Continued and unhindered data flows are vitally important to both the UK and EU economies. Currently, the GDPR sets the framework to allow free transfers of personal data by providing safeguards to ensure EU residents have control over their own data. It also provides transparency as to how it is used and protection from misappropriation and misuse.
Whilst the UK remains in the EU, cross border transfers of personal data do not require any additional or specific authorisations – Brexit could change all this…
As and when Brexit occurs, the UK, by definition, leaves the EU and becomes a ‘third country’.
The burning question is, “After Brexit, will the EU Commission still consider the UK an ‘Adequate’ third country as defined in GDPR Article 45”? i.e. a country that is deemed to have data protection rules that are at least on a par with the GDPR.
A further complication is, after Brexit, the UK will not be party to the EU-US Privacy Shield, potentially further complicating US data transfers.
Under the GDPR, if the Commission determines the UK is not Adequate, then lawful transfers of EU residents’ personal data can only take place where UK organisations:
Implementing and enforcing any of these options will be costly and time consuming both within the UK and a post Brexit EU.
We can’t assume the UK is guaranteed to be ‘Adequate’
It is a common misconception that, as the UK has implemented the GDPR in the form of the Data Protection Act 2018, then a positive Adequacy decision is guaranteed, but this is not strictly true.
After Brexit, the UK will no longer be answerable to The Court of Justice of the European Union, the ultimate overseers of the GDPR. Post Brexit, the DPA2018, whilst essentially replicating the GDPR, will be enforced by the UK Parliament. Parliament has also enacted the Investigatory Powers Act 2016 (nicknamed the “Snooper’s Charter”) which allows broad interception, interference and communications powers and limits the rights of individuals under EU law. It has also refused to incorporate the Charter of Fundamental Rights of the EU that provides fundamental privacy rights alongside the GDPR.
If these paradoxes cannot be resolved it would be open to the European Commission to decide that the UK is only a partially Adequate or even a non-Adequate third country. Even the process for making such a decision is not clear; it may not be immediate, leaving us all in a damaging and costly period of great uncertainty.
So, what would happen in the event of a non or partially Adequate or even a delayed Adequacy decision?
Negotiating a bilateral UK-EU governmental agreement in the same way that EU-US Privacy Shield has been agreed is one possibility. Failing that, and in the interim whilst negotiations take place, organisations will have to fall back on model contract clauses, BCRs and approved certification mechanisms outlined above.
Securing the elusive Adequacy decision post Brexit is going to be complex and not for the faint hearted, but it really does matter. Without it, the additional cost, administrative burden and time required for UK and EU governments and organisations to overcome a non or partially Adequate decision will be numerous and extensive. Personal data transfers are at the heart of business, so this is not just a theoretical debate and will impact a wide range of important areas.
Whilst there is no guarantee there will be a favourable decision on Adequacy, the UK must have faith in a Brexit deal that grants the UK Adequate status. Regardless, organisations should start to discuss the implications and consider their contingency plans as nothing is certain other than that there is more change on the horizon.
As experts in Data Protection legislation, the DPO Centre provides advice and guidance to organisations to help them navigate the ever-evolving regulatory landscape by providing interim, outsourced Data Protection Officers as a service, GDPR EU Representation Services required under Article 27 for organisations outside the EU, as well as Data Protection Impact Assessments, Consultancy and Training.
For further information on how we can assist you and your organisation, please contact us today.