Companies should identify data flows, implement a data transfer solution, and update internal documents and privacy notices.
Since our blog on “What a ‘No Deal’ Brexit Means for UK Data Privacy”, the European Data Protection Board (EDPB) has published two information notes on data transfers in the event of a “no deal” Brexit:
- A general note on the various data transfer mechanisms (and exceptions) under the GDPR
- A specific note on the Information Commissioner’s Office (ICO), the UK regulator, as a Lead Supervisory Authority for Binding Corporate Rules
The UK government has also issued a paper titled “Implications for Business and Trade of a no Deal Exit on 29 March 2019,” including a small section on data transfers. The paper states that the government’s primary aim is to ensure that the UK leaves the EU on 29 March 2019 (the Exit Date) with an agreed and approved Withdrawal Agreement and Political Declaration (the Proposed Deal). Of course it is possible that Brexit may be delayed by extending Article 50 to give the UK more negotiating time with the EU.
As discussed in the firm’s most recent blog on this topic, if the UK leaves the EU on the Exit Date with the Proposed Deal then the GDPR will continue to apply in the UK until the end of the transition period, which is currently due to end on 31 December 2020 (but may be extended). As a result, the GDPR Chapter V requirements regarding data flows will continue to apply, although Chapter VII, which sets forth the cooperation and consistency principle, will not. If the UK leaves the EU on the Exit Date without the Proposed Deal (a No Deal Brexit), the UK GDPR (see our previous blog) will come into force, and for the purpose of data transfers, the UK will become a “third country” on the Exit Date. Further, if the Exit Date is extended or delayed, then the status quo would be maintained in the meantime. With regard to data transfers from the UK to any EU/EEA country, the UK government continues to take the position that transfers from the UK to the EU/EEA will continue uninterrupted in the event of a No Deal Brexit, although this will be kept under review (see the UK government’s updated “no deal” data protection guidance of 13 February).
The UK government paper, and the ICO’s most recent blog on Brexit, clarify that an assessment of “adequacy” for the UK will only take place after the UK has left the EU. Elizabeth Denham, the UK’s Information Commissioner, notes on the ICO blog: “Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it won’t happen yet. Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses.” The EDPB’s “Information note on data transfers under the GDPR in the event of a no-deal Brexit” sets out these data transfer solutions, as well as derogations (e.g., performance of a contract), but does not add anything “new” or anything not already anticipated. However, the EDPB’s other note, “Information note on BCRs for companies which have ICO as BCR Lead Supervisory Authority,” provides clarity on the role of the ICO regarding Binding Corporate Rules (BCRs), an intra-group data transfer solution, in the event of a No Deal Brexit. If organizations are: (i) headquartered in the UK and wish to apply for BCRs; (ii) at review stage or awaiting an ICO decision on their pending BCR application; or (iii) already authorized BCR holders by the ICO, the EDPB advises them to identify a Lead Supervisory Authority from an EU Member State according to the criteria set out in section 1.2 of the Article 29 Working Party’s (now EDPB) “Working Document Setting Forth a Co-Operation Procedure for the approval of ‘Binding Corporate Rules’ for controllers and processors under the GDPR” (published on 11 April 2018).
Note that this will require the entity to have at least one establishment in the EU and even then, it may be more challenging to identify the appropriate lead authority given the recent CNIL decision to fine Google (in which the CNIL challenged Google’s assertion that the Irish Data Protection Commission should be Google’s lead authority). Where applicable, the new BCR Lead Supervisory Authority will take over pending and approved BCRs in the event of a No Deal Brexit and so will provide for continuity.
And what about transfers from non-EU/EEA countries to the UK? The Commissioner of Data Protection for the Dubai International Financial Centre (DIFC) announced on 14 March 2019 that the adequacy status of the UK for transfers of personal data outside the DIFC will continue to be recognized by the DIFC Commissioner of Data Protection after the UK leaves the EU. This decision, which was made on the basis of the UK GDPR and will come into effect on the Exit Date, is not hugely surprising given the volume of data flows between the DIFC and the UK.
On 15 March 2019, Japan’s Personal Information Protection Commission also announced that the UK will continue to be deemed adequate for the purpose of data flows from Japan to the UK after the UK leaves the EU. Latham will continue to report on announcements expected in the coming weeks.
The EDPB recommends that organizations regularly consult the UK government website and the ICO website for further updates at EU and UK level. Latham will continue to monitor the UK government and ICO websites, as well as the EDPB’s website. The UK government notes that, in regard to general preparations for a No Deal Brexit, “businesses are at varied levels of readiness” and that the “readiness of small and medium-sized enterprises in particular is low.”
Latham recommends that companies prepare now for a No Deal Brexit by identifying data flows, and if required, implementing a data transfer solution in time for 29 March 2019 (as well as updating internal documents and privacy notice(s)).