International transfers of personal data are instantaneous and constant. Everyday business functions such as uploading data files to the cloud or sending emails potentially involve transferring personal data across international borders. This is particularly relevant in today’s global economy where business functions are often outsourced overseas for operational and cost efficiencies. Following Brexit, the UK will be a ‘third country’ for the purposes of international transfers of data under the GDPR, which could have serious implications on the practicalities of legally transferring personal data from the EU to the UK. We would like to examine the possible outcomes of the on-going Brexit negotiations on the transfer of personal data from the EU to the UK.
Deal or No Deal
On 14 November 2018, the UK government published a draft withdrawal agreement (governing the terms of the UK’s departure from the EU), Article 71(1) of which anticipates a transition period for the continued application of EU data protection law (i.e. the GDPR) for the processing of the personal data of individuals resident outside the UK, provided that the personal data: (a) was processed under EU law in the UK before the end of the transition period; or (b) is processed in the UK after the end of the transition period on the basis of the withdrawal agreement. However, the continued application of EU data protection law just about only backs up the status quo that personal data may only be transferred to third countries (such as the UK after Brexit) if the European Commission has provided that country with an adequacy decision or, in the absence of an adequacy decision, either certain safeguards are adopted in relation to the transfer or a specific derogation can be safely counted on.
There was potentially a silver lining to this situation. Article 71(2), the transitional arrangements referred to above will fall away if the Commission makes an adequacy decision essentially acknowledging that the UK’s processing of personal data provides a satisfactory level of protection to EU-based individuals. Meaning there will be little to no disruption to businesses since there is no need to rely on safeguards in order for personal data to be transferred from the EU to the UK.
The big BUT; however, is it is not a guarantee that the UK Parliament and the leaders of the EU will come to an agreement before March 29th and even if there was a sort of deal, it is very possible it will not be permanent. If an adequacy decision ceased to apply for any reason then Article 71(3) requires the UK to “ensure a level of protection of personal data essentially equivalent to that under EU law…” That may sound as if the EU is forcing the UK comply by their rule and in ‘Borg’ like fashion assimilate you want to or not, but the fact is UK already have the GDPR incorporated into its own Data Protection Act laws since 2018. Domestically, the UK may have more wiggle room as to how that law can be enforced after the withdrawal.
On 25 November 2018, a summit of EU leaders unanimously approved the terms of the draft withdrawal agreement. However, on the 15th of January this year, the UK Parliament failed to approve the withdrawal agreement, resulting in a historic defeat for a proposition by any PM. This unfortunately makes the idea of a No Deal Brexit very close to a reality given that the deadline for Brexit is the 29th of March this year. The Commission has expressly stated that the adoption of an adequacy decision is not part of its contingency planning. EU member states do not have the power to unilaterally grant adequacy decisions to third countries as approval from representatives of all EU member states is required.
A no deal Brexit therefore suggests an extended period of reliance on the safeguards and derogations referred to above in order to legally transfer personal data from the EU to the UK. Reliance on these measures to govern all transfers of personal data from the EU to the UK is likely to be cumbersome in practice, partly given the rigid nature of the Standard Contractual Clauses (SCCs) and the magnitude of the task presented by establishing legally sound Binding Corporate Rules from a time and resource perspective.
What you can do now.
There is no way to be certain that the UK Parliament will go forward with the deal as it currently stands so the best thing to do is to proceed as if there were no deal in place. This means reliance on the safeguards and derogations in order to legally transfer personal data from the EU to the UK. If your business is reliant upon such data transfers from the EU, it would be advisable to consider putting in place contingency plans for a no deal Brexit by preparing for the use of appropriate safeguards and/or derogations.
The blog article provided by: East Belfast Enterprise, the UK
Image Credit: www.freestock.org