info@sapphireconsulting.co.uk             London – 020 305 68855         Cornwall – 01726 247047

BREXIT INFO

As it is looking more like the UK will leave the EU without a deal on the 29th of March, this is what will happen regarding data protection:

After March 2019 if there’s no deal


A no deal scenario is one where the UK leaves the EU and becomes a third country at 11pm GMT on 29 March 2019 without a Withdrawal Agreement and framework for a future relationship in place between the UK and the EU.

If the UK leaves the EU in March 2019 with no agreement in place, there would be no change to UK data protection law. This is because the Data Protection Act 2018 and the EU (Withdrawal) Act 2018 incorporate the GDPR into UK law.

However, the legal framework governing transfers of personal data from organisations (or subsidiaries) established in the EU to organisations established in the UK would change on exit.


You will continue to be able to send personal data from the UK to the EEA and EU.

However, the EEA and the EU cannot send data back to the UK without a transfer safeguard, like Standard Contractual Clauses, in place.


In the event of a no-deal Brexit, the UK government will:


  1. Retain the GDPR in UK law via the Data Protection Act 2018 and the EU (Withdrawal) Act 2018

In a ‘No Deal’ scenario, responsibilities of data controllers across the UK will not change. Data subjects will continue to benefit from the same high levels of data protection as they do now. The same GDPR standards will continue to apply in the UK and the Information Commissioner will remain the UK’s independent regulator for data protection.

  2. Recognise the EEA, the EU and Gibraltar as ‘adequate’ to allow data flows from the UK to continue

The UK will transitionally recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data. This means that personal data can continue to flow freely from the UK to these destinations following the UK’s exit from the EU. However, the data cannot flow back.

The UK cannot provide for the free flow of data into the UK; jurisdictions outside the UK will apply their own rules on international data transfers. UK organisations will need to make sure an alternative transfer mechanism (such as standard contractual clauses) is in place before the 29th of March.

  3. Recognise existing ‘adequate countries’ for data transfer

Where the EU has made an adequacy decision in respect of a country or territory outside of the EU prior to Exit Day, the UK government intends to retain the adequacy status of that country. This will mean that transfers from UK organisations to those adequate countries can continue uninterrupted. Adequate countries are:

    • Andorra
    • Argentina
    • Canada (for commercial organisations)
    • Faroe Islands
    • Guernsey
    • Israel
    • Isle of Man
    • Japan
    • Jersey
    • New Zealand
    • Switzerland
    • Uruguay
    • USA (limited to those organisations that are on Privacy Shield – see below on Privacy Shield)

  4. Recognise EU Standard Contractual Clauses (SCCs) in UK law and give the ICO the power to issue new clauses

Standard Contractual Clauses (SCCs) can still be used for international data transfers from the UK in a ‘No Deal’ scenario. In practice, this means that organisations that transfer personal data to organisations overseas on the basis of SCCs can continue to rely on them. Under the proposed regulations, the Information Commissioner will have the power to issue new SCCs after Exit Day.

SCCs are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations on you and your EU partner and rights for the individuals whose personal data is transferred.

  5. Recognise Binding Corporate Rules (BCRs) authorised before Exit Day

Existing authorisations of Binding Corporate Rules (BCRs) made by the Information Commissioner will continue to be recognised in domestic law. After Exit Day, the Information Commissioner will continue to be able to authorise new BCRs under domestic law.


  6. Maintain the extraterritorial scope of the UK data protection framework

The EU GDPR applies to controllers or processors who are based outside of the EEA where they are processing personal data about individuals in the EEA in connection with offering them goods and services or monitoring their behaviour.

The Government intends to retain the extraterritoriality of the UK’s data protection framework. This will mean that the UK framework will apply to controllers or processors who are based outside of the UK where they are processing personal data about individuals in the UK in connection with offering them goods and services or monitoring their behaviour. This includes controllers and processors based in the EU.

  7. Oblige non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale

Where Article 3(2) of the EU GDPR applies, Article 27 of the EU GDPR requires a controller or processor not established in the EEA to designate a representative within the EEA. The requirement does not apply to public authorities or if the controller/processor’s processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale.

The Government intends to replicate this provision to require controllers based outside of the UK to appoint a representative in the UK.

In addition, a UK controller who doesn’t have an office or entity in the EU will be obliged to appoint a representative in the EU, if they are processing EU data on a large scale.


What you need to do

In the event of a no-deal Brexit, you will need to have data sharing agreements and Standard Contractual Clauses (SCCs) in place before the 29th of March with all EEA and EU organisations that send data to you.

We can prepare these agreements for you, so please get in touch. Remember, without them, the data flow from the EEA and the EU will stop on the 29th of March if there’s a no-deal Brexit.


Privacy Shield – USA


In the event that the UK and the EU do not finalize an agreement, Privacy Shield participants receiving personal data from the UK in reliance on the Privacy Shield must take the steps below by the 29th of March.


Updates by the 29th of March:

To receive personal data from the UK in reliance on Privacy Shield in the case of a no-deal Brexit, a Privacy Shield participant will be required to adhere to the following:

  1. First, a Privacy Shield organization must update its public commitment to comply with the Privacy Shield to include the UK. Public commitments must state specifically that the commitment extends to personal data received from the UK in reliance on Privacy Shield. If an organization plans to receive Human Resources (HR) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy.
  2. Second, organizations must maintain a current Privacy Shield certification, recertifying annually as required by the Framework.

An organization that does not modify its commitment as directed above will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after March 29th.

After the 29th of March, an organization that has publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.


What you need to do

Check the status of the company that you wish to export data to, to see if they have updated their public commitment to include the UK.

You can do this by searching for the company on the Privacy Shield website: privacyshield.gov


Sapphire Consulting Group Ltd is a limited company registered in England and Wales.

Registration number: 10427754. Registered office: Central Point, Beech Street, London EC2Y 8AD.

VAT Registration number: 285986235

ICO Registration number: ZA342346