As it is looking more like the UK will leave the EU without a deal on the 29th of March, this is what will happen regarding data protection:
After March 2019 if there’s no deal
A no deal scenario is one where the UK leaves the EU and becomes a third country at 11pm GMT on 29 March 2019 without a Withdrawal Agreement and framework for a future relationship in place between the UK and the EU.
If the UK leaves the EU in March 2019 with no agreement in place, there would be no change to UK data protection law. This is because the Data Protection Act 2018 and the EU (Withdrawal) Act 2018 incorporate the GDPR into UK law.
However, the legal framework governing transfers of personal data from organisations (or subsidiaries) established in the EU to organisations established in the UK would change on exit.
You will continue to be able to send personal data from the UK to the EEA and EU.
However, the EEA and the EU cannot send data back to the UK without a transfer safeguard, like Standard Contractual Clauses, in place.
In the event of a no-deal Brexit, the UK government will:
1. Retain the GDPR in UK law via the Data Protection Act 2018 and the EU (Withdrawal) Act 2018
In a ‘No Deal’ scenario, responsibilities of data controllers across the UK will not change. Data subjects will continue to benefit from the same high levels of data protection as they do now. The same GDPR standards will continue to apply in the UK and the Information Commissioner will remain the UK’s independent regulator for data protection.
2. Recognise the EEA, the EU and Gibraltar as ‘adequate’ to allow data flows from the UK to continue
The UK will transitionally recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data. This means that personal data can continue to flow freely from the UK to these destinations following the UK’s exit from the EU. However, the data cannot flow back.
The UK cannot provide for the free flow of data into the UK; jurisdictions outside of the UK will provide their own rules on the transfer of data internationally. UK organisations will need to make sure an alternative mechanism for transfer (such as standard contractual clauses) is in place before the 29th of March.
3. Recognise existing ‘adequate countries’ for data transfer
Where the EU has made an adequacy decision in respect of a country or territory outside of the EU prior to Exit Day, the UK government intends to retain the adequacy status of that country. This will mean that transfers from UK organisations to those adequate countries can continue uninterrupted. Adequate countries are:
- Canada (for commercial organisations)
- Faroe Islands
- Isle of Man
- New Zealand
- USA (limited to those organisations that are on Privacy Shield)
4. Recognise EU Standard Contractual Clauses (SCCs) in UK law and give the ICO the power to issue new clauses
Standard Contractual Clauses (SCCs) can still be used for international data transfers from the UK in a ‘No Deal’ scenario. In practice, this means that organisations that transfer personal data to organisations overseas on the basis of SCCs can continue to rely on them. Under the proposed regulations, the Information Commissioner will have the power to issue new SCCs after Exit Day.
SCCs are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations on you and your EU partner and rights for the individuals whose personal data is transferred.
5. Recognise Binding Corporate Rules (BCRs) authorised before Exit Day
Existing authorisations of Binding Corporate Rules (BCRs) made by the Information Commissioner will continue to be recognised in domestic law. After Exit Day, the Information Commissioner will continue to be able to authorise new BCRs under domestic law.
6. Maintain the extraterritorial scope of the UK data protection framework
The EU GDPR applies to controllers or processors who are based outside of the EEA where they are processing personal data about individuals in the EEA in connection with offering them goods and services or monitoring their behaviour.
The Government intends to retain the extraterritoriality of the UK’s data protection framework. This will mean that the UK framework will apply to controllers or processors who are based outside of the UK where they are processing personal data about individuals in the UK in connection with offering them goods and services or monitoring their behaviour. This includes controllers and processors based in the EU.
7. Oblige non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale
Where Article 3(2) of the EU GDPR applies, Article 27 of the EU GDPR requires a controller or processor not established in the EEA to designate a representative within the EEA. The requirement does not apply to public authorities or if the controller/processor’s processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale.
The Government intends to replicate this provision to require controllers based outside of the UK to appoint a representative in the UK.
In addition, a UK controller that doesn’t have an office or entity in the EU will be obliged to appoint a representative in the EU if it is processing EU data on a large scale.
What you need to do
In the event of a no-deal Brexit, you will need to have data sharing agreements and Standard Contractual Clauses (SCCs) in place before the 29th of March with all EEA and EU organisations that send data to you.
We can prepare these agreements for you so please get in touch. Remember, without them, the data flow from the EEA and the EU will stop on the 29th of March if there’s a no-deal Brexit.
Sapphire Consulting Group
Cornwall 01726 247047
London 020 305 68855