On 12 February 2019, the European Data Protection Board (“EDPB”) published an information note on data transfers under the General Data Protection Regulation (“GDPR”) in the event of a no-deal Brexit.
In its information note, the EDPB stated that, in the absence of an agreement between the EEA and the UK (no-deal Brexit), the UK will become a ‘third country’ on 30 March 2019.
The EDPB also sets out five steps commercial and public organisations should take when transferring data to the UK:
- Identify what processing activities will imply a personal data transfer to the UK. This will not necessarily apply simply because a contracting party is based in the UK, but will apply, for example, if a company grants access to personal data to a contracting party located in the UK.
- Determine the appropriate data transfer instrument for its situation (see below).
- Implement the chosen data transfer instrument by 30 March 2019.
- Indicate in its internal documentation that transfers will be made to the UK (for example, in internal privacy policies and notices).
Determine the appropriate data transfer instrument for its situation
The European Commission has adopted adequacy decisions on third countries in the past. In essence, such a decision confirms that the transfer of personal data to the third country ensures an adequate level of protection, and that such a transfer shall not require any specific authorisation. There is currently no such adequacy decision in place for the UK, as the UK is still a member of the EU. In the absence of an adequacy decision, and to afford data subjects (individuals) the same level of protection under the GDPR, in the event of a no-deal Brexit the transfer of personal data to the UK must be based on one of the following instruments:
- Standard or ad hoc Data Protection Clauses. Considering the short time between publishing its information note and the 30 March 2019 deadline, the EDPB acknowledges that the Standard Clauses are a ready-to-use instrument. There are currently three sets of Standard Data Protection Clauses available. These may not be amended and must be signed by all parties as provided. Any modifications to the Standard Clauses will be considered as ad-hoc clauses and must be authorised by the relevant national supervisory authority, following an opinion of the EDPB, prior to any transfer. For many businesses this may prove to be the best option, at least in the short term.
- Binding Corporate Rules (“BCRs”). The EDPB has published a separate information note on BCRs for companies which have the ICO as BCR Lead Supervisory Authority: see [No-deal Brexit: Binding Corporate Rules and the ICO] for further information.
- Codes of Conduct and Certification Mechanisms.
- Derogations. These can only be used in the absence of Standard or ad-hoc Data Protection Clauses or other alternative appropriate safeguards.
According to the UK Government, the current practice, which allows personal data to flow freely from the UK to the EEA, will continue in the event of a no-deal Brexit. However, this is subject to change as Brexit negotiations continue. In any event, any business which receives data transfers from another country situated within the EU should consider its options urgently in case a no-deal Brexit becomes a reality.