The impact of ‘Brexit’ on Data Transfers
With just over six months to go until the UK exits the European Union, the Government has started to issue guidance on what will happen if there is ‘no deal’ by the 29th March 2019.
As we all know, the current data transfer rules are set out at European level in the General Data Protection Regulations (GDPR) which came into force on 25th May 2018. Under the current rules, transfers within the EEA are permitted BUT, on 29th March 2019 the UK will become a ‘third country’ for the purpose of the applicable legislation.
So, what does this mean?
The Data Protection Act 2018 will remain in force and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside the domestic legislation.
The Government has recognised the ‘unprecedented degree of alignment’ between the UK and EU data protection regimes and has confirmed that at the point of exit they will allow the free flow of personal data from UK to the EU (this will be kept under review).
These transfers become more complicated as the UK will be deemed a ‘third country’. Under the GDPR, transfers to a ‘third country’ can only take place in defined circumstances –
There is an ‘adequacy decision’ in place; or
There are appropriate safeguards in place.
Adequacy decisions are currently in place for Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The adequacy finding for Canada only covers data subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the finding for the US is for transfers covered by the EU-US Privacy Shield Framework (currently subject to challenge by the EU Commission).
Appropriate safeguards are –
A legally binding and enforceable instrument between public authorities or bodies;
Binding corporate rules (BCRs);
Standard data protection clauses adopted by the Commission;
Standard data protection clauses adopted by a supervisory authority and approved by the Commission;
An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA;
Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA;
Contractual clauses authorised by a supervisory authority.
So, how does this impact me and what do I need to do?
The UK Government has expressed its intention to apply for an adequacy decision but the EU has stated that the process cannot be started until after 29th March 2019 and obtaining a decision can be a lengthy process. This means that EU-UK transfers will need to have appropriate safeguards in place.
If your organisation transfers data from the EU to the UK, or if you are an organisation in the UK that receives data from EU then you should look to implement standard contractual clauses as a matter of urgency – the latest approved version can be found on the EU Commission’s website. It’s important to note that the current version was approved pre-GDPR and should be updated.
UK organisations who offer goods and services to data subjects within the EU will need to appoint a representative within the EU.
You can find out more here –