A hot topic this month is how the UK is preparing for a no-deal Brexit on 31st October 2019 and what the consequences would be for EU and UK citizens and organisations on both sides of the Channel.
In the light of these developments, Brexit will change a lot in the personal data field. The main issue is whether the free flow of personal data between the UK and all other EU/EEA countries will continue.
Issues arising in business relations
Business partners from the UK and the EU/EEA will face the need to take steps allowing lawful ongoing transfers of personal data.
For example, an English language center in the EU currently transfers its students’ personal data freely to the UK for assessment of their exam results and issuance of certificates. Once a no-deal Brexit becomes a fact, there will be additional requirements for EU and UK partners concerning the lawful transfer of students’ personal data. Similarly, UK organisations contracting with entities in the EU/EEA usually need to obtain personal data of the employees of the EU/EEA entity. Transfers of these employees’ personal data to the UK will have to meet the requirements in force following a no-deal Brexit.
The no-deal complications
In the event of a no-deal Brexit, the UK will no longer be bound by EU legislation, including the security levels established by the GDPR. The UK will become a “third country” under the GDPR, and this will cause complications for EU organisations transferring personal data to the UK. As a general principle, a transfer of personal data outside the EU/EEA requires at least one of the mechanisms envisaged in the GDPR: an adequacy decision of the European Commission, appropriate safeguards or the so-called derogations.
Where the European Commission does not adopt an adequacy decision in respect of a third country (and obviously there is no such decision concerning the UK, yet), organisations transferring personal data to this third country must ensure that an alternative safeguard mechanism exists. As a result, the cross-border flow of personal data within the EU/EEA remains entirely free, whereas transfers of personal data from the EU/EEA to the UK will have to comply with the abovementioned additional requirements if an adequacy decision is not adopted.
How can organisations prepare themselves?
The UK government published a No-Deal Readiness Report (the “Report”) aiming to demonstrate readiness for leaving the EU without any arrangements. This Report provides some general guidelines to the affected UK organisations and in essence states that UK organisations have to take the steps required to enable the continued free flow of personal data. As the European Commission does not intend to adopt an adequacy decision in respect of the UK at the time of Brexit, organisations on both sides of the Channel must take measures to put in place one of the abovementioned safeguard mechanisms.
Identify the flow of personal data
The Report recommends that all UK businesses, civil society organisations and other organisations should identify the personal data they receive from organisations in the EU/EEA and where this data is held. Likewise, the EU/EEA organisations should identify personal data they transfer to their partners in the UK.
Choose the appropriate mechanism
Organisations should check whether they need to put in place alternative safeguard mechanisms to continue receiving personal data from the EU/EEA or transferring personal data to the UK, and choose which mechanism serves their needs best. These mechanisms include:
- Standard contractual clauses (SCCs)
- Binding corporate rules (BCRs)
- Presence of a derogation such as the data subject’s explicit consent, a contract between the data subject and the controller, establishment, exercise or defense of legal claims, etc.
The appropriateness of the mechanism must be assessed on a case-by-case basis.