On 13 September 2018 the Department for Digital, Culture, Media & Sport published a notice setting out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EU in the event that the UK leaves the EU in March 2019 with no agreement in place.
The rules governing the collection and use of personal data are currently set at EU level by the General Data Protection Regulation (GDPR), which is supplemented in the UK by the Data Protection Act 2018 (DPA 2018). Under the current arrangements, organisations are only permitted to transfer personal data outside the EU if there is a legal basis for doing so, whilst transfers within the EU are not restricted.
Following the UK’s exit from the EU, the Government has confirmed that there will be no immediate changes to the UK’s own data protection standards. The EU Withdrawal Act will incorporate the GDPR into UK law and it will continue to sit alongside the DPA 2018. However, should no agreement be reached in the negotiations, the legal framework governing transfers from organisations (or subsidiaries) established in the EU to organisations established in the UK will change.
- Transfers from the UK to the EU
The UK Government’s position is that in recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, organisations will continue to be able to transfer personal data from the UK into the EU unchecked and no restrictions will be put in place at the point of the UK’s exit.
- Transfers from the EU to the UK
The EU already has in place an established mechanism to enable the free flow of personal data to countries outside the bloc, namely where an adequacy decision is made by the European Commission in relation to that country.
The Commission has stated that if it deems the UK’s level of personal data protection equivalent to that of the EU, then it would make an adequacy decision allowing for the unimpeded transfer of personal data to the UK. However, although the UK has made it clear that it is willing to begin preliminary discussions on an adequacy assessment prior to its exit from the Union, the Commission has refused to indicate a timetable for talks and has further declared that no decision can be taken until the UK is a third country.
If the Commission does not make an adequacy decision at the point of the UK’s exit, and an organisation wants to receive personal data from partners established in the EU, then it will need to identify, alongside its European counterparts, a legal basis for the transfer. For the majority of organisations the most appropriate and relevant legal basis will be “standard contractual clauses”. These are model data protection clauses approved by the European Commission that enable the free flow of personal data when embedded into a contract. They impose obligations on both parties as well as conferring rights on the individuals whose personal data is transferred. In other circumstances a derogation, for example where the transfer is made with the data subject’s consent or is necessary to perform a contract, may be relied upon.
The Department for Digital, Culture, Media & Sport has recommended that organisations proactively consider what actions they may need to take to ensure the free flow of data in the event of a no-deal Brexit. Greenwoods GRM can advise you on the various options available and the steps you need to take to ensure that your data flows are not disrupted.
For advice on data protection issues under English law, including GDPR, please contact: