The Situation: The UK Parliament has not approved the draft Brexit Withdrawal Agreement and Political Declaration on the future relationship of the European Union and United Kingdom. The next steps in the Brexit process are uncertain.
The Result: Businesses need to consider how a "no deal" Brexit would affect any data transfers that they make between the EU 27 and the United Kingdom.
Looking Ahead: Companies should consider taking provisional steps to mitigate any impact to their data transfers if there is a "no deal" Brexit. They may also need to appoint data protection representatives in the United Kingdom and/or the European Union.
Whether or not the Withdrawal Agreement is approved, after Brexit, the European Union will treat the United Kingdom as a "third country". The General Data Protection Regulation ("GDPR") prevents EU entities from transferring personal data to third countries unless the EU Commission has granted an "adequacy decision" (establishing that the data protection regime of the destination is "essentially equivalent" to that of the European Union), the parties use an approved data transfer mechanism or an exception in the GDPR applies.
The United Kingdom's position on data protection is to maintain a close alignment with EU data protection laws and seek an adequacy decision to avoid disruption to data flows. This is consistent with the Political Declaration which says that the European Union will "endeavour" to adopt an adequacy decision by the end of 2020 and the United Kingdom agrees to take steps to facilitate the flow of personal data to the European Union.
However, an adequacy decision will only apply as part of an agreed Brexit and not as part of a "no deal" Brexit. The EU Commission has said that EU companies making transfers of personal data to the United Kingdom after a "no deal" Brexit must rely on the available transfer mechanisms under the GDPR. The United Kingdom has said that UK companies could continue to be able to send personal data to the EU 27 after a "no deal" Brexit given the close alignment of data protection rules, but that this will be kept under review.
If there is a "no deal" Brexit, companies transferring personal data from the EU 27 to the United Kingdom will need to use one of the approved transfer mechanisms to cover the period until an adequacy decision. The most practical approved transfer mechanism will often be to use a data transfer agreement including the EU standard contractual clauses. Other approved transfer mechanisms include the less-common "binding corporate rules" or "administrative arrangements".
Businesses that currently consolidate personal data from multiple jurisdictions across the European Union before transferring it to another country (such as the United States), should consider whether they should deal with UK data separately if there is a "no deal" Brexit. Businesses should also consider whether the United Kingdom's status as a "third country" will require them to update any notices they have issued to data subjects under the GDPR.
The GDPR has extraterritorial scope and applies to non-EU based companies that sell into or monitor individuals in the European Union. These companies, which post-Brexit will include UK companies, must appoint an EU representative unless the processing is occasional, does not include large scale special categories of personal data and is low risk. Post-Brexit it is expected that the United Kingdom will apply an equivalent provision for non-UK companies, including EU companies, that sell into or monitor individuals in the United Kingdom. Businesses should assess if either requirement applies to them.
Three Key Takeaways
- Given the uncertainty as to the final form of Brexit, businesses should assess their transfers of personal data between the EU 27 and the United Kingdom.
- Companies should consider implementing data transfer agreements based on the EU standard contractual clauses to ensure that these transfers are not disrupted by a "no deal" Brexit.
- Companies should consider if they need to appoint a UK and/or an EU representative and whether they need to update their GDPR notices to data subjects.