What Does Brexit Mean for Data Flows?
Get Your Organisation Ready
With March 29th looming and no decision yet on whether the UK will leave the EU without a deal or whether a “transition” deal can be agreed, it’s important that your organisation knows what steps it should take to ensure data transfers are compliant.
Although a no-deal is now looking more unlikely, it is still not completely out of the question. If a no-deal scenario transpires, this will require some urgent changes for 29th March. If there is a “transition” deal, the UK will remain subject to EU law (including data protection laws) until December 2020, or perhaps beyond. However, organisations will still need to prepare for the end of any “transition” deal. It is important to understand where your international data flows go and whether you need to take action.
Why do you need to take action?
Currently, data can flow freely and unrestricted within the EU, but once the UK leaves the EU it will become what is termed a “third country” and will be subject to restrictions on the transfer of personal data outside the European Economic Area.
(This is similar to the restrictions UK organisations currently have to adhere to for data transfers to non-EEA countries).
A restricted transfer can be conducted under one of the following three conditions:
1. Adequacy
2. Appropriate safeguards
3. An exception
What is adequacy?
The European Commission can assess the level of data protection provided in third countries to see if these are essentially of an equivalent level to that of the EU. If a country ‘passes’ the rigorous testing, the Commission can make an Adequacy decision. So far, The European Commission has recognised the following countries as providing adequate protection: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
The EC’s finding for the USA is only for personal data covered by the EU-US Privacy Shield. This is limited to organisations in the US who sign up to the Privacy Shield framework. Most recently in July this year, the EU and Japan agreed to recognise each other’s data protection systems as ‘equivalent’.
The UK Government has made clear its intention to seek an adequacy decision. However, the EC has made it equally clear that its adequacy assessment will not commence until the UK leaves the EU. Some are arguing this should be a relatively quick process, but others say it could take years.
4 Things You Need To Consider
1. Personal Data Transfers TO the UK
i) From EEA to UK
Are any of the organisations you work with based in the EEA? Are they transferring personal data to you in the UK?
If yes, you need to ensure this transfer is covered by an appropriate safeguard or an exception.
The most convenient appropriate safeguard is likely to be Standard Contractual Clauses.
ii) From ‘adequate’ countries to the UK
Are any of the organisations you work with based in ‘adequate’ countries? Are they transferring personal data to you in the UK?
Such countries are likely to have their own legal restrictions on making international transfers of personal data to countries outside the EEA.
The UK Government is expected to enter into discussions with these countries in order to make alternative arrangements for transfers to the UK. In the meantime, UK organisations and the sender will need to consider how to comply with local law requirements.
2. Personal Data Transfers FROM the UK
Such transfers will be governed by the ‘UK GDPR’, which will apply when you are making a personal data transfer from the UK.
i) UK to EEA based organisations
The UK Government has confirmed that data transfers from the UK to the EEA will be permitted. Transfers to Gibraltar will also be able to continue with no additional actions required.
This will be kept under review.
ii) UK to Non-EEA ‘adequate’ countries
The UK government will recognise EC adequacy decisions made prior to the UK leaving the EU.
This will allow transfers to continue with no additional actions required.
iii) UK to Non-EEA non-‘adequate’ countries
In this scenario you should already have in place appropriate safeguards for this transfer of personal data.
The UK government says it intends to recognise EC-approved SCCs as providing an appropriate safeguard for restricted transfers from the UK.
EU-US Privacy Shield: Once the UK leaves the EU it will be outside this specific EU-US arrangement. The US Department of Commerce has updated its Privacy Shield FAQs to cover Brexit scenarios either with “no deal” or under an agreed deal “transition period”.
3. One Stop Shop & EU Representative
If your organisation is based in the UK, post Brexit it is likely you will lose the benefit of the One Stop Shop. This may mean that in the event of a personal data breach you would need to notify not just the ICO but also, if EU citizens’ data is affected, each relevant supervisory authority. The danger is that this could lead to multiple enforcement actions.
Furthermore, if you fall under the territorial scope of the GDPR you will be required to nominate an EU representative under Article 27.
4. Amendments to GDPR documentation
It may be necessary to update your GDPR documentation, for example your Record of Processing Activities and Privacy Notices, to reflect and reference that the UK is no longer part of the EU.
In preparation for Brexit, reviewing your international data flows will help you to identify and quantify any risks and to know what steps you need to take so that transfers are conducted compliantly.
For further information see the following:
Published 4th March 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.