By Grace Kim and Ezra Steinhardt
On September 13, 2018, the UK government published a series of technical notices on how to prepare for a scenario in which the UK leaves the EU without agreement on March 29, 2019 (“no-deal Brexit”). The government stressed that a no-deal Brexit “remains unlikely given the mutual interests of the UK and the EU in securing a negotiated outcome,” but that “it’s our duty as a responsible government to prepare for all eventualities.” One of the notices, “Data protection if there’s no Brexit deal,” sets out the UK government’s position on data flows between the UK and EU and recommends actions that organizations should take to help ensure the continued flow of personal data from the EU to the UK if no agreement is reached.
Data privacy standards in the UK to remain the same
In the event of a no-deal Brexit, the technical notice is clear that the UK will maintain the same data protection standards as exist today. This is because the General Data Protection Regulation (“GDPR”) currently applies in the UK (as it remains, for now, an EU Member State), and, at the point of a no-deal Brexit, the UK would incorporate the GDPR into UK law. The GDPR rules — now and following Brexit — are supplemented by the UK Data Protection Act 2018, which sets out how certain aspects of the GDPR apply in the UK (e.g., in relation to children’s data).
Transfers of data from the UK to the EU
The GDPR prohibits the flow of personal data from the EU to recipients outside of the EU, unless certain conditions are met. Incorporating the GDPR into UK law would therefore appear to establish a similar broad prohibition on transferring data from the UK. The notice explains that the UK would, “at the point of exit,” ensure that organizations could still freely send personal data to the EU “in recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes.” The mechanism underpinning this transfer is not spelled out, but would appear to take the form of an adequacy determination made by the UK government. As such, data would continue to flow legally from the UK to the EU without organizations needing to take any further measures. The notice states that the UK would keep this arrangement “under review.”
Transfers of data from the EU to the UK
The situation regarding data flows from the EU into the UK, however, is not so straightforward, as the UK would become a “third country” at the point of a no-deal Brexit. EU organizations would need to explore the options available to them under the GDPR, as they do today with third countries, for transferring data to the UK. One mechanism that enables transfers from the EU is an adequacy decision. The European Commission has deemed a limited number of countries, such as Argentina and Switzerland, to provide “adequate” protections for personal data. In the technical notice, the UK government signals its desire to be found adequate by the Commission even in the event of a no-deal Brexit. However, the government also notes the Commission’s position, which is that an adequacy decision cannot be taken until the UK is officially a “third country” outside of the EU. Historically, adequacy determinations have required considerable time, sometimes spanning months or years.
Given that possibility, the notice explains that if the Commission does not make an adequacy decision regarding the UK at the time of Brexit, organizations should turn to an alternative transfer mechanism to enable flows of personal data from the EU to the UK. The notice suggests that the most relevant basis for most organizations would be the so-called Standard Contractual Clauses, a series of contractual agreements that the Commission has deemed to offer adequate protections for any data transferred using them.
Organizations will need to consider and keep under review what data they transfer from the remaining 27 Member States of the EU to the UK, and what mechanism they may use in the event of a no-deal Brexit and the UK not being deemed adequate for a period of time, i.e., appropriate safeguards such as Standard Contractual Clauses, binding corporate rules, or statutory derogations.