Brexit and the Data Protection implications in the UK


A GDPR & Data Protection Advisory Note.

Published: 26/09/2019 Last updated: 22/09/2020

Terminology

GDPR – General Data Protection Regulation
DPA – Data Protection Act 2018
ICO – Information Commissioner’s Office
EU – European Union
EEA – European Economic Area
EC – European Commission

IN SUMMARY

One of the central aims of the GDPR is to facilitate the free flow of personal data between all countries in the EEA. In practice this means that, currently, personal data can be transferred between organisations in the UK and the EEA without any specific transfer mechanism or additional safeguards needing to be put in place.

However, a ‘no-deal’ Brexit will mean that the principle of the free flow of personal data no longer applies to the UK, which will then be in the same position as virtually any other country outside the EEA.

IN DETAIL

THE PRESENT POSITION

Personal data can flow freely between organisations in the UK and the EEA without any specific measures. That is because there is a common set of rules governing the collection and use of personal data, the GDPR. In addition, the UK has its own supplementary legislation, the DPA.

The GDPR and DPA restrict transfers of personal data outside the EEA, i.e. to ‘third countries’. This means that such transfers (which the ICO refers to as ‘restricted transfers’) can only take place in certain circumstances.

Those circumstances are where:

  • there is an ‘adequacy decision’;
  • ‘appropriate safeguards’ are put in place;
  • a derogation applies.

An adequacy decision is a finding by the EC that a country, although outside the EEA, protects personal data to a standard essentially equivalent to that of the EU, so that personal data can be sent there without any further safeguards.

Appropriate safeguards ensure that both the sender and the receiver of the transfer are legally required to protect the personal data. The most common safeguard is a contractual one: a set of EC-approved Standard (or Model) Contractual Clauses written into the contract between the sender and the receiver. Binding Corporate Rules, which cover transfers within a single corporate group, are another.

The derogations (for example, the individual’s explicit consent to the transfer, or a transfer that is necessary to perform a contract with the individual) are of practical use only in limited, usually one-off situations. They are unsuitable as a basis for the regular, systematic transfer of personal data between organisations.

AFTER 31st DECEMBER 2020 – IF A DEAL IS MADE

If a deal is made, it is expected that, as part of that deal, the UK would be treated as if there had been a full finding of ‘adequacy’. In practice this would mean that personal data transfers could continue and the position would, for all intents and purposes, be the same as it is now.

AFTER 31st DECEMBER 2020 – IF THERE IS NO DEAL MADE

1. Data flows UK to EEA

In terms of data protection, the GDPR will become domestic law, to be known as the ‘UK GDPR’. The DPA will also remain in place. In addition, the UK has introduced the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, under which the UK will continue to treat the EEA countries as adequate for transfers out of the UK. Together, these measures mean that in a no-deal situation there will be no change as regards data flows from the UK to the EEA.

2. Data flows EEA to UK

The UK would be in the same position as any other country outside the EEA. This means that any organisations established in the EEA would not be able to send personal data to the UK, except in the circumstances provided for by the GDPR (see above).

Therefore, to continue to receive personal data from organisations established in the EEA, organisations based in the UK should engage with their EEA counterparts to consider carefully which alternative transfer mechanism will maintain the data flows, and to identify a legal basis for the transfers.

The most relevant alternative mechanism will be Standard Contractual Clauses. These are model data protection clauses approved by the EC which, when embedded unchanged in a contract between the EEA sender and the UK receiver, provide the ‘appropriate safeguards’ that allow the transfer to go ahead. The clauses contain contractual obligations for both parties, as well as rights for the individuals whose personal data is transferred. They are the mechanism most likely to be relevant to small and medium sized organisations. Note that, following the Court of Justice of the EU’s Schrems II judgment of July 2020, parties relying on Standard Contractual Clauses must also assess whether the law of the receiving country undermines the protection the clauses provide, and put supplementary measures in place where it does.

However, this may be difficult where an EU/EEA-based data processor sends personal data to the UK. This is because there is currently no EC-approved set of Standard Contractual Clauses for use by an EU/EEA-based data processor when sending data to a data controller in a third country.

FAQs

Q: We are a UK based organisation which transfers personal data to a country inside the EEA. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: Yes. There will be no change as regards data flows from the UK.

Q: We are a UK based organisation which transfers personal data to a country outside the EEA. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: Yes. There will be no change as regards data flows from the UK.

Q: We are a UK based organisation which receives personal data from another country inside the EEA. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: No, unless alternative transfer mechanisms have been put in place, e.g. Standard Contractual Clauses.

Q: We are a UK based organisation which receives personal data from another country outside the EEA. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: Yes. There will be no change as regards data flows to the UK from outside the EEA.

Q: We are an EEA based organisation which transfers personal data to organisations in the UK. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: No, unless alternative transfer mechanisms have been put in place, e.g. Standard Contractual Clauses.

Q: We are an EEA based organisation with an office in the UK. Will we be able to continue to transfer personal data to that office?

A: No, unless alternative transfer mechanisms have been put in place, e.g. Standard Contractual Clauses.

Q: We are a non-EEA based organisation which transfers personal data to the UK. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: Yes. There will be no change as regards data flows to the UK from outside the EEA.

RECOMMENDATIONS AND ACTIONS

If you are concerned that your organisation may be affected by a ‘no-deal’ Brexit, make sure you know and understand the situations in which you receive personal data from outside the UK:

  1. Identify all organisations based outside the UK from which your organisation receives, or to which your organisation sends, personal data.
  2. Divide these into two categories
    • EEA
    • Rest of World
  3. For organisations in the EEA
    • Identify those from which personal data is received
    • Contact them to agree which alternative transfer mechanism, such as Standard Contractual Clauses, will be put in place so that the transfers can continue after 31st December 2020.
  4. For organisations in the Rest of World, no action is needed on Brexit grounds: the existing transfer mechanisms continue to apply in both directions.

DISCLAIMER

This note, which is based on various sources including the ICO, is for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such.

If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.

Further reading:

A tale of two GDPRs: the data protection implications of Brexit

Brexit – the countdown to 1st January 2021

UK on the brink of post-Brexit data protection divorce?