This will be kept under review; for the time being, however, it should give organisations some comfort.
2. Transferring Personal Data from the UK to outside of the EEA
This would currently be considered a restricted transfer, so your organisation ought already to have in place arrangements that meet the provisions of GDPR applicable to international transfers. It appears that the UK will generally continue to recognise the provisions put in place by GDPR for legitimising international transfers. For example, if your organisation relies on the EC-approved Model Contract Clauses, it is anticipated that the UK government will continue to recognise these.
Likewise, if your organisation relies on an adequacy decision (i.e. where, prior to the UK's exit, the European Commission has deemed that the recipient country or organisation has adequate levels of protection for personal data) to make restricted transfers, it is expected that the UK will continue to recognise that adequacy decision.
It seems, therefore, that for the time being organisations falling into this category do not need to implement any significant changes ahead of leaving the EEA as a result of a no-deal Brexit. An exception to this would be if your organisation relies on the Privacy Shield system to send personal data to the US; please note that this will only continue to be available in the event of a no-deal Brexit if those US organisations have publicly committed to state expressly that their Privacy Shield obligations apply to transfers of personal data from the UK (i.e. not just the EEA). We recommend that, if this is relevant, your organisation checks the US recipient's privacy policy and seeks assurances in this regard.
3. Receiving Personal Data from the EEA into the UK
The UK will be a third country outside the EEA, so the sender (i.e. the organisation in the EEA) will need to meet GDPR's requirements for international transfers set out in Chapter V of GDPR. In due course, if the European Commission gives the UK an adequacy rating, it may be that a significant portion of transfers from EEA to UK organisations will rely on this. However, at exit the UK will not have such a finding.
This means that, in the short term, any EEA 'sender' will need to put in place additional safeguards if it wishes to continue sending personal data to UK organisations after the UK leaves the EEA. Arguably the most common and convenient method is the use of the EC-approved Model Contract Clauses; however, how easily this can be executed in practice will depend on the parties involved and their preferred requirements.
4. Receiving Personal Data from outside the EEA
Since both the sender and the recipient sit outside the EEA, a no-deal Brexit is unlikely to have a significant impact on international transfers of personal data in this scenario.
An exception to this would be where the ‘sender’ is a country that has been given an adequacy rating by the European Commission. Currently, this includes Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, USA (Privacy Shield only) and shortly Japan.
To receive an adequacy decision, the country or territory may have subjected itself to legal restrictions on making transfers of personal data to countries outside the EEA, which will include the UK once it leaves. It is therefore unclear on what basis these countries will continue to legitimise transfers of personal data to the UK, and it is understood that the UK government will enter into talks with these countries in this regard.
If your organisation falls into this category, we recommend that you contact the ‘sender’ to identify if they are subject to any legal restrictions which could prohibit the continued transfer of personal data to the UK.
What should your organisation do next?
With the UK due to leave the EEA in March, time for effective risk management is running short. We recommend that consideration is given to cross-border transfers of personal data, as well as other data protection implications, at the earliest opportunity.
Prioritising high-risk data transfers (such as transfers of special category data or criminal conviction data, operationally critical transfers, or high-volume transfers), plan out the action that needs to be taken to ensure the seamless continuation of transfers after the UK leaves the EEA. The scenario likely to be most problematic is where your organisation receives personal data from within the EEA; this will require a proactive approach, with perhaps the easiest route to legitimise such transfers being to put in place the Model Contract Clauses. In this regard, we recommend that your organisation starts discussing this issue with any organisation in the EEA from which it receives personal data, so as to put in place adequate measures to continue to support the sharing of personal data as soon as possible.
Loretta Maxfield is a specialist Intellectual Property, Media and Technology solicitor. We are always delighted to talk without obligation about whether we might meet your needs. Call Loretta on 01382 229111 or email lmaxfield@thorntons-law.co.uk