Time is running out. If the deadline is not extended, the UK will leave the EU on 29 March 2019, with or without a deal. For many organizations it is unclear what the effects of Brexit will be on the protection of personal data processed in the UK. What are the implications for transferring personal data to the UK? The implications of transferring personal data will depend on whether or not a deal is reached by the end of March.
If the British leave with a deal, then the GDPR will remain in force until the end of 2020. This means that, until then, nothing will change with regard to the transfer of personal data to the UK.
However, given the current circumstances, the chance of a no-deal scenario continues to grow and becomes more likely every day. It is therefore vital to start preparing for a no-deal Brexit now.
A no-deal Brexit will have a major impact on the transfer of personal data to the UK – regardless of whether the transfer is for instance to the UK branch of a multinational or a British cloud provider. In the event of a no-deal Brexit, the UK will be considered to be a ‘third country’ after 29 March 2019 and will be subject to the rules that are applicable to the transfer of personal data outside the EU.
Personal data may no longer be transferred freely to the UK; data transfer will need to be based on one of the following instruments:
- Standard or ad-hoc data protection clauses (the European Commission has prepared three sets of Standard Contractual Clauses that provide an appropriate safeguard);
- Binding Corporate Rules (these are codes of conduct that multinationals impose on themselves; these must be approved by the Dutch Data Protection Authority);
- Codes of Conduct (these are intended for self-regulation by, for example, industry associations) or Certification Mechanisms (both of which also need to be approved).
The Commission could also consider (in a so-called adequacy decision) that the level of data protection in the UK is in line with European legislation. However, in the event of a no-deal Brexit, an adequacy decision will not be available immediately and the aforementioned instruments will have to be used, at least for the time being.
Because different rules will immediately become applicable after 29 March in the event of a no-deal Brexit, it is imperative to start taking steps immediately to prepare for this situation. According to the European Data Protection Board you can do this by means of the following five steps:
- Make an inventory, showing if and what personal data transfers are made to organisations (or branches) in the UK.
- Choose an instrument; determine which instrument is the best for your situation. For example, in the case of a multinational with a branch in the UK, creating or updating Binding Corporate Rules might be an option; whereas with data processors the Standard Contractual Clauses of the European Commission could be used.
- Make sure that whatever instrument you decide on is ready to use on 30 March 2019 (or as of the new deadline if the deadline is extended);
- Amend the privacy statement for data subjects to inform data subjects about the transfer to ‘outside the EU’.
Data transfers from the UK
A no-deal Brexit will not lead to any changes in the reverse situation, i.e. personal data transfers from the UK to an EU country. The British government has stated that data can be freely transferred from the UK to the EU, as is currently the case.
As Brexit may become a reality this month, there is no time to lose in making preparations.
If you have any questions, please contact Richella Soetens (IP, IT & Privacy lawyer)