Amid the constitutional and political uncertainties surrounding the Brexit process, the UK Government has provided welcome assurance on the data protection front. Guidance issued by the Department for Digital, Culture, Media & Sport (DCMS) confirms how UK data protection law will work in the event the UK leaves the EU without a deal. Whilst the Government still regards a No Deal Brexit as “unlikely”, the implications of that scenario for transfers of personal data into and out of the UK are extremely severe, so the DCMS confirmation is hugely helpful for the preparations needed for that eventuality.
According to DCMS, the Government intends to use its regulation-making powers under the EU (Withdrawal) Act 2018 to provide as much continuity as possible in this area. In practical terms, this means the following:
- The UK will transitionally recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data. This means that personal data can continue to flow freely from the UK to these destinations following the UK’s exit from the EU.
- The UK intends to preserve the effect of all existing adequacy decisions in respect of a country or territory outside of the EU made by the European Commission before the Brexit date. This means that the following jurisdictions will continue to be regarded as safe recipients of data: Andorra, Argentina, Canada (for commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. It is also possible that Japan may be added to this list in early 2019.
- In line with the above, the EU-U.S. Privacy Shield will also be recognised as providing an adequate level of protection for transfers of personal data from the UK, without the immediate need for a separate agreement between the UK and U.S. governments.
- Data transfer agreements incorporating the Standard Contractual Clauses issued by the European Commission will continue to be regarded as a valid mechanism for international data transfers from the UK.
- All existing authorisations of Binding Corporate Rules made by the UK Information Commissioner will continue to be recognised under domestic law for transfers of data from the UK.
This is all good news that will help organisations wondering if the mechanisms in place to deal with transfers from the EU would work under UK law.
However, DCMS acknowledges that the free flow of data into the UK would cease in the event of a No Deal Brexit. Therefore, the guidance refers to the mechanisms that might be available under other jurisdictions’ laws to legitimise any such data flows. In terms of transfers of data from the EU to a third country that is not deemed adequate (such as the UK after Brexit in the absence of a deal), the menu of different options available is set out in Article 46 of the GDPR.
At this stage and in line with the UK Government’s position, our practical advice continues to be as follows:
- Assess existing and future data transfers from the EU to the UK, and from the UK to other jurisdictions.
- Identify suitable mechanisms to legitimise data transfers into and from the UK in the event of a No Deal Brexit.
- Consider alternative lead authorities to the ICO – both for the purposes of the One Stop Shop and BCRs.
- Keep a close eye on the political developments in the UK affecting the likelihood of either a Brexit Deal or a No Deal Brexit.