21st March 2019
Whether the UK leaves the EU with or without a deal, businesses must be ready for changes that will affect their data flow processes and agreements.
As 29 March looms, with no clear indication yet of how we will leave the EU, some issues need to be considered in both a deal and a no-deal scenario, data protection being one of them. Regardless of the Brexit outcome, businesses have to review, and probably adapt, their data flow processes and agreements, and not just in relation to data flows between the UK and EEA, given that EU regulation has much to say regarding third countries.
Deal: carry on meantime
The Withdrawal Agreement between the EU and UK provides for continuation of the GDPR in UK law during the transition period; thus there would continue to be no restriction on data transfers between the UK and EEA, both ways. After that period, it is intended that GDPR will apply until the European Commission issues the UK an “adequacy decision”. This means that the Commission has approved that the UK’s data protection safeguards are essentially equivalent to those of the EU.
However, adequacy decisions are not granted overnight: for example, it took New Zealand four years to obtain one. In the absence of a decision, the cautious approach is to assume the UK will be a third country and therefore UK businesses should prepare standard contractual clauses (see below) with their EEA processors and controllers.
No deal: transfers restricted
Leaving the EU without a deal or an adequacy decision will mean that the UK is essentially treated as a third country for GDPR purposes, and transfers will be restricted unless certain safeguards or derogations apply.
The draft Data Protection, Privacy and Electronic Communications (Amendment etc) (EU Exit) Regulations 2019 would bring GDPR into UK law from 29 March. This means that, if you are a UK business processing UK data, you will be subject to the UK version of GDPR. However, if you process EU data, you will still also be subject to the EU GDPR.
The UK Government has advised that there will be no restriction on data flows from the UK to the EU: the UK will recognise the EU as having sufficient data protection safeguards. It is also intended that the UK recognises EU adequacy decisions made prior to the exit date. The UK will no longer benefit from the one-stop-shop, which means that the ICO will no longer participate on the European Data Protection Board or be the leading supervisory authority for processing of EU data by a UK entity. UK businesses processing EU data will also have to designate an EU representative, who must have a base in a member state where some of their data subjects are.
In addition, without an adequacy decision, the UK will not benefit from a free data flow from the EEA, as data transfers will be restricted unless certain processes are in place such as “standard data protection clauses”, “binding corporate rules”, legally binding instruments between public authorities, legally binding codes of conduct, or derogations for specific situations.
Standard and ad hoc contractual clauses. The most relevant mechanism for international transfers will be the standard data protection clauses approved by the European Commission. These are only available for transfers from EU controllers to non-EU/EEA controllers or processors. Note that there has been comment that the clauses do not meet all the GDPR requirements for a lawful transfer, and therefore it is expected that they will be reviewed in the near future.
The European Data Protection Board (EDPB) states that while these clauses may be used within a wider contract, they must not be modified by the contracting parties. Any modifications mean that the clauses will be considered ad hoc and must be approved by the competent national authority, following an opinion from the EDPB. The UK Government intends to recognise European Commission-approved standard contractual clauses as providing an appropriate safeguard for restricted transfers from the UK.
Binding corporate rules. These apply for data transfers from the UK to outwith the EEA but within a corporate group or to a group of overseas service providers. The UK Government also intends to recognise binding corporate rules authorised under the EU before exit day.
Derogations. Derogations allow transfers in certain situations (usually occasional and non-repetitive transactions) as exceptions to the safeguards discussed above. They include relying on consent from an individual, or for performance of a contract between the individual and the controller. They must be interpreted restrictively.
EU-US privacy shield. We should also note that UK businesses relying on the privacy shield to make data transfers to the US will have to check that their transferees have adapted their certification to include the UK post-Brexit.
How can we prepare?
Without thinking about it, we and our clients transfer data on a daily basis. Some of those transfers will be international transfers, for example uploading documents on to the cloud, sending an email, or updating a database or document management system.
UK businesses need to think about:
1. Do they operate in the EEA/EU?
2. Do they send data from the UK to the EEA/EU?
3. Do they receive data from the EEA/EU?
4. Do they send UK or EU data from the UK to a third country?
5. Do they receive data from a third country?
6. Is that third country subject to an adequacy decision?
7. If no adequacy decision, can the standard contractual clauses be used?
8. Do they send UK data to the United States?
Generally, UK businesses should review their contracts. In relation to receiving data from third countries not covered by an adequacy decision, it is expected that the UK Government will enter into separate agreements. Meanwhile, in order to continue receiving data from such countries post-Brexit, UK businesses will also need to comply with local laws of the third country.
If UK businesses rely on consent from EU subjects, this may have to be reviewed post-Brexit, especially where transfers outwith the EEA were not covered.
The EDPB has given guidance on a no-deal Brexit and data transfers; however it is recommended that a close eye is kept for any further updates in the weeks to come.
This article first appeared in The Journal.
The information contained in this newsletter is for general guidance only and represents our understanding of relevant law and practice as at March 2019. Wright, Johnston & Mackenzie LLP cannot be held responsible for any action taken or not taken in reliance upon the contents. Specific advice should be taken on any individual matter. Transmissions to or from our email system and calls to or from our offices may be monitored and/or recorded for regulatory purposes. Authorised and regulated by the Financial Conduct Authority. Registered office: 302 St Vincent Street, Glasgow, G2 5RZ. A limited liability partnership registered in Scotland, number SO 300336.