The UK government recently issued guidance on the flow of personal data between the UK and other EU Member States in the event that the UK and the EU fail to reach agreement on the UK’s withdrawal from the EU next March.
The notice, from the UK’s Department for Digital, Culture, Media and Sport, forms part of a series of Brexit guidance notices published by the UK Government on a variety of topics ranging from applying for EU-funded programmes to workplace rights. Whilst it states that negotiations are progressing well, it “sets out information to allow businesses and citizens to understand what they would need to do in a ‘no deal’ scenario, so they can make informed plans and preparations”.
DATA FLOW FROM THE UK TO THE EU
According to the notice, the current practice which sees personal data flow freely from the UK to the EU would continue, even in a no deal scenario. This is because the UK’s Data Protection Act 2018 and European Union Withdrawal Act 2018 incorporate the EU General Data Protection Regulation into UK law. This situation would, it states, continue to be reviewed.
DATA FLOW FROM THE EU TO THE UK
However, changes would occur where personal data are transferred from organisations in the EU to the UK. Two mechanisms to facilitate such transfers are discussed in the notice:
Under existing rules, where the EU makes a decision that a third country, i.e. a country outside of the European Economic Area (EEA), provides an adequate level of data protection, transfers of personal data may be made to that country. The notice states that the UK is endeavouring to enter into discussions with the European Commission regarding an adequacy assessment, which would be made without restrictions if the UK’s level of personal data protection is deemed to be essentially equivalent to that of the EU, but as of yet, no timetable for this has been agreed with the Commission. It goes on to state that the Commission has indicated that the decision on adequacy cannot be taken until the UK is a third country.
Standard contract clauses
Standard contract clauses are identified in the notice as the most relevant alternative legal basis for transferring personal data from the EU to the UK. A series of model data protection clauses are approved by the European Commission and these enable the free flow of personal data when embedded in a contract. The clauses would confer obligations on UK organisations and their EU counterparts when it comes to the transfer of personal data. The notice refers readers to the website of the UK Information Commissioner for more information on the legal basis for such transfers.
This notice is certainly useful in clarifying the legal regime that would apply to transfers of personal data from the UK into the EU and in forewarning organisations of the implications of a no deal scenario for flows of data from the EU into the UK. However, it does not offer much practical assistance to organisations which rely on large or even medium scale data exchanges between the EU and the UK. The use of standard contract clauses, binding corporate rules, certification, codes of conduct and approved ad hoc contractual terms has been identified as “generally resource intensive and unsuitable to set up a broad framework for data exchanges that can be used to organise compliance transfers of personal data on a large scale, including particularly regarding SMEs”. These comments are made in a recently published study commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs on the available mechanisms for personal data transfers between the EU and the UK after Brexit. The study also finds that an affirmative adequacy finding for the UK would be insufficient to allow a continuation of current information flows. Instead, it identifies a need for a bespoke instrument that establishes an initial standstill period that allows the EU and the UK to continue personal data exchanges on a provisional basis, taking into account that the UK’s data protection law is already substantially aligned to EU data protection law and policies. The bespoke agreement would, amongst other things, allow the UK to participate in internal market data transfers and in security and law enforcement initiatives. (Interestingly, the notice does not consider sector-specific requirements, for example in relation to processing personal data for law enforcement purposes.)
Despite this guidance notice, organisations may find themselves under considerable pressure, in terms of time and resources, to prepare for personal data transfers in the event of a no deal Brexit scenario on 29 March 2019.