Jocelyn S Paulley
Partner
Co-Head of the Retail Sector (UK)
Co-lead of Data Protection and Cyber Security sector (UK)
One headache that organisations can avoid if there is a "No Deal" Brexit is whether data will still flow globally around their organisation. We set out what organisations need to do with their international data flows to make sure they are prepared if there is no deal.
Last month, the ICO and the UK government each published guidance on the data protection implications in the event of a "No Deal" Brexit. We have summarised the key points in this article.
There will be no substantive changes to the data protection laws in the UK as the government has already incorporated the General Data Protection Regulation ("GDPR") into law through the Data Protection Act 2018.
We have summarised the position for each international transfer of personal data:
From | To | Explanation |
---|---|---|
UK | EEA | No additional measures required, UK recognises all EEA states as "adequate" |
UK | "Adequate" non-EEA country | No additional measures required, UK will follow adequacy rulings by the EU on a transitional basis |
UK | Non-EEA country | Existing rules apply (i.e. appropriate safeguard required). Standard contractual clauses can continue to be used, or binding corporate rules or Privacy Shield |
EEA | UK | No specific guidance on any requirements other than the law as it stands, meaning controllers based in the EEA would need to put in place one of the appropriate safeguards, i.e. standard contractual clauses |
The ICO has published a "Six Steps to Take" guide. The key points include:
The guidance from the ICO and the UK government provides useful clarification on the impact of a "No Deal" Brexit. A further source of comfort would be confirmation from the EU on the continuation of the free flow of personal data from the EEA to the UK, e.g. if the EU made a finding of adequacy for the UK. Of course, this is not for the UK to decide and we await further developments on this.
Since the UK has incorporated the GDPR into UK law, one may be inclined to think that the UK is ready-made for an adequacy decision and should be given this status promptly following Brexit. Unfortunately, adequacy decisions apply only to non-EEA countries and the process cannot commence until the UK leaves the EU (29 March 2019). Furthermore, there is no telling how long (or short) a time the adequacy decision will take to be approved.
If Brexit were to happen tomorrow, the UK would be subject to the same restrictions on international transfers of personal data provided in the GDPR that apply to a non-EEA country, i.e. in order to send personal data from the EEA to the UK, the standard contractual clauses can be put in place, with the EEA organisation sending the personal data being the "data exporter" and the UK organisation receiving the personal data being the "data importer". Companies should review their data flows, using the data maps produced as part of GDPR compliance programmes, to identify where data flows from Europe to the UK and put appropriate measures in place.