On 15 January 2019, the Parliament of the United Kingdom (“UK Parliament”) voted against the draft withdrawal agreement that set out the terms of the United Kingdom’s (“UK”) smooth and orderly exit from the European Union (“EU”). As the conclusion of a withdrawal agreement is looking increasingly unlikely, companies are well advised to anticipate the impact that a no-deal Brexit would have on the transfers of personal data from the EU to the UK by reviewing their data transfers for post-Brexit compliance.
Transfers of personal data under the EU General Data Protection Regulation
The EU General Data Protection Regulation (“GDPR”) guarantees the free movement of data between EU Member States as well as EFTA/EEA Member States (Norway, Iceland, Liechtenstein and Switzerland). While EU provisions aim to promote transfers of personal data within this area, transfers to third countries are strictly regulated.
If the UK Parliament fails to approve any draft withdrawal agreement (“no-deal Brexit”), the laws of the EU, including the GDPR, will cease to apply to the UK from 30 March 2019. The UK would then become a “third country” for the purposes of personal data transfers. All transfers of personal data to third countries must be carried out in compliance with one of the clearly defined legal bases set out in Chapter 5 of the GDPR.
The legal bases of Chapter 5 apply to all transfers of personal data to third countries, regardless of the relationship between the transferor and recipient. As a result, data transfers within the same group of companies must also be in line with the requirements of Chapter 5.
Transfers of personal data to third countries
The legal bases governing the transfers of personal data to third countries can be divided into three main categories: adequacy decisions, appropriate safeguards and derogations.
The European Commission (“Commission”) has expressly stated that an adequacy decision declaring the adequate level of protection of the UK is not part of its contingency planning in case of a no-deal Brexit. Companies are, therefore, required to rely on one of the appropriate safeguards and/or derogations listed exhaustively in Chapter 5 of the GDPR.
Recommended actions in anticipation of a no-deal Brexit
Companies are advised to review all data transfers from the EU to the UK and ensure that at least one of the legal transfer bases of Chapter 5 is in place for every transfer no later than 30 March 2019.
In practice, the most efficient way to transfer personal data from the EU to the UK in case of a no-deal Brexit will likely be the use of one of the standard contractual clauses (“SCC”) adopted by the Commission. Although other legal bases, such as the use of binding corporate rules or data subject consent, exist, these are often impractical due to high transaction costs, delays in implementation and/or inability to scale to a large number of transfers.
The SCCs comprise three sets of standard agreements: two alternative agreements for transfers between a controller and another controller, and one for controller-to-processor transfers. The SCCs aim to ensure that the recipient of the personal data will provide a due level of data protection to the data it receives.
In order to ensure the legality of transfers of personal data to the UK, such SCCs should be in place before 30 March 2019, even if only unilaterally approved by the EU operator.