Data Protection - What are the consequences of a no-deal Brexit?
The Government has published 20 guidance notices to help UK organisations cope with the possibility that a mutually acceptable Brexit deal between the EU and the UK cannot be found. Those involved in the negotiations are playing this down as unlikely; however, all parties are agreed on one thing at least – a no-deal Brexit is a possibility that would have such profound implications that it is something for which we must prepare.
If there is no Brexit deal then the UK will ‘fall out’ of the EU on 29th March 2019 and will instantly have the legal status of a ‘third country’ as far as member states are concerned. This means that organisations that currently exchange personal data between the UK and any EU country could find themselves in breach of the law on 30th March.
The relevant Government notice states that, because GDPR has been implemented in full in the UK and will continue to operate after Brexit, it will be lawful for personal data to be ‘exported’ from the UK and ‘imported’ to an EU/EEA country. However, without a deal there is no such guarantee from the EU that personal data may be exported into the UK.
It will be necessary for the European Commission to begin negotiations for the UK to be granted ‘adequacy’ status. Once adequacy is granted then data can once again be moved freely between all parties.
The process of negotiating adequacy status cannot begin until after Brexit, once the UK has become a third country. There is a strict mechanism for the whole process, which can take a long time; in most cases that means years rather than months.
In many respects, the UK will be in a good position to achieve adequacy as it is already highly aligned with the EU legal framework for privacy and data protection. However, there are some areas of disagreement, such as the use of investigatory powers by the police and the intelligence agencies, which could possibly disrupt the smooth progress of negotiations. If relations with the EU after a no-deal Brexit are less than harmonious then a willingness to negotiate to a speedy conclusion may be in short supply.
So, in the absence of a Brexit deal or an adequacy decision, the Government recommends that organisations that need to import data from the EU should establish a legal basis for doing so. For most organisations, the most appropriate alternative will be the use of model contractual clauses.
The European Commission has approved a set of standard clauses that can be embedded into contracts that oblige the signatories to comply with EU privacy and data protection laws.
Crucially, the Government has stated that organisations that find themselves in that position will need to be proactive in making the necessary arrangements. As 29th March approaches, the services of consultants or lawyers to advise on those contracts are likely to be in high demand and thus difficult to obtain or expensive.
It may be that there is another legal basis or derogation that is available to your organisation, so it is important to seek advice. If you import personal data from the EU after 29th March without a recognised legal basis for doing so, then you could be in breach of GDPR and subject to fines from the relevant supervisory authority.
The rules regarding international data transfers are just one aspect of the law covered in our one-day training course: GDPR – Privacy and Data Protection in the UK. We have helped more than 5,000 people to prepare for and implement the GDPR requirements in their organisations. The course is presented all around the UK.