No-deal Brexit - International transfer of personal data

Theresa May's draft Withdrawal Agreement was voted down by MPs in a historic defeat and we are waiting to see whether she will obtain the compromises from the EU that will enable her deal to pass the House of Commons vote. What happens in the next few days and weeks will be crucial to how the UK will exit the EU. Until then, there is still a possibility that the UK will leave without a deal.

A "no-deal" Brexit will have an impact on the way the EU's General Data Protection Regulation 2016 ("GDPR") applies to processing the personal data of EU data subjects.

What will happen if there is a deal?

Our guidance on the data protection position in the event that the UK leaves the EU with a deal is based on the draft Withdrawal Agreement. However, this has since been voted down by MPs. Any re-negotiated deal would have to be reviewed to check that the same rights are afforded to the UK in relation to the application of the GDPR.

As originally drafted, the Withdrawal Agreement allowed for a transition period (running until 31 December 2020). During this period EU law would continue to apply in the UK; this includes the GDPR. There are specific articles in the Withdrawal Agreement setting out how EU data protection laws would apply after the transition period. It also states that the EU will not treat personal data passing to or from the UK any differently from personal data passing between the remaining member states. We feel it is likely that the same provisions would continue to be included in any re-negotiated deal.

The draft Withdrawal Agreement envisaged that during the transition period an agreement would be negotiated between the EU and UK which would govern more formally how personal data can be transferred between the UK and remaining member states after the transition period ends. The most likely arrangement will be by way of an adequacy decision. This is a decision made by the European Commission that a country outside of the EU offers an adequate level of data protection. Theresa May had originally expressed that the UK would seek more than an adequacy decision with the EU, but the EU rejected this. The European Commission has said that it will endeavour to adopt a decision regarding the adequacy of the UK's data protection laws by the end of 2020.

If an adequacy decision is not made by the EU by the time the transition period ends, the UK will become a "third country" for the purposes of EU data protection legislation (i.e. a country which is not a member of the EU or of the EEA). The issues which arise from this are the same as the issues arising from a "no-deal" Brexit set out below.

What will happen if there is no deal?

If the UK leaves the EU without a deal, there will be no transition period. From 23.00 on 29 March 2019, the UK will no longer be a member of the EU and would become a third country. As a result, the EU version of the GDPR will not apply to UK businesses and organisations.

The UK government intends to incorporate the GDPR into UK law, to create a "UK GDPR". The proposed draft Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 has been laid before Parliament, with the aim of creating a legal framework in the UK for data protection once the UK leaves the EU. In principle, this would mean that the laws will be equivalent to those of the EU. However, this would not address the issue of how easily UK and EU member state businesses can transfer personal data between their respective countries.

It is highly unlikely that an adequacy decision will be made by the time the UK might exit the EU without a deal on 29 March 2019. This will mean that transfers from the EU to the UK will be affected.

For transfers from the EU to the UK, the impact will be more noticeable. The UK government cannot include in the proposed legislation the ability for personal data to move freely from the EU to the UK. Once the UK leaves the EU, and becomes a third country with no adequacy decision in place, the EU GDPR will still apply. Businesses in EU member states will need to ensure that "adequate safeguards" are in place to govern any transfer of personal data to the UK. This includes using either:

  • the standard contractual clauses, appropriate to the relationship between the entity in the EEA and the UK;
  • binding corporate rules which cover the UK-based company as part of an international group of companies that share personal data across the group. If these were in place before the exit date, they will continue to be effective, but note that they would need to be updated to reflect that the UK would be a third country; or
  • one of the limited derogations.

The UK government has said that when the UK leaves the EU, it will still be permitted for personal data to be transferred from the UK to the EEA, although this will be kept under review. UK-based businesses looking to continue transferring personal data outside of the EEA will have to implement "adequate safeguards", as previously. However, this would be governed by the new "UK GDPR".

For transfers from a country that has the benefit of an EU adequacy decision (e.g. the USA (for those businesses in the EU-US Privacy Shield program), Canada, Israel and others), the position is not yet as clear. The UK's Information Commissioner's Office ("ICO") expects that the UK government will begin the process of making alternative arrangements for transfers from these countries to the UK. Until these are made, UK-based businesses will need to ensure that they comply with the requirements of those countries, in line with their laws on transferring personal data.

A "no-deal" Brexit could, at least initially, slow down and hamper UK businesses' ability to transact and transfer personal data in the EU due to the formalities that would have to be put in place.

Transfers under UK businesses' current contracts

If the UK leaves the EU without a deal and becomes a third country for the purposes of data protection legislation, there may also be implications for transfers to a UK business under current contracts.

In many contracts, there will be a clause which states that neither party will transfer personal data outside the EEA or EU. Of course, once the UK leaves the EU at the end of March, personal data would inevitably be processed outside the EEA or EU and this would be in breach of any such clause.

It will be important to check the provisions in contracts between UK businesses and suppliers on the transfer of personal data, to see whether these would need updating in light of a no-deal Brexit.

EU-US Privacy Shield

The EU-US Privacy Shield is an agreement between the EU and the USA. Once the UK leaves the EU, the UK will no longer be part of this agreement. The UK government is currently making arrangements to enable its continued application in the UK for transfers of personal data to relevant US businesses.

Guidance has now been issued on the application of Privacy Shield in the event a transition period is entered into on 29 March 2019. (As this guidance was issued before the draft Withdrawal Agreement was voted down, it should be confirmed that this would still apply under a re-negotiated deal with a transition period). During this period, Privacy Shield would continue to apply to transfers of personal data from the UK to US companies certified under the Privacy Shield program.

At present, if the UK leaves without a deal, UK businesses will still be able to transfer personal data to US companies in the Privacy Shield program as long as those companies have updated their Privacy Shield certification expressly to include personal data transfers from the UK. This applies to transfers that take place after the transition period. Model wording has been released on the Privacy Shield website to aid businesses. However, it should be noted that there are additional requirements if the data being transferred is HR data. UK businesses will need to check that all updates have been made before transferring personal data.

Risk of double the fines

When a UK organisation is carrying out cross-border processing (for example, a retailer that has a physical location in the UK, but sells via the internet to other EU countries) it currently benefits from the 'One-Stop-Shop' system under the GDPR. This means that one supervisory authority will act as a lead on behalf of the other EU supervisory authorities. At present, if the UK business were in breach of the GDPR, it would be investigated by one authority and issued with one fine across the EEA.

If the UK leaves the EU without a deal, the above example would not amount to cross-border processing and the 'One-Stop-Shop' system would no longer apply. In the event of any formal action by supervisory authorities, businesses would have to engage with the ICO and the relevant EU supervisory authority. More significantly, they would risk receiving more than one fine. For example, if the UK business sells in the UK and France and a data breach occurs, then the ICO could investigate and fine the business, as could the French supervisory authority. The ICO has confirmed that it is awaiting guidance from the European Data Protection Board on this type of scenario.

The future?

How the UK will exit the EU is as uncertain as ever. Businesses should plan for the eventuality that the UK will leave without a deal to minimise the impact this could have on them.

If you would like more information on this topic, please contact Tom Torkar, Partner in Michelmores' Commercial team.