The government has published guidance for UK organisations on transfers of personal data in the event of a so-called no-deal Brexit. In particular, the guidance sets out actions for UK organisations to take to enable the continued flow of personal data between the UK and the European Union (EU) in such an event.
While emphasising the fact that a no-deal Brexit is “unlikely”, the guidance notes that it is important to prepare for all eventualities.
The guidance forms part of the government’s series of notices on a no-deal Brexit, aimed at businesses and citizens.
The current position
The UK has a comprehensive data protection framework, consisting of the Data Protection Act 2018, which is a UK-specific law, and the General Data Protection Regulation (GDPR), which applies across the EU Member States.
The GDPR does not restrict transfers of personal data within the EU. Transfers can also be made outside of the EU if there is an appropriate legal basis for doing so.
After Brexit, the UK’s data protection legislation will remain unchanged, since the EU Withdrawal Bill will incorporate the GDPR into UK law.
Transfers of personal data from the UK to the EU will continue without interruption. This is because the UK plans to make an adequacy decision in favour of the EU, based on the degree of alignment between the UK’s and the EU’s data protection laws. The UK will keep this position under review.
However, transfers of personal data from the EU to the UK will be impacted. The guidance suggests that we do not yet know exactly how these transfers will be affected.
The EU may make an adequacy decision in favour of the UK, allowing the free flow of personal data from the EU to the UK. The European Commission has said that such a decision will be made “if it deems the UK’s level of personal data protection essentially equivalent to that of the EU”. It has also said that this decision cannot be made until after Brexit, causing uncertainty for controllers across the EU. There is also no guarantee that an adequacy decision will be made, and no solid timeframe for one.
If the European Commission refuses to make an adequacy decision, or does not make one at the UK’s point of exit, organisations will need to rely on a legal basis for transfers of personal data to the UK. The guidance suggests that standard contractual clauses would be the most relevant legal basis for most organisations, but recommends that proactive consideration is given to what action may be required to enable the continued free flow of data.
The Information Commissioner’s Office
The guidance makes it clear that the Information Commissioner’s Office (ICO) will remain the UK’s independent supervisory authority. The ICO will produce additional guidance for UK organisations on how to continue to meet obligations under data protection law.
The government emphasises that this ICO advice is guidance only, and that organisations should consider obtaining separate professional or legal advice. The guidance is also limited, in that it takes a broad-brush approach to transfers and does not consider sector-specific requirements.
The future is uncertain for the transfer of personal data from the EU to the UK, and this uncertainty will remain until the European Commission completes its adequacy assessment. However, it is at least reassuring to see that the government is recognising and considering these issues ahead of Brexit.