Continued and unhindered data flows are vitally important to both the UK and EU economies. Currently, the GDPR sets the framework to allow free transfers of personal data by providing safeguards to ensure EU residents have control over their own data. It also provides transparency as to how it is used and protection from misappropriation and misuse.
Whilst the UK remains in the EU, cross border transfers of personal data do not require any additional or specific authorisations – Brexit could change all this…
The Impact of Brexit
As and when Brexit occurs, the UK, by definition, leaves the EU and becomes a ‘third country’.
The burning question is: “After Brexit, will the EU Commission still consider the UK an ‘Adequate’ third country as defined in GDPR Article 45?”, i.e. a country whose data protection rules are deemed to be at least on a par with the GDPR.
A further complication is that, after Brexit, the UK will not be party to the EU-US Privacy Shield, potentially complicating US data transfers further.
Implications of not being ‘Adequate’
Under the GDPR, if the Commission determines the UK is not Adequate, then lawful transfers of EU residents’ personal data can only take place where UK organisations:
1) Use model contractual clauses (approved by the European Commission and/or a relevant Supervisory Authority) in their contracts with suppliers and partners; or
2) Implement and use approved codes of conduct or certification mechanisms; or
3) Use binding corporate rules (BCRs) agreed with a supervisory authority for intra-company transfers within a corporate group.
Implementing and enforcing any of these options will be costly and time consuming, both within the UK and in a post-Brexit EU.
We can’t assume the UK is guaranteed to be ‘Adequate’
It is a common misconception that, as the UK has implemented the GDPR in the form of the Data Protection Act 2018, a positive Adequacy decision is guaranteed, but this is not strictly true.
After Brexit, the UK will no longer be answerable to the Court of Justice of the European Union, the ultimate overseer of the GDPR. Post-Brexit, the DPA 2018, whilst essentially replicating the GDPR, will be enforced by the UK Parliament. Parliament has also enacted the Investigatory Powers Act 2016 (nicknamed the “Snooper’s Charter”), which grants broad interception, interference and communications powers and limits the rights of individuals under EU law. It has also refused to incorporate the Charter of Fundamental Rights of the EU, which provides fundamental privacy rights alongside the GDPR.
If these paradoxes cannot be resolved, it would be open to the European Commission to decide that the UK is only a partially Adequate or even a non-Adequate third country. Even the process for making such a decision is unclear, and it may not be immediate, leaving us all in a damaging and costly period of great uncertainty.
Options in the event of Non or Partial Adequacy
So, what would happen in the event of a non or partially Adequate or even a delayed Adequacy decision?
Negotiating a bilateral UK-EU governmental agreement, in the same way that the EU-US Privacy Shield was agreed, is one possibility. Failing that, and in the interim while negotiations take place, organisations will have to fall back on the model contract clauses, BCRs and approved certification mechanisms outlined above.
An ‘Adequacy’ decision really does matter
Securing the elusive Adequacy decision post-Brexit is going to be complex and not for the faint-hearted, but it really does matter. Without it, the additional costs, administrative burdens and time required for UK and EU governments and organisations to overcome a non or partially Adequate decision will be numerous and extensive. Personal data transfers are at the heart of business, so this is not just a theoretical debate and will impact a wide range of important areas.
Whilst there is no guarantee there will be a favourable decision on Adequacy, the UK must have faith in a Brexit deal that grants the UK Adequate status. Regardless, organisations should start to discuss the implications and consider their contingency plans as nothing is certain other than that there is more change on the horizon.
As experts in Data Protection legislation, the DPO Centre provides advice and guidance to organisations to help them navigate the ever-evolving regulatory landscape by providing interim, outsourced Data Protection Officers as a service, GDPR EU Representation Services required under Article 27 for organisations outside the EU, as well as Data Protection Impact Assessments, Consultancy and Training.
For further information on how we can assist you and your organisation, please contact us today.