The European Commission has issued a notice explaining some of the legal ramifications of Brexit on transfers of personal data from the EU to the UK.
The General Data Protection Regulation (“GDPR”), which will come into force on 25 May 2018, only allows the transfer of personal data to “third countries” in specified circumstances where there is a lesser risk of the transfer undermining the protection afforded by EU law.
The European Commission has issued a notice explaining that for the purposes of the GDPR “third countries” are those countries that are not members of the EU and, as such, the UK will be a “third country” once it leaves the EU. Therefore, the rules on transferring personal data to third countries will apply to the UK (although the terms on which the UK leaves the EU could potentially provide otherwise).
Under the GDPR, subject to certain limited exceptions, personal data can only be transferred out of the EU where:
- the European Commission has determined that the country to which the personal data is being transferred “ensures an adequate level of protection” (an “adequacy decision”),
- prescribed “appropriate safeguards” have been put in place, or
- the individual to whom the personal data relates has given their explicit consent to the transfer (having been informed of the possible risks).
UK aiming for adequacy decision
The UK Information Commissioner and the UK government have made clear that the UK will be aiming to be the subject of an adequacy decision. This would facilitate the free transfer of personal data between the UK and the rest of the EU post-Brexit and would be less onerous on businesses than other mechanisms for legitimising data exports to the UK. Under the GDPR, for an adequacy decision to be made, the protection in the third country must be “essentially equivalent” to the level of protection in the EU.
The UK will still be a member of the EU when the GDPR comes into force, and the UK’s data protection framework will continue to be aligned with that of the EU after Brexit, as the GDPR will be transposed into UK law by the European Union (Withdrawal) Bill (once enacted). It therefore seems likely that the UK will meet the level of protection required to be the subject of an adequacy decision. The UK government has declared its intention for this issue to be resolved in advance of the UK’s withdrawal in order to provide businesses with regulatory certainty.
The indications from the UK government to date suggest that maintenance of data flows between the EU and the UK is on the government’s agenda for Brexit negotiations. However, depending on how negotiations progress during the course of the year, it may be appropriate for businesses to consider putting in place other mechanisms to validate their data transfers from the EU to the UK.
Existing mechanisms for international data transfers which will be retained under the GDPR are:
- European Commission-approved standard contractual clauses that can be incorporated into contracts between data exporters and data importers;
- binding corporate rules which are agreed with data protection authorities and legitimise intra-group data transfers; and
- obtaining the consent of the relevant data subjects (although the GDPR will make it more difficult for businesses to rely on consent).
In addition, the GDPR will enable trade bodies to agree codes of conduct with data protection authorities. Data transfers between entities bound to adhere to the applicable code of conduct will be deemed to be subject to “appropriate safeguards”, as will transfers between entities that have agreed to adhere to a Commission-approved certification mechanism.
The European Commission’s recent notice serves as a reminder of the potential implications of Brexit on EU-UK data flows. Whilst a finding that the UK provides an adequate level of protection would facilitate a more open flow of personal data between the EU and the UK, other mechanisms are available. Businesses should keep abreast of developments in negotiations on this front and be ready to put in place appropriate safeguards should an adequacy decision not be made before the UK’s withdrawal. We will be tracking the progress of Brexit negotiations, including in connection with data protection, and anticipate providing a further update on EU-UK data transfers towards the end of the year as matters develop.