As we all continue to try to grapple with the implications of a no-deal Brexit, the last week or two has seen the publication of a few things of interest from a data protection perspective:
The EDPB’s view of data transfers in a no-deal Brexit scenario
On 12 February 2019, the European Data Protection Board (the “EDPB”) published a general information note on data transfers under the GDPR in the event of a no-deal Brexit (available here). In summary, the information note provides that organisations must comply with the GDPR when transferring personal data from the EU to the UK, which will become a “third country” for GDPR purposes (from 00.00 am CET on 30 March 2019). No new or additional safeguards are contemplated by the EDPB, which effectively means that organisations must choose between:
- Standard contractual clauses (which the EDPB acknowledges are “ready to use”);
- Binding corporate rules;
- Codes of conduct or certification mechanisms (although none are yet approved/available under the GDPR); or
- Derogations such as individual explicit consent (although the EDPB emphasises that the derogations must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive).
For further information regarding the potential impact of a no-deal Brexit on data transfers, including an analysis of worked examples, please see our previous blog post available here.
The EDPB’s view on Binding Corporate Rules (BCRs) in a no-deal Brexit scenario
The EDPB has also published a specific note on BCRs for companies which have the ICO as the Lead Supervisory Authority (available here). The EDPB acknowledges that, in the event of a no-deal Brexit, the ICO will no longer have a role in European data protection and binding corporate rules. As such, there are a number of options available to organisations:
- If an organisation already has a BCR in place that has been approved by the ICO, it will need to identify a new EU lead supervisory authority.
- If an organisation is in the process of applying for BCR approval by the ICO, it will need to identify a new EU lead supervisory authority that will take over the application and formally initiate a new procedure at the time of a no-deal Brexit.
- If a draft ICO decision for approving BCRs is pending before the EDPB at the time of a no-deal Brexit, the organisation will need to identify a new EU lead supervisory authority that will take over and re-submit a draft decision for the approval of the BCRs to the EDPB.
GDPR and DPA 2018 Keeling Schedules
On 14 February 2019, the DCMS published two Keeling Schedules (available here) showing changes to be made to the GDPR and the Data Protection Act 2018 on exit day (in the event of a no-deal Brexit). For those who have previously tried to reconcile the drafting of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 with what they will actually mean in reality, these Keeling Schedules are a welcome publication (albeit for illustrative purposes only).
From a data protection perspective, it seems clear that a no-deal Brexit will have a significant impact (at least from an administrative perspective) on the transfer of data from the EU to the UK. Whilst the UK Government has confirmed that transfers from the UK to the EU will require no additional steps (at least in the short term), organisations would be well advised to take steps now to consider and put in place appropriate measures to deal with the transfer of personal data from the EU to the UK.