The European Data Protection Board (“EDPB”) has issued guidance on personal data transfers from the EEA to the UK in the event of a No-Deal Brexit.
The General Data Protection Regulation (GDPR) currently allows a two-way free flow of personal data between the EEA and the UK. This will change in the event of a No-Deal Brexit as without a deal, on 30 March 2019, the UK will become a "third country" for the purposes of transfers from the EEA to the UK.
By "No-Deal Brexit" we mean that the UK ceases to be a member of the EU, without any specific withdrawal agreement, extension of the time period for notice of intention to leave or withdrawal of such notice.
The EDPB guidance suggests that organisations should consider the following 5 actions:
- Identify what processing activities will involve a personal data transfer from the EEA to the UK.
- Determine the appropriate data transfer mechanism (see below).
- Implement the chosen data transfer mechanism to be ready by 30 March 2019.
- Indicate in internal policies that transfers will be made from the EEA to the UK.
- Update the privacy notice to inform individuals.
Data transfer mechanisms
The following data transfer mechanisms are suggested in the EDPB guidance note:
- Standard Contractual Clauses ("SCCs"). These are standard form contracts adopted by the European Commission for controller-to-controller and controller-to-processor transfers, and available on the Commission's website.
- Binding Corporate Rules ("BCRs"). These are legally binding data protection rules which can be used by a group company for data transfers within the group, including transfers outside of the EEA. BCRs must be approved by competent national supervisory authorities. The EDPB has also produced some guidance on BCRs and No-Deal Brexit.
- Code of conduct and certification mechanisms. Approved certification mechanisms and codes of conduct, together with binding and enforceable commitments of the controller or processor in the third country. These are new mechanisms introduced by the GDPR, and currently not yet available in practice.
- Derogations. In the absence of appropriate safeguards, a transfer or a set of transfers may still take place on the basis of so-called "derogations" under Article 49 of the GDPR. These allow transfers in certain (limited) circumstances, for example where the transfer is based on explicit consent or is necessary for the performance of a contract, for the exercise of legal claims or for important reasons of public interest. The EDPB guidance confirms that the derogations must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive.
What should organisations transferring data from the EU to the UK do now?
Organisations should review their existing data transfer arrangements and data flows to the UK and, if necessary, put GDPR safeguards in place to ensure EEA-UK data flows can continue after a No-Deal Brexit.
Where a UK organisation receives personal data from the EEA, the sender will generally need to comply with the GDPR transfer requirements and ensure there are appropriate safeguards in place, unless an Article 49 derogation is available. In most cases, the SCCs are likely to provide the most suitable solution, though this should be assessed on a case-by-case basis.