As the end of the Brexit transition period on 31 December 2020 (the "Transition End Date") draws closer and political uncertainty continues around the outcome of negotiations between the EU and the UK, organisations must now consider the implications of a potential 'No-Deal' Brexit scenario on their business activities, including on transfers of personal data from within the EU to the UK.
Potential Outcomes of Brexit Negotiations
On 6 July 2020, the European Commission issued a notice which sets out the position relating to transfers of data from the EU to the UK after the Transition End Date (the "Notice").
The Notice acknowledges that while negotiations between the EU and UK may result in an agreement being reached as to how flows of data from the EU to the UK will be governed, there is a clear possibility that no such agreement will be reached.
In a 'No-Deal' Brexit scenario, the UK will leave the EU/EEA without having agreed an arrangement for the continued transfer of personal data from the EU to the UK. In such circumstances, the UK will be treated in the same way as any other 'third country' without an adequacy decision (i.e. a determination that a non-EU country has an adequate level of personal data protection).
The Irish government has also noted in a recent publication the importance for businesses of ensuring that sufficient protections are in place so that transfers of personal data can continue after the transition period and has advised businesses to review their existing processes and contracts to assess whether they involve data transfers to the UK.
The national competent authority for matters relating to data protection in the UK, the Information Commissioner's Office (the "ICO"), has noted that the UK government has said that it intends to incorporate the General Data Protection Regulation ("GDPR") into UK data protection law from the Transition End Date. Therefore, while the GDPR will not technically apply in the UK after the Transition End Date, initially at least, there may be very little change under UK law to the core data protection principles, rights and obligations found in the GDPR.
Existing Flows of Personal Data
Notwithstanding the impact on future flows of personal data, Article 71 of the Withdrawal Agreement states that legacy personal data (i.e. personal data transferred to the UK before the end of the transition phase) may continue to be processed by UK companies in accordance with the GDPR beyond the Transition End Date.
While this safety net may provide some comfort in the short term, this may not provide sufficient protection in the long term if the UK's data protection laws were to diverge from the applicable EU standards under the GDPR.
Impact of a 'No-Deal' Brexit Scenario
The impact of a 'No-Deal' Brexit would be that an EU-based data controller or data processor intending to transfer personal data to the UK would need to utilise a mechanism providing specific safeguards to ensure an adequate level of protection for that data.
The Notice identifies certain "appropriate safeguards" relevant to transfers between the EU and UK going forward, including:
- standard data protection contractual clauses ("SCCs");
- binding corporate rules ("BCRs"); and
- a European Commission adequacy decision.
Standard Contractual Clauses
SCCs are a standard set of contractual terms approved by the European Commission used by organisations seeking to lawfully transfer personal data from a country in the EU to a country outside the EU (which is not subject to an adequacy decision of the European Commission).
At present, SCCs are one of the most widely used transfer mechanisms for transfers of personal data from within the EU to third countries. SCCs may be put in place either as a standalone agreement or by incorporating the clauses into existing agreements.
While the validity of SCCs has recently been affirmed by the European Court of Justice ("ECJ") in the 'Schrems II' case, their use going forward may not be straightforward and may be subject to certain preconditions and ongoing obligations. The ECJ found that organisations using SCCs are now required to assess whether or not the country to which personal data is being transferred provides an adequate level of data protection. Based on the outcome of that assessment, additional safeguards may need to be put in place. The European Data Protection Board is expected to issue guidance in the coming months to assist parties in determining whether additional safeguards are required.
This will equally apply to SCCs being used for transfers of personal data to the UK. In the months after the Transition End Date, this exercise may be simplified should the UK government incorporate the GDPR into UK law, as has been indicated.
Binding Corporate Rules
BCRs are legally binding data protection policies adhered to by companies operating within a multinational group which apply to transfers of personal data from the group's EEA entities to the group's non-EEA entities. National competent supervisory authorities approve the BCRs for use by multinational organisations.
The Notice states that BCRs approved by the ICO may no longer provide appropriate safeguards after the Transition End Date, unless steps are taken by the organisations that use them to either seek new approval from a competent authority of an EU member state or designate a group entity and a competent authority within the EU as the parties responsible for the ongoing oversight of the BCRs.
Adequacy Decision
The European Commission has previously issued adequacy decisions in respect of a number of countries. The procedure for the issuance of an adequacy decision involves a number of procedural steps. Furthermore, once an adequacy decision has been issued, the country that is the subject of the decision remains subject to ongoing scrutiny by the European Commission to ensure that its data protection regime continues to be adequate.
While it is possible that an adequacy decision might be reached in respect of the UK in the future, based on the current status of negotiations, it is unlikely that any agreement would be concluded by the Transition End Date.
- Organisations should review their data flows to assess the extent to which they engage in the transfer of personal data to UK-based companies and carry out a mapping of any such transfers. Understanding the extent to which an organisation's business is impacted by a potential interruption to the transfer of personal data to the UK is crucial to developing an appropriate response.
- Once the extent and nature of personal data transfers to the UK has been determined, organisations should identify the "appropriate safeguard" most suitable to their needs.
- Where necessary, current data transfer arrangements should be discussed with UK-based data controllers/data processors to determine whether any changes are required as regards the relevant transfer mechanism.
- Where it is intended to use SCCs, organisations should carry out an assessment to verify, prior to any transfer, whether the level of protection of personal data in the third country to which personal data is being transferred is "essentially equivalent" to the level of protection in the EU.
- Organisations currently using BCRs that were approved by the ICO must consider the impact of Brexit on their BCRs and take the necessary steps to permit their continued use.
- In circumstances where new or revised transfer mechanisms are required to be implemented, organisations should, in the absence of an adequacy decision being agreed, arrange for this mechanism to be put in place before the Transition End Date.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.