Brexit: Implications for data
A no-deal Brexit would create a range of new barriers to the transfer of data between the EU and UK.
In the absence of a UK-EU ‘Withdrawal Agreement’ that provides for the continued flow of personal data (or in a no-deal Brexit scenario), organisations will need certain safeguard mechanisms to underpin the lawful transfer of personal data from the European Economic Area (EEA or ‘internal market’) to the UK (including Northern Ireland) after 31 January 2020. This scenario would impact the transfer of personal data from the EU to the UK and organisations conducting business with the UK.
Currently, the free movement of personal data across the EU (including the Republic of Ireland and the UK) is underpinned by a common set of data protection rules, including the EU General Data Protection Regulation (GDPR). After 31 January 2020, the UK becomes a ‘third country’ outside the EEA (including the EU), and additional ‘appropriate safeguards’ will be required for EEA-UK transfers of personal data. EU data protection rules permit the international transfer of personal data from the EEA to third countries when either:
- The European Commission has initiated an ‘Adequacy Decision’, a mechanism whereby the Commission formally recognises the data protection framework of a third country as ‘adequate’ – a form of equivalence, whereby personal data can flow from the EEA to the third country without any further safeguards. At the time of writing, no such agreed recognition is in train and the European Commission has indicated that the adoption of an adequacy decision is not part of its contingency planning for a no-deal Brexit scenario; or
- Organisations themselves use an appropriate alternative safeguard mechanism to lawfully transfer personal data from the EEA to recipients in a third country. A common transfer safeguard mechanism is the use of approved standard or model contractual clauses between a data exporter and importer. Further information on the various lawful mechanisms for the transfer of personal data outside the EU is available from the Irish Data Protection Commissioner and the European Commission.
It is understood that the UK government intends to permit a continuance of the current flow of personal data from the UK to recipients in the EU at the point of exit after 31 October 2019. This will be subject to review.
Considerations in preparing for a no-deal Brexit scenario
- Measure risk to manage it. Review organisational awareness. Identify and map out your organisation’s current and planned data transfers to (and from) the UK. Identify contractual arrangements underpinning these transfers.
- Review and consider your transfer options. Review the approved EU mechanisms for the lawful transfer of personal data from the EEA to third countries. Consider which mechanism best fits your situation in preparing for a potential no-deal Brexit scenario before 31 January 2020.
- Consider any organisational implications associated with different jurisdictions after 31 October 2019. Organisations that operate across Europe should assess how a potential no-deal Brexit could affect their data processing activities and the data protection regimes that apply to them. Consider if your organisation needs to reflect changes to international data transfers in your privacy notice and data protection documentation after 31 January 2020.
The data protection authorities in Ireland and the UK have produced guidance on data protection in a no-deal Brexit scenario. The Irish Data Protection Commission (DPC) issued specific guidance around standard contract clauses in the event that the UK leaves the EU without a deal. The European Data Protection Board (EDPB) has issued guidance on data transfers in a no-deal Brexit scenario.
Ibec is working with the DPC to ensure business is best supported and informed in preparing for a potential no-deal Brexit scenario. Ibec held well-attended briefings with the Data Protection Commission (DPC) on the impact of a no-deal Brexit on data protection compliance on 25 February and 30 September. In parallel to those briefings, we recorded webinars for members unable to attend. A recording of the 30 September webinar is available at this link. We were delighted to partner with the Data Protection Commission in delivering this initiative.
This note is intended as general information and not detailed legal advice.