On 15 January 2019, the British Parliament rejected Prime Minister Theresa May’s Brexit deal. The vote produced a clear result: no deal. A no-deal Brexit means the UK would leave the European Union (EU) on 29 March 2019, and there would be no agreements in place about what their relationship would be like in the future. But what does the vote mean for data protection in European companies?
The Brexit Agreement essentially stipulated that the UK would have to continue to apply the same data protection rules as other EU Member States, meaning the EU would treat personal data from the UK the same way as personal data obtained in the EU, even though the UK is seceding. The Agreement provides for a transition period until the end of 2020. This would leave enough time for the EU Commission to decide on a so-called adequacy decision in accordance with Art. 45 of the General Data Protection Regulation (GDPR).
After Brexit, the UK will become a so-called third country as defined in the GDPR. The GDPR includes special regulations for data transfer to a third country (Art. 44–49 GDPR).
However, a no-deal Brexit means that there is no such transitional period, and the UK will be treated as a third country upon its withdrawal on 29 March 2019. The EU Commission cannot be expected to issue an adequacy decision within this short period. Even though a no-deal scenario is becoming more likely as the deadline approaches, other scenarios are conceivable: e.g. a vote of no confidence, new elections or a second referendum. Companies exchanging personal data with the UK should definitely continue to monitor developments.
What to do in the event of a no-deal scenario?
In November 2018, the EU Commission published a Contingency Action Plan for a no-deal scenario. From a data protection point of view, it is worth mentioning that the catalogue does not contain an adequacy decision pursuant to Art. 45 GDPR.
Data transfers from the EU to the UK
The EU Commission published a Notice to stakeholders regarding the UK’s withdrawal from the EU and the EU’s data protection rules. This Notice is addressed to all European citizens, companies and EU Member States, and the EU Commission expressly urges being prepared for all possible scenarios.
In the case of a no-deal Brexit, personal data can only be transferred to the UK from 30 March 2019 onwards if one of the mechanisms stipulated in Art. 44 GDPR applies:
- Transfers on the basis of an adequacy decision (Art. 45 GDPR)
- Transfers subject to appropriate safeguards, for example Standard Contractual Clauses (Art. 46 GDPR)
- Exceptions for specific situations (Art. 49 GDPR):
  - Explicit consent from the data subject (Art. 49(1)(a) GDPR),
  - The transfer is necessary for contractual reasons (Art. 49(1)(b) GDPR),
  - The transfer is necessary for the establishment, exercise or defence of legal claims (Art. 49(1)(e) GDPR), or
  - The transfer is necessary for important reasons of public interest (Art. 49(1)(d) GDPR).
Please note that the European Court of Justice (ECJ) is currently examining the legality of the EU Standard Contractual Clauses. However, the use of Standard Contractual Clauses is still possible and common. Please keep yourself informed on further developments regarding this subject.
For companies in the UK
The UK Information Commissioner’s Office (ICO) has released practical guidance on key data protection issues if there is no Brexit deal. The following six steps are recommended:
- UK companies should continue to comply with GDPR standards and current ICO guidance.
- Data transfer to the UK from the EU/EEA: review the data transfer to ensure that adequate security measures are in place (see above).
- Data transfer from the UK to the EU/EEA and any other country outside the UK: comply with the provision of the UK Data Protection Act 2018 on international data transfers (Chapter 5).
- For European corporations: companies operating across Europe should review their processes and data flows, and if necessary, update these when the UK secedes from the EU.
- Organisational awareness: ensure that key people in the organisation stay up-to-date on the latest information and guidance and include the respective steps in any planning for leaving the EU.
The Department for Digital, Culture, Media and Sport has also released practical guidance in case the UK secedes from the EU without a deal. This contains the following general guidelines:
- The UK will recognise all EU/EEA countries and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue. Accordingly, no further mechanism needs to be used for data transfer from the UK to these countries.
- Existing adequacy decisions by the EU Commission (e.g. Switzerland) will be recognised on a transitional basis. This means that data transfer to countries with an adequacy decision can be continued.
- EU Standard Contractual Clauses may continue to be used with non-EU/EEA Member States.
- UK companies that are not represented in the EU (e.g. by a branch office) must be prepared to appoint an EU representative in accordance with Art. 27 GDPR if they process the personal data of EU citizens or offer goods and/or services in the EU/EEA.
Due to the uncertainty surrounding Brexit, the question remains as to what extent transfers of personal data between the UK and the EU/EEA can take place without obstacles in the future. It is therefore of great importance for both EU/EEA and UK companies to know whether the UK will be regarded as a third country with an adequate level of protection. If the UK is deemed to provide an adequate level of protection, the free movement of personal data between the EU/EEA and the UK will be ensured.