As it is looking more like the UK will leave the EU without a deal on the 29th of March, this is what will happen regarding data protection:
A no deal scenario is one where the UK leaves the EU and becomes a third country at 11pm GMT on 29 March 2019 without a Withdrawal Agreement and framework for a future relationship in place between the UK and the EU.
If the UK leaves the EU in March 2019 with no agreement in place, there would be no change to UK data protection law. This is because the Data Protection Act 2018 and the EU (Withdrawal) Act 2018 incorporate the GDPR into UK law.
However, the legal framework governing transfers of personal data from organisations (or subsidiaries) established in the EU to organisations established in the UK would change on exit.
You will continue to be able to send personal data from the UK to the EEA and EU.
However, the EEA and the EU cannot send data back to the UK without a transfer safeguard, like Standard Contractual Clauses, in place.
In the event of a no-deal Brexit, the UK government will:
In a ‘No Deal’ scenario, responsibilities of data controllers across the UK will not change. Data subjects will continue to benefit from the same high levels of data protection as they do now. The same GDPR standards will continue to apply in the UK and the Information Commissioner will remain the UK’s independent regulator for data protection.
The UK will transitionally recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data. This means that personal data can continue to flow freely from the UK to these destinations following the UK’s exit from the EU. However, the data cannot flow back.
The UK cannot provide for free flow of data into the UK; jurisdictions outside of the UK will provide their own rules on the transfer of data internationally. UK organisations will need to make sure an alternative mechanism for transfer (such as standard contractual clauses) is in place before the 29th of March.
Where the EU has made an adequacy decision in respect of a country or territory outside of the EU prior to Exit Day, the UK government intends to retain the adequacy status of that country. This will mean that transfers from UK organisations to those adequate countries can continue uninterrupted. Adequate countries are:
Standard Contractual Clauses (SCCs) can still be used for international data transfers from the UK in a ‘No Deal’ scenario. In practice, this means that organisations that transfer personal data to organisations overseas on the basis of SCCs can continue to rely on them. Under the proposed regulations, the Information Commissioner will have the power to issue new SCCs after Exit Day.
SCCs are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations on you and your EU partner and rights for the individuals whose personal data is transferred.
Existing authorisations of Binding Corporate Rules (BCRs) made by the Information Commissioner will continue to be recognised in domestic law. After Exit Day, the Information Commissioner will continue to be able to authorise new BCRs under domestic law.
The EU GDPR applies to controllers or processors who are based outside of the EEA where they are processing personal data about individuals in the EEA in connection with offering them goods and services or monitoring their behaviour.
The Government intends to retain the extraterritoriality of the UK’s data protection framework. This will mean that the UK framework will apply to controllers or processors who are based outside of the UK where they are processing personal data about individuals in the UK in connection with offering them goods and services or monitoring their behaviour. This includes controllers and processors based in the EU.
Where Article 3(2) of the EU GDPR applies, Article 27 of the EU GDPR requires a controller or processor not established in the EEA to designate a representative within the EEA. The requirement does not apply to public authorities or if the controller/processor’s processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale.
The Government intends to replicate this provision to require controllers based outside of the UK to appoint a representative in the UK.
In addition, a UK controller who doesn’t have an office or entity in the EU will be obliged to appoint a representative in the EU, if they are processing EU data on a large scale.
In the event of a no-deal Brexit, you will need to have data sharing agreements and Standard Contractual Clauses (SCCs) in place before the 29th of March with all EEA and EU organisations that send data to you.
We can prepare these agreements for you so please get in touch. Remember, without them, the data flow from the EEA and the EU will stop on the 29th of March if there’s a no-deal Brexit.
In the event that the UK and the EU do not finalize an agreement, Privacy Shield participants receiving personal data from the UK in reliance on the Privacy Shield must take the steps below by the 29th of March.
Updates by the 29th of March:
To receive personal data from the UK in reliance on Privacy Shield in the case of a no-deal Brexit, a Privacy Shield participant will be required to adhere to the following:
An organization that does not modify its commitment as directed above will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after March 29th.
After the 29th of March, an organization that has publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.
Check the status of the company that you wish to export data to, to see if they have updated their public commitment to include the UK.
You can do this by searching for the company on the Privacy Shield website: privacyshield.gov
Registration number: 10427754. Registered office: Central Point, Beech Street, London EC2Y 8AD.
VAT Registration number: 285986235
ICO Registration number: ZA342346