On 13 September 2018, the UK Government published a series of technical notes setting out the implications in various sectors and areas of a ‘no deal’ scenario (i.e. a scenario in which the UK leaves the EU without an agreement), including a note specifically covering data protection. The note sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EU in the event that the UK leaves the EU in March 2019 with no agreement in place.
Transferring data from the UK to the EU
Even in the event of a ‘no deal’ scenario, the technical note confirms that there should not be any impact on the transfer of personal data from the UK to the EU and beyond. A combination of the UK Data Protection Act 2018 and the EU Withdrawal Act would incorporate the GDPR into UK law. As such, the provisions currently found in Chapter V of the GDPR, which prohibit the transfer of personal data outside of the EEA without adequate safeguards in place, would remain. UK entities would therefore continue to be able to freely send personal data from the UK to the EU, and would continue to need to satisfy an appropriate legal basis to legitimise the transfer of personal data beyond European borders.
The technical note further confirms that, “in recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU”. However, there is a potential sting in the tail: the technical note provides that the UK will keep this under review, meaning that the position could potentially change in the future. Once the UK data protection regime is no longer required to mirror the GDPR, it would in theory be possible for the UK Government to amend the UK rules to provide that, for example, no personal data could be transferred outside of the UK without additional safeguards in place.
Transferring data from the EU to the UK
In contrast to the export of personal data from the UK, the import of personal data to the UK from the EU will change on exit. As described above, the GDPR restricts the transfer of personal data outside of the EEA, meaning that in a ‘no deal’ scenario where the UK is no longer a Member State or part of the EEA, entities wishing to transfer data to the UK will need to satisfy one of the available legal bases for the transfer of personal data.
One such mechanism is a finding of ‘adequacy’ from the European Commission. The European Commission has stated that if it deems the UK’s level of personal data protection essentially equivalent to that of the EU, it would make an adequacy decision allowing the transfer of personal data to the UK without restrictions. However, it has further stated that any decision on adequacy cannot be taken until the UK is a third country (i.e. until after the UK’s exit from the EU).
In the absence of an adequacy decision (or in the intervening period of time whilst the European Commission is considering an adequacy decision), organisations in the EU wishing to send personal data to the UK will need to satisfy an alternative legal basis for doing so. The most common such basis is likely to be the use of the so-called Standard Contractual Clauses. These are sets of contractual clauses approved by the European Commission and incorporating various protections for personal data. By entering into the Standard Contractual Clauses, two entities are able to freely transfer data between each other. There are also specific derogations which might apply on a case-by-case basis. For example, the transfer of data is permitted with the explicit consent of the individual data subject. However, in all circumstances, entities will need to proactively consider what action they may need to take to ensure the continued free flow of data.