The European Data Protection Board (EDPB) last week adopted a paper clarifying the position in relation to data transfers between the EU and UK in the event of a no deal Brexit.
The EDPB confirmed that if the UK exits the EU without a deal, then with effect from 30 March 2019 the UK will be regarded as a “third country” for the purposes of the GDPR and any transfers of personal data from the EU to the UK from that point. The UK will in effect be treated in the same way as other “third countries” (such as India and the US) from that date.
This post summarises the impact of the EDPB’s note and outlines the practical implications and steps which UK businesses may want to consider. In the discussion below, we refer to transfers into and out of the European Economic Area (EEA) rather than the EU because the EEA countries have adopted the GDPR, and the position relating to data transfers will be the same in respect of the three additional EEA countries, as for the core EU countries. Readers may also find it useful to review our previous blog post on the data protection implications of a deal/no deal Brexit which contains our GDPR Brexit flowchart.
Transfers from an EEA controller to a UK controller/processor
In the case of transfers from an EEA controller to a UK controller or processor this can readily be managed by adopting the relevant Standard Contractual Clauses approved by the EC (“SCC”) or intra-group data transfer agreements which incorporate the SCC (“IGDTA”) (in the case of inter-affiliate transfers, for example between EU and UK HR teams).
Given the high chance of a no deal, it would be prudent for organisations which are reliant on these data flows to take action now to start to adopt the SCCs / check their IGDTAs in relation to these transfers. The repapering exercise is relatively straightforward as the SCCs cannot be amended.
Data importers in the UK may also want to look at the resources published by the ICO which include downloadable copies of the relevant SCCs.
Transfers from an EEA processor to a UK controller or sub-processor
Addressing transfers from an EEA processor to a UK controller or sub-processor presents more of a challenge as the European Commission has not approved SCCs which cover these types of transfers. There is the possibility (at least in theory) that a local regulator could raise a legal challenge against an EEA-based processor which continues to process data in relation to UK controllers post-Brexit, holding that the on-going transfer of data back into the UK is invalid and must cease. In our view, this risk seems low given the high adverse impact such a ruling would have on trust in the EU digital marketplace and on EU – UK trade relations, but it cannot be ruled out in the current political climate.
Whilst the risk may be low and, as we understand it, the EDPB is working hard to find a resolution, UK controllers need to be aware of the issue until a solution is forthcoming, given the potentially material impact on continuity of supply if a regulator were to restrict transfers into the UK from EEA processors. At the present time the only 100 percent safe workaround is to retain / repatriate data to the UK (or another non-EEA jurisdiction), which will be costly and potentially technically difficult and is therefore unlikely to be a viable option in most cases. We would expect that the majority of UK controllers in this position will choose to leave data flows as they are currently and “watch this space”, ensuring that leadership and Brexit planning committees are aware and continuing to monitor on-going developments.
Transfers from the UK to the EEA
In the case of transfers from the UK to the EEA there is no immediate risk issue as the UK has taken a unilateral position that it will recognise data transfers to the EEA as adequate for the foreseeable future. UK controllers which are exporting to controllers/processors in the EEA do not therefore need to take any additional steps at present.
The full EDPB information note is available here.