No-Deal Brexit—Preventing Disruption to Data Transfers
In Short
The Situation: The European Union and United Kingdom have both warned companies to prepare for a no-deal Brexit.
The Result: There is a real possibility that the Brexit Implementation Period will end on 31 December 2020 without a trade deal between the United Kingdom and European Union.
Looking Ahead: Companies sending personal data from the European Economic Area ("EEA") to the United Kingdom must put in place arrangements to comply with the EU data transfer rules as a matter of urgency.
The EU Data Transfer Rules
From 1 January 2021, the United Kingdom will be a "third country" for the purposes of the EU General Data Protection Regulation ("GDPR"), and companies in the EEA may transfer personal data to the United Kingdom only by using an approved data transfer mechanism (such as the EU Standard Contractual Clauses ("SCC") or Binding Corporate Rules ("BCR")) or where one of the GDPR exceptions applies. The exceptions are unlikely to apply to regular data transfers.
In time, it is possible that the EU Commission will grant the United Kingdom an "adequacy decision" (establishing that the United Kingdom's data protection regime is "essentially equivalent" to that of the European Union). This would allow transfers without additional measures being taken. The UK Government's position is to maintain a close alignment with EU data protection laws and to seek such a decision. However, this will take time and is by no means certain.
For the moment, there is no equivalent issue for data transfers from the United Kingdom to the EEA. The United Kingdom has issued guidance stating that, given the alignment of the United Kingdom and the EU data protection rules, UK companies will continue to be able to send personal data to the European Union after 31 December 2020. This position will be kept under review.
In addition, data transfers from non-EEA countries to the United Kingdom will need to comply with the data protection rules of those countries. Where a country has an existing EU adequacy decision (such as, for example, Canada, Japan, or Switzerland), it is likely to have rules restricting data transfers to third countries (which will, after 31 December 2020, include the United Kingdom). The position for specific country transfers should be checked.
Required Steps
Anyone making regular transfers of personal data from the EEA to the United Kingdom should implement a legal transfer mechanism by 31 December 2020. Those using SCCs should also bear in mind the impact of the recent Schrems II decision and the upcoming SCCs which are currently expected to be adopted in early 2021 (see our Commentary, "Ensuring International Data Flows After Schrems II").
In addition, the GDPR applies to non-EU based companies that sell to or monitor individuals in the European Union. From 1 January 2021, UK companies carrying out such selling or monitoring must appoint an EU representative unless their processing is occasional, does not include, on a large scale, special categories of personal data (such as health data) and is low risk.
The United Kingdom has equivalent provisions for non-UK companies, which from 1 January 2021 will apply to EU companies that sell to or monitor individuals in the United Kingdom.
Companies should assess if either requirement applies to them and appoint any necessary representatives. They should also update their GDPR notices to data subjects to reflect the post-Brexit situation. This means transfers to the United Kingdom need to be referred to as third-country transfers, including a reference to the safeguards used (such as SCC or BCR) and where those can be obtained. The records of processing activities should also be updated to reflect the data transfer mechanisms in place for transfers to the United Kingdom.
Finally, companies should address these issues with their key suppliers in the European Union and in other countries with transfer restrictions applicable to the United Kingdom as a third country in order to avoid critical interruptions in the supply of goods and services.
Four Key Takeaways
- If there is no deal in place between the European Union and the United Kingdom before 31 December 2020, companies need to put in place a transfer mechanism to deal with any transfers of personal data from the EEA to the United Kingdom after 31 December 2020.
- Companies should consider if they need to appoint a representative in the European Union or United Kingdom under the applicable data protection rules.
- Companies need to update their notices to data subjects to reflect the post-Brexit situation, and update their records of processing activities.
- Companies will need to ensure that their key suppliers have taken similar steps in order to avoid critical interruptions in the supply of goods and services.