Brexit issue(s) Action required

Orderly Brexit:
In the event that the UK leaves the EU with a Deal, it would be assumed that the EU Commission would adopt an adequacy decision, which would permit transfers of personal data for the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) to the UK, as part of the orderly Brexit. The detail of the agreement would need to be reviewed to confirm this.

No Deal Brexit:
In the event of a No Deal Brexit, the UK (including Northern Ireland) will become a “third country” for the purposes of GDPR after the deadline date for Brexit to come into effect, currently being 31 October 2019 (the “Current Date”), passes with no agreement reached as to how Brexit will occur.

This, in respect of a No Deal Brexit, means that the legal framework governing transfers of personal data from organisations established in the EU to organisations established in the UK will change as transfers of personal data to the UK will be subject to the rules on international transfers to third countries provided for in the GDPR and other EU directives and regulations.

Organisations need to prepare now to ensure they have appropriate safeguards in place to allow data flows to the UK to continue after the Current Date and to prevent a No Deal Brexit having a detrimental impact on their business.

To date, the EU Commission has stated that the adoption of an adequacy decision, which would permit transfers of personal data to the UK, is not part of the Commission’s contingency planning in the event of a No Deal Brexit. Therefore, after the Current Date there will not be an adequacy decision in place. The negotiations for one could only begin after the Current Date, with a No Deal Brexit meaning that such negotiations may not be prioritised if/when the UK seeks an adequacy decision.

Review Data Flows:
Organisations established in the EU that are transmitting personal data will need to review their personal data flows and seek to isolate personal data that is being transmitted to and processed in the UK. The contracts underlying these transfers should also be reviewed (“UK Transfers”).

Orderly Brexit:

Actions: It is assumed that the EU Commission would adopt an adequacy decision, which would permit transfers of personal data for the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) to the UK, as part of and in advance of the orderly Brexit. Subject to the final wording contained in the agreement in relation to an orderly Brexit and an adequacy decision actually being adopted, no further actions would need to be taken in relation to these UK Transfers.

To the extent that there is any doubt on the adoption of an adequacy decision, it would be recommended and most prudent for organisations to insert model Standard Contractual Clauses (approved by the European Commission) in the contracts relating to the UK Transfers, which would provide the appropriate safeguards to permit the transfer of personal data to the UK in any event and would provide as robust a protection as possible.

No Deal Brexit:

Actions: Once UK Transfers have been isolated, there are a number of options available to organisations to lawfully transfer personal data to the UK:

a. the parties to a contract involving UK Transfers may insert model Standard Contractual Clauses (approved by the European Commission) in the contract which will provide the appropriate safeguards to permit the transfer of personal data to the UK (the Data Protection Commission has, in a guidance note released in June 2019, stated that this option is likely to be the most relevant one for impacted Irish organisations);

b. where UK Transfers are being made between entities within a multinational group of companies, or groups of enterprises engaged in a joint economic activity, an application may be made to the competent data protection authority(ies) for binding corporate rules (“BCRs”) to be adopted by the group, that will provide the appropriate safeguards. BCRs are legally binding internal rules, similar to codes of conduct, which set out the group’s common data processing standards;

c. consider whether the UK Transfers would fall within one of the derogations provided in the GDPR, namely where explicit consent to the restricted transfer is provided by the owner of the personal data, where the restricted transfer is necessary for the performance of a contract or where the restricted transfer is required for reasons of public interest, public security or the exercise of legal claims;

d. update the company/group Privacy Notice and other relevant documentation (including any clauses relating to consent) to include the granting of permission to transfer personal data to a third country, as defined under the GDPR.

The UK has stated that it will treat data protection laws in the EU as equivalent to UK laws in the event of a No Deal Scenario. As such, the transfer of data from businesses operating in the UK to businesses in the EU should not be impacted in the event of a No Deal Brexit.