On 21 December 2018, the Data Protection Commission (“DPC”) published preliminary guidance in relation to the impact of a “no deal” Brexit on personal data transfers.
In summary, organisations which transfer personal data to the UK need to make preparations to ensure that personal data can continue to flow freely to organisations in the UK in the event of no deal. However, the flow of personal data from the UK to EEA countries can continue without the need for action, as the UK Government has signalled its intention to continue current practice in the event of no deal.
Under EU data protection law, personal data can be freely transferred between organisations within EEA countries without any specific measures. However, in the case of transfers of personal data to third countries – of which the UK will become one following Brexit – different rules apply under Part V of the GDPR.
One mechanism which facilitates the transfer of personal data to third countries is the EU Commission’s adequacy decision – in other words, where the EU Commission has recognised a data protection regime in a third country as being adequate and therefore further measures are not required to underpin the transfer of personal data. However, the EU Commission has confirmed that there will not be an adequacy decision in place in respect of the UK by the end of March 2019, meaning that in the event of a “no deal” Brexit, organisations must avail of one of the alternatives under Part V of the GDPR in order to transfer personal data to the UK following Brexit.
Part V of the GDPR permits personal data transfers to third countries provided appropriate safeguards are in place. The most commonly used mechanism which meets these requirements is the use of standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract.
Impact of No Deal
Should the UK leave the EU without a deal, then with effect from 11pm (British & Irish time) on 29 March 2019 organisations which transfer personal data to the UK must do so in accordance with personal data transfers to third countries under Part V of the GDPR. While it is expected that an adequacy decision will be made by the EU Commission in due course in respect of the UK, pending such a decision organisations need to take steps to deal with personal data transfers in the event of no deal, most commonly via standard contractual clauses.
While the UK’s departure from the EU remains shrouded in uncertainty, the spectre of a “no deal” Brexit is an increasing possibility. In these circumstances, organisations should take note of the DPC’s preliminary guidance which highlights one of the immediate impacts of a “no deal” Brexit. While the use of standard contractual clauses may be the solution for most organisations, in certain cases other transfer mechanisms permitted under Part V of the GDPR may be more appropriate. It is therefore vitally important that organisations which transfer personal data to the UK address this issue as part of their contingency planning for Brexit.