In the event the United Kingdom leaves the European Union in October 2019 without having concluded a specific agreement as to the matters previously governed by EU law and regulations, businesses should prepare for continuity by taking steps now.
International data flows
One area where the rules will change is in international data transfers. In order to avoid disruption, you should know there are measures you can take ahead of Brexit. If your organization sends personal information from Canada to the EU at the present time, you currently do not need specific additional safeguards to ensure the protection of the data. And if you now send personal information from the EU to Canada, the latter's adequacy status (as applied only to the Protection of Personal Information and Electronic Documents Act) means information flows as if it was within the EU.
However, once the UK leaves the EU without special arrangements, it becomes a third country for data protection purposes, until and if the EU eventually judges it to be adequate in the protection it affords to personal information. So personal information can no longer circulate between Canada (partially adequate), the continental EU and the broader European Economic Area (EEA) and the UK in a continuous loop. Data from a business in the EU or the EEA cannot be simply transferred to the same or another business in the UK in the identical manner as before.
Things to do now:
1. Inventory all current data flows in your business. Pinpoint those going from the EEA and the EU to the UK.
2. Identify, given your particular needs, how to support your existing data flows to the UK given that post Brexit the UK will be considered a third country by the EU. What additional safeguards could be attached?
Unless you have binding corporate rules (BCRs) in place throughout your organization (bearing in mind that BCRs can only be used within a group of undertakings) duly approved by the relevant data protection authority, adding standard contractual clauses to the documentation which applies to the data flowing from the EEA and EU to the UK may be the simplest approach. Such clauses are to be found on the website of the European Commission.
3. Alternative solutions to BCRs and standard contractual clauses exist. You can envisage using Codes of Conduct or Certification as approved by data protection authorities within the EU and the EEA.
4. You can also rely on the following options but only for specific situations:
- the consent of the individual;
- the transfer is necessary for the performance of a contract between the individual and the Canadian company;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the individuals.
5. Review your arrangements for a lead supervisory authority. If you have chosen the UK and you do business in the EU and the EEA post-Brexit, you will have to evaluate your activities in the newly configured EU to see where your new lead data protection authority is in order to benefit from the one-stop-shop policy in case of complaints.
6. Make necessary amendments to your Privacy Policy to ensure it will accurately describe what you do with personal information and data flows in your organization post-Brexit.
7. Continue to monitor the post-Brexit situation. No major changes in the UK data protection regime are currently envisaged but it is foreseen that it will adapt over time.
The UK Information Commissioner, Elizabeth Denham, has affirmed that the current data protection law with its GDPR compliant standards will continue to be in force. However, it is very likely that adaptations to it will be made to mirror developments in international data protection standards.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
