In our blog today, we look at the implications for Data Protection in the event of a No Deal Brexit, an increasingly likely scenario given the inability of the politicians in both houses to agree on a sensible approach.
A very informative article by FieldFisher explains that the EU Withdrawal Agreement seeks to ensure there is no disruption to data flows after Brexit.
Currently, the EU Withdrawal Agreement proposes that during the Implementation / Transition phase, i.e. the period from March 2019 until the Treaty governing the future relationship is agreed, existing EU laws will continue to apply within the United Kingdom.
This means that businesses and practices must still comply with the existing regulations, the UK Data Protection Act 2018 and the EU General Data Protection Regulation. So, no change there.
The UK government, and businesses on both sides of the channel, would like the free flow of personal data to continue after the Transition period ends. Once the UK is outside the EU, this would take the form of an adequacy decision, similar to the adequacy decisions the EU has given to countries such as the United States, Canada, New Zealand and Argentina, which allow the free flow of data.
An adequacy ruling from the EU Commission effectively means that the Data Protection laws in a country are adequate to ensure the protection of individuals' rights regarding personal data.
The political declaration on the future relationship between the UK and the EU describes the ‘endeavour’ to adopt an adequacy decision by the end of the Transition period.
Given that the UK government adopted all of the GDPR provisions into the UK Data Protection Act 2018, my personal opinion is that it would be astounding and rather disingenuous if the EU did not grant the UK an adequacy decision.
But what happens if there is No Deal before March 2019?
The UK ceases to be a member of the EU in March 2019, instead becoming a Third Country. If the EU Withdrawal Agreement Bill does not go through UK Parliament, there will be no agreement covering either the Transition period or a plan for a future trading agreement.
From a Data Protection perspective, Third Countries either require an adequacy decision OR must implement other safeguards for data transfers from the EU to the Third Country and vice versa.
What are the other safeguards?
- A legally binding and enforceable instrument (e.g. contract, agreement) between public authorities or bodies. If you are a private organisation, this is not the solution.
- Binding Corporate Rules – BCRs are an internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group’s EEA entities to non-EEA group entities. However, BCRs must be submitted for approval to an EEA Supervisory Authority, which can be a lengthy and expensive process. If you are an SME private organisation, this is not (or is unlikely to be) the solution.
- Standard contract clauses (or model clauses) adopted by the EU commission – these can be used in contracts and have been approved by the EU, but have yet to be updated to reflect the EU GDPR. The clauses cover the transmission or processing of personal data from / to non-EEA countries, BUT only when used in their entirety and without amendment.
So the standard contract clauses need to be present in any contract under which personal data is transferred outside the UK (at present, the requirement applies to transfers outside the EEA).
If we exit the EU without a deal, your organisation or practice very quickly needs to:
- Understand what data you have, how it flows and which countries the data is received from or flows to.
- Be prepared to review and possibly update any contract with another organisation outside of the UK where data flows from and to.
If you have not yet done your homework or analysis on your organisation’s data, I strongly recommend this is a priority task for January 2019, especially if the EU Withdrawal Agreement Bill is not approved by UK Parliament in a few weeks. You should have done this anyway, as part of Data Protection compliance.
Something to think about in January.
Today’s fact. Did you know that data merely in transit through a country is not subject to the EU GDPR? This means that the data must not be stored, processed, accessed or amended in any way; it just passes through.
=> At least that’s one thing you don’t need to worry about!
That’s it from me for 2018. I’ll be back in January 2019 with an update on the implications of Brexit for Data Protection.
Wishing you and your families a very happy festive season!
Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited
Data Protection for Business offers outsourced data protection officer services.