With the decision of the EU leaders to postpone Brexit, the future relationship between the EU and the UK is still up in the air, and the UK leaving the EU without a deal remains a very possible outcome. The question remains: how will EU-based companies and organizations that are active in the UK (or deal with UK companies in their business relationships) have to adapt?
With regard to the transfer of personal data, the European Data Protection Board (EDPB) has now clarified, in its Information Note of 12 February 2019 on data transfers under the General Data Protection Regulation (GDPR) in the event of a no-deal Brexit (the “Guidance”)[1], whether (and how) personal data can still flow freely between the European Economic Area (EEA) and the UK.
When transferring personal data to the UK
Should the UK leave the EU without a deal, the UK will become a so-called “third country” to the EU. In that case, according to the Guidance, EU companies and organizations that transfer personal data to the UK need to take five steps to remain compliant with the GDPR.
- First, EU companies and organizations will need to identify which activities (operational or other) involve the transfer of personal data to the UK and map these data flows. For example, a Belgian logistics company that provides the name, telephone number, e-mail address and so on of its carrier drivers to its customers in the UK will effectively transfer personal data to the UK.
- Secondly, a data transfer instrument must be chosen. A third country’s data protection system can be declared adequate by a European Commission decision, meaning that no additional requirements have to be met before personal data can be transferred to that country. However, given that the UK has not (yet) been the subject of such an adequacy decision, organizations that wish to transfer personal data to the UK will, under the current status, have to adopt one of the following data transfer instruments:
  - A first possibility is to include an unaltered version of the Standard Contractual Clauses (“SCCs”, the standard data protection clauses approved by the European Commission) in the agreement with the non-EEA (i.e. UK) counterpart. These clauses contractually bind the UK companies and organizations that are party to the agreement to data protection obligations in line with the GDPR, and therefore offer appropriate safeguards to the data subjects and their personal data.
  - For intra-group transfers (e.g. multinationals) or transfers within international organizations (e.g. NGOs), a second possibility is to adopt Binding Corporate Rules. These are personal data protection policies that provide appropriate safeguards for transfers of personal data within the group of companies or the organization, including transfers outside of the EEA. These so-called “BCRs” must be approved by the competent national supervisory authority, following an opinion of the EDPB.
  - Associations or other bodies that represent categories of companies may prepare Codes of Conduct, which can offer appropriate safeguards for transfers of personal data if they contain binding and enforceable commitments for the organization in the UK.
  In certain situations, the GDPR also provides for derogations from the rule that a data transfer to a third country must be based on an adequacy decision or one of the above data transfer instruments. For example, data can be transferred on the basis of explicit consent, where the data subject has explicitly consented to the transfer of their personal data to a third country after being informed of the risks inherent in the transfer.
- Thirdly, once the data transfer instrument has been chosen by the company or organization, it will need to be implemented before the departure of the UK from the EU (under a no-deal scenario).
- Fourthly, companies and organizations will need to indicate in their internal documentation that they will transfer personal data to the UK.
- Finally, companies and organizations will need to update their privacy notice accordingly, so that individuals are informed of the change in line with the GDPR’s transparency requirements.
When receiving personal data from the UK
Similarly, in the event of a no-deal Brexit, the EDPB considered to what extent EEA companies and organizations will still be allowed to freely receive personal data from the UK.
According to the EDPB, the UK government has stated that, in a no-deal situation, it intends to allow data to flow from the UK to EEA countries without any additional measures. How this will be done in practice is currently still left open (and will hopefully be clarified in the coming weeks).
1. European Data Protection Board, Information note on data transfers under the GDPR in the event of a no-deal Brexit, 12 February 2019 (link).