The government has published the second tranche in its series of technical notices providing guidance for UK businesses, workers and citizens on how to prepare for a “no deal” Brexit. A "no deal" Brexit will occur if the UK and the EU fail to conclude a withdrawal agreement by the time of the UK’s exit from the EU at 11pm on 29 March 2019. This would mean there would be no transitional period and a sudden break in the application of EU rules to the UK.
One of the latest notices is entitled “Data protection if there’s no Brexit deal” and it sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EU in the event that the UK leaves the EU in March 2019 with no withdrawal agreement in place.
Currently, the rules governing the collection and use of personal data are set at an EU-level by the General Data Protection Regulation (GDPR). In the UK, the Data Protection Act 2018 and the GDPR provide a comprehensive data protection framework. Under GDPR rules, organisations are only permitted to transfer personal data outside the EU if there is a legal basis for doing so. Transfers of personal data within the EU are not restricted. If the UK leaves the EU in March 2019 with no agreement in place regarding future arrangements for data protection, there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the European Union (Withdrawal) Act 2018 would incorporate the GDPR into UK law to sit alongside it. UK organisations would continue to be able to send personal data from the UK to the EU. In recognition of the degree of alignment between the UK and EU’s data protection regimes, the UK would continue to allow the free flow of personal data from the UK to the EU. The government would propose to keep this under review.
However, the legal framework governing transfers of personal data from organisations established in the EU to organisations established in the UK would change at the point of exit. The EU has an established mechanism to allow the free flow of personal data to countries outside the EU – this is called an adequacy decision. The European Commission has stated that if it deems the UK’s level of data protection essentially equivalent to that of the EU, it would make an adequacy decision allowing the transfer of personal data from the EU to the UK without restrictions. Unfortunately, there is no timetable in place yet for preliminary discussions on an adequacy assessment to commence and the European Commission has stated that an adequacy decision cannot be taken until the UK has left the EU. If the European Commission doesn’t make an adequacy decision regarding the UK at the point of exit and UK organisations want to continue to receive personal data from organisations established in the EU, they should start proactively identifying a legal basis for those transfers.
For most organisations, the most relevant alternative legal basis would be standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations on UK organisations and their EU partners, and rights for the individuals whose personal data is transferred.