No deal Brexit and the impact on cross-border data flows
January 16, 2019
The basis on which the UK will leave the EU has still to be decided. The result of the meaningful vote on 15th January 2019 shows that the certainty that businesses are seeking is still out of reach. Until a way through can be found, many businesses in the UK and EU may be accelerating their ‘no deal’ contingency plans.
On 13 December 2018, as part of its ‘no deal’ planning, the UK Government issued a notice (the ‘Notice’) to provide more detail about how our data protection law will work in the event the UK leaves the EU without a deal. This was followed by the Information Commissioner’s Office (‘ICO’) blog setting out how it is helping businesses prepare for a no deal Brexit.
What are the implications of a ‘no deal’ Brexit on cross-border data flows?
The Notice sets out the key components of a ‘no deal’ framework, which provide a level of reassurance in relation to cross-border data flows:
- Transfers from the UK to all EEA countries and Gibraltar could continue to flow, as the UK would transitionally recognise them as ‘adequate’.
- Where the EU has already made an adequacy decision in respect of a third country, the UK intends to preserve this on a transitional basis. To date, there are twelve countries with full adequacy status: Andorra, Argentina, Canada (limited to transfers to commercial organisations), Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, Uruguay and United States (limited to the Privacy Shield framework). Therefore, personal data could continue to flow from the UK to the adequate countries.
- European Commission approved Standard Contractual Clauses (‘SCCs’) could continue to be used to transfer personal data from the UK. After exit, the ICO would have the power to issue new SCCs.
- Existing ICO-authorised Binding Corporate Rules (‘BCRs’) would continue to be recognised. The ICO would continue to authorise new BCRs. It is assumed, but not stated in the Notice, that the ICO is unlikely to review new BCR applications after Brexit, other than in relation to transfers from the UK only (not the rest of the EU) – although this point is yet to be determined.
However, the significant issue for many organisations will be legitimising flows of data from the EU to the UK. The Government’s notice is clear: ‘UK organisations will need to work with their EU counterparts to make sure an alternative mechanism for transfer (such as standard contractual clauses) is in place.’ The ICO makes the same point in its blog: in the event of a no deal Brexit, organisations will need to carefully consider alternative transfer mechanisms to maintain data flows from the EU to the UK.
A Tactical Response?
A tactical response might therefore include the following steps:
- Understanding the size of the issue: Getting a clear picture of personal data flows from the EU to the UK, in relation to both consumer data and operational/human resources/finance data. As a tactical move, some organisations are prioritising data flows involving large volumes of personal data, or those data-sets that are commercially critical.
- Assessing how SCCs might practically be put in place: Once the data flows have been understood, and Appendices 1 and 2 of the SCCs have been drafted, organisations will then need to assess how practically to put the SCCs in place. Some organisations may choose to set up teams to send out SCCs and track responses. Others (particularly those with high volumes of contracts) may use technology-enabled solutions to manage the process. Either way, tactical plans will need to consider the ability of the organisation to put in place SCCs within a relatively tight time-frame.
- Reviewing the legal and operational impact of signing up to SCCs: If a Controller and a Processor have already put in place a data processing agreement which contains all the required elements of Article 28 General Data Protection Regulation (‘GDPR’), the SCCs may not feel like a significant leap. There is a large degree of overlap between the provisions set out in the SCCs and the required elements of Article 28. However, it is worth noting that the SCCs do contain some provisions which may not have been included in an Article 28 Controller – Processor data processing agreement. Similarly, in relation to Controller to Controller cross-border data transfers, the Controller to Controller SCCs go significantly beyond the arrangements required under Article 26 of the GDPR. Clearly, the nuances of the SCCs should be understood in order to fully assess the legal and operational impact of signing up to them.
- Understanding the limitations of SCCs: There are no formally approved SCCs in existence for Processor to Sub-Processor transfers. This issue was dealt with in the Article 29 Working Party’s 2010 FAQs on SCCs, which offered some alternative options to cover this type of transfer.
Finally, it is important to understand that the validity of the SCCs is under legal challenge in the Court of Justice of the European Union (‘CJEU’), in the matter commonly referred to as Schrems II. It is understood that the main CJEU hearing in relation to this matter is still quite some time away. At the date of writing, no date has been set for the main CJEU case and the Advocate General and the Judge Rapporteur have not yet been appointed. Against that background, it is important to at least be aware of this legal challenge and put plans in place to monitor developments associated with the case.
If you would like to further discuss your cross-border data flows in the context of Brexit, feel free to get in touch with Polly or any other member of the team.