Update: 6 February 2020
- During the transition period, the General Data Protection Regulation (GDPR) continues to apply to the UK and the ICO will continue to act as the lead supervisory authority.
- Without an adequacy decision, the UK becomes a third country. For international transfers of personal data, this means that organisations will need to include safeguards, such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR). Only in rare cases can organisations rely on a derogation.
- Organisations may also need to update their privacy-related documentation and designate another data protection authority for cross-border data processing activities after the end of the transition period.
- Organisations that process personal data in the UK should continue to follow the current ICO guidance.
Many organisations depend on the unrestricted flow of personal data for their day-to-day activities and have a significant interest in ensuring that such data flows can continue after Brexit. Currently, as the UK is still part of the EU/EEA, personal data flows between the EU/EEA and the UK are unrestricted. During the transition period (until 31 December 2020, although this could be extended), personal data can also continue to flow freely.
Data protection actions
In view of Brexit, organisations should consider various actions from a data protection perspective, including:
- Privacy documentation: Organisations may need to update their privacy-related documentation and agreements, including references to the EU/EEA and the UK, references to relevant privacy legislation and the associated terminology.
- International data transfers: Organisations should map any transfers of personal data between the EU/EEA and the UK (and vice versa).
- Data breach reporting: If a data breach affects data subjects in both the EU/EEA and the UK, the data controller will need to report this cross-border data breach to the relevant data protection authorities in both the EU and the UK. This could lead to fines being imposed by both the EU data protection authorities and the ICO.
- One-stop-shop principle: Companies that appointed the ICO as their lead authority for cross-border data processing activities under the GDPR need to designate another EU data protection authority.
The EU will mainly use the transition period to assess whether the UK's data protection practices are essentially equivalent to those of the EU and will endeavour to adopt an "adequacy decision" in order to ensure the continued free flow of personal data after the transition period. The UK has a head start given that it has implemented the GDPR, but the result of the adequacy assessment is not a foregone conclusion. The EU will need to look at all aspects of UK data privacy protection, including the rule of law and the access that public authorities, such as intelligence agencies, have to personal data. Meanwhile, the UK will incorporate the GDPR into UK law, with references to EU bodies and legislation replaced by references to the appropriate UK bodies and incorporated legislation.
If an adequacy decision is not adopted before the end of the transition period, the UK will qualify as a third country under the GDPR. As a result, organisations that want to (continue to) transfer personal data from the EEA to the UK will have to adopt additional safeguards for the transfer of personal data. The GDPR provides two solutions for such a data transfer: the use of Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR). Only in limited cases can a derogation be applied.
BCR are data protection policies adhered to by organisations established in the EU for the transfer of personal data outside the EU within a group of undertakings. For personal data exchanges outside the organisation, the use of SCC is required. The SCC are drafted and approved by the European Commission and can be added to data processing agreements. It is, however, important to note that the SCC are currently under review in a case pending before the Court of Justice of the European Union.
Although the adoption of an adequacy decision for the transfer of personal data between the UK and the EU is the most widely anticipated scenario, a Brexit without an adequacy decision cannot be ruled out. To ensure the continuous flow of personal data from the EEA to the UK, we recommend that organisations prepare, in good time, a strategy for a Brexit scenario in which no adequacy decision is adopted.
Please also see the articles on the impact of Brexit in other practice areas. For a more detailed analysis of the impact of Brexit on your business, please do not hesitate to contact any of our experts.