Following recent developments in Parliament, the risk that the UK will leave the EU on 31 October 2019 without a deal has now diminished. However, given the Government’s determination to respect the result of 2016’s referendum, it is still important for businesses to prepare for the possibility of leaving the EU without a deal at a future point. If your organisation receives personal data from other countries, in particular the EEA, it is important that you have contingencies in place so that you can continue receiving personal data lawfully. While this note is intended to provide guidance, it does not replace legal advice.
The UK’s data protection regime is currently governed by the EU’s General Data Protection Regulations (GDPR) and the UK’s Data Protection Act 2018 (DPA 2018). If your organisation receives personal data from the EEA you will still need to abide by both GDPR and the DPA 2018 even after Brexit.
GDPR is a common set of regulations that all EEA Member States abide by and it sets a minimum level of protection for the personal data belonging to EEA Citizens. As the UK is currently a member of the EU, there are no restrictions on the flow of personal data and other EEA Member States.
Article 45 of the GDPR states that the European Commission needs to assess the relevant country’s laws to determine whether they are essentially equivalent or “adequate” to that of EU ones. There are currently 13 countries that have adequacy or partial adequacy status. Adequacy talks are ongoing with South Korea.
The UK has announced that it will allow the flow of personal data to the EEA regardless of a deal being in place and will recognise existing European Commission data adequacy decisions. However, the EU has not yet made a similar commitment towards the UK. This is because on leaving the EU, the UK will become a “third country”. And while the UK remains an EU member, the European Commission will not conduct this assessment. Unfortunately, this means if we leave the EU without a deal we will not have a data adequacy decision in place to facilitate the free flow of personal of data from the EEA.
Standard Contractual Clauses
In the absence of an adequacy decision, GDPR states that personal data can be transferred to a third country or an international organisation if there are appropriate safeguards. There are a number of recognised safeguards, but most appropriate to businesses are the implementation of Standard Contractual Clauses (SCCs). SCCs are a standard set of contractual terms and conditions for the transfer of personal data which both the data exporter and the data importer enter into. They include contractual obligations which help to protect personal data when it leaves the EEA and ensure compliance with GDPR. SCCs only relate to the transfer of personal data, so they can be incorporated into a wider contract that covers other business terms. One of the key benefits of using these SCCs is that they are approved by the European Commission.
The Information Commissioner’s Office (ICO) has developed a tool for small and medium-sized businesses and organisations to help them decide if SCCs are appropriate and to select the right one. You can incorporate SCCs into a wider contract but you cannot amend the SCCs themselves, or they will no longer be authorised by the European Commission or relevant Data Protection Authority.
If you are using the SCCs as standalone contracts then you should not modify the clauses as the contract will no longer be authorised by the European Commission or relevant Data Protection Authority.
Binding Corporate Rules
If you are a multinational operating in the UK and in one or more EEA country, then Binding Corporate Rules are required to transfer personal data between the different parts of the Group located in the UK and the EEA.
US Privacy Shield
If you send data to a US Privacy Shield organisation, the Privacy Shield participant will need to update their public commitment to specifically reference the UK, in addition to the EU. There is further information on the US government’s Privacy Shield website.
In addition, the ICO has published guidance for organisations about international data transfers.
Data Protection Lead Authority
If the ICO is your lead Data Protection Authority, you may need to review your operations to assess whether you can still have a lead authority and benefit from the one-stop-shop following Brexit.
Appointing a Data Representative.
If you are a data controller or processor that is subject to GDPR but not established in the EEA – as will be the case when the UK leaves the EU – you have an obligation to designate a data representative based in the EEA. This representative will be the go-to person to deal with individuals and DPAs in the EEA.
The UK plans to oblige non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale.
Regularly check the GOV.UK website for updates. The ICO has a page dedicated to Brexit that covers the implications for data protection and data transfers in more detail and its SCC tool provides template contracts. If you need more information about your obligations and what you need to do to comply, we recommend seeking legal advice.
In the meantime, if you have any further questions, please email firstname.lastname@example.org.