The last few months have shown that it is getting harder by the minute to forecast what the outcome of the Brexit negotiations in the United Kingdom might be. As time elapses, and with the recent parliamentary rejection of the EU-UK Withdrawal Agreement in London, the shadow of a "hard Brexit" scenario appears to be creeping over the UK and its EU counterparts. It is likely that the next few days are going to prove critical to the future of the UK-EU relationship.
In this context, organizations should be aware of the important consequences that a "Hard Brexit" scenario might have upon transfers of personal data between the UK and EU Member States, especially under the GDPR regime which became applicable last year.
Indeed, while the GDPR enables transfers of personal data to take place between entities located in different EU Member States, transfers of personal data between the EU and countries outside the EU ("third countries") are generally prohibited, unless certain stringent conditions are complied with.
In case of infringement, article 83 of the GDPR enables data protection supervisory authorities, such as the Commission Nationale de la Protection des Données (CNPD) in Luxembourg, to impose severe sanctions upon the entities concerned. Such administrative fines may amount to up to 20 million euros or up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. Furthermore, under the Luxembourg Law of 1 August 2018 which complements the GDPR, the CNPD is entitled to impose additional penalties upon the same entities, which may entail financial and/or reputational sanctions for those involved. Organizations dealing with personal data flows to and from the UK should ensure that such flows fall within the conditions provided for by the GDPR.
The GDPR allows personal data transfers to a third country notably when:
- the third country benefits from an "adequacy decision" from the European Commission. However, it is rather unlikely that the UK will swiftly benefit from such a decision in the event of a "Hard Brexit," at least not in the near future
- the transfers of personal data take place between entities of the same group, and such entities have entered into "binding corporate rules" specifying strict conditions for the transfers
- the entity exporting personal data has entered into EU Commission-approved "standard data protection clauses," the so-called "EU Model Clauses," with the entity importing personal data
Consequently, with the growing risk of a "Hard Brexit" outcome, organizations dealing with UK-EU transfers of personal data are strongly encouraged to urgently verify that such transfers of personal data comply with the GDPR: under the current "no deal" scenario, transfers will be restricted as of 30 March 2019. In this respect, putting "EU Model Clauses" in place between the relevant entities often constitutes the most convenient and the quickest solution. Such a solution complies with the rules set by the GDPR, whilst waiting for the EU Commission to decide whether the UK should benefit from an adequacy decision.