The new Prime Minister, Boris Johnson, has not wasted any time in overhauling the cabinet, and in doing so, surrounding himself with prominent Brexit supporters. Many consider, rightly or wrongly, that Johnson has become a figurehead for a “no deal” Brexit and that his appointment this week significantly increases the likelihood of leaving the EU without a withdrawal agreement.
Johnson has consistently refused to rule-out “no deal” and his Brexit planning team – led by former Environment Secretary Michael Gove – are said to be rigorously planning for the possibility of leaving the European Union on 31 October 2019 without a deal.
Amongst the many other potential implications of a “no deal” Brexit, leaving the EU without a withdrawal agreement would, at least in the short-term, have a significant impact on the flow of personal data between the UK and the remaining EU27 Member States.
This article considers how international transfers would be affected and the steps that businesses reliant on transferring data outside the UK can take to plan for a “no deal” scenario.
International data transfers – now
The General Data Protection Regulation (the “GDPR”), an EU regulation implemented in May 2018, imposes specific rules on the international transfer of personal data. Whilst the UK remains a member of the European Union, personal data can be transferred with other countries within the European Economic Area (“EEA”) (i.e. EU Member States, Iceland, Norway and Liechtenstein) without needing to meet any other transfer criteria. That is because the countries within the EEA are all subject to the GDPR, so the level of protection applied to personal data should be the same throughout.
However, the GDPR restricts the transfer of personal data to countries outside the EEA. At present, if your organisation wants to transfer personal data to an organisation in a country outside the EEA (known as a “third country”), then you must first meet specific conditions under the GDPR.
These conditions include whether or not the country in which the transferee organisation is located has an “adequacy decision”. An adequacy decision is a finding by the European Commission that the legal framework in that transferee country provides adequate protection for personal data. There are only currently a handful of adequacy decisions made by the European Commission, including those in favour of New Zealand, Switzerland and Argentina. There are also partial adequacy decisions in favour of Japan, Canada and the USA.
If there is no adequacy decision for the transferee country, then the organisation wishing to transfer personal data outside the EEA must meet further requirements to establish that there are “appropriate safeguards” in place. Those “appropriate safeguards” are intended to ensure that the data being transferred is properly protected.
Meeting these requirements, which include the transferor and transferee entering into data protection clauses approved by the European Commission, are often burdensome and difficult to attain. At best, they impose an additional layer of administration that most businesses would prefer avoid.
International data transfers – “no deal” Brexit
If the UK leaves the EU without a deal, then it would by default become a “third country”. That means that the UK government would need to secure a full adequacy decision (unlikely if there is no deal and in any event may take considerable time) to ensure that personal data can continue to flow freely from EEA organisations and the UK.
Failure to secure an adequacy decision would require EEA organisations seeking to transfer personal data to the UK to meet the additional “appropriate safeguards” requirements under the GDPR. In practice, this may involve the negotiation of specific data protection clauses or identification of other safeguards under the GDPR, giving scope for more protracted negotiation and therefore increased costs. However, as a worst case scenario, EEA organisations may give second thought as to whether to do business with UK organisations to avoid this layer of administration.
In short, the transfer of data from organisations outside the UK becomes increasingly difficult.
Who would be affected?
Simply put: any organisation that transfers or receives personal data from outside the UK. For example, this would include if your organisation receives personal data from customers outside the UK or any non-UK group companies.
It is also likely to have significant impact on organisations’ supply chains. If your business relies on the transferring personal data to and from suppliers outside the UK, then in the event of a “no deal” Brexit, you will need to consider the basis on which you are doing so.
Whilst personal data is not always transferred to and from suppliers, it is likely that many businesses will have a relationship with suppliers that involves the sharing of personal data; for example, cloud storage and software providers, who are often not based in the UK.
Before the introduction of the GDPR, many US software providers moved their data centres to EEA countries so that personal data was held within the EEA; thereby assisting their EEA customers to comply with the GDPR. However, it remains to be seen whether further data centres will be opened in the UK in the event that there is no withdrawal agreement.
If we leave the EU, will GDPR still apply?
In the short-to-medium term, yes. The GDPR has been adopted as UK domestic law through the Data Protection Act 2018, and the UK government have consistently confirmed that despite Brexit the UK will maintain the data protection standards implemented by the GDPR. On that basis, for the time being at least, we will still be bound by the rules set out in the GDPR.
How to prepare?
Of course, there is no guarantee that the UK will leave without a deal on 31 October and as such, there is inevitable uncertainty to Brexit-planning. However, UK businesses can take a number of practicable steps to prepare for the eventuality of a “no deal” Brexit, to ensure that they are not restricted from transferring or receiving personal data from outside the UK.
Most importantly, it will be crucial to understand when you transfer and receive personal data internationally. It would be sensible to carry out an audit of the location of customers and suppliers to determine which (if any) are in non-UK countries. Likewise, if your business is part of a wider group, consider if there are any group companies based outside the UK with whom you share personal data.
If it transpires that customers and/or suppliers are based outside the UK, then the next step would be to review the terms of the contract with that organisation to see what, if anything, has been agreed in relation to data protection. For example, have specific terms been agreed around the transfer and protection of personal data between the parties?
In circumstances where those terms are not sufficient to meet the “appropriate safeguard” requirements under the GDPR, or no terms exist at all, then businesses would need to consider how they can meet those requirements. This will, of course, require assessment on a case-by-case basis.
Whilst no one can predict the UK’s future relationship with the EU, it is clear that a “no deal” Brexit would pose challenges for the UK’s data protection regime. The findings from the recent House of Commons Brexit Committee report, specifically noted that there would be “legal obstacles for businesses that depend on the free movement of data”. On that basis, it would be prudent for those who need to transfer or receive personal data internationally to begin taking commercial steps to prepare for a “no deal” scenario.
If you have any questions regarding the above, please feel free to email Alex Saunders at firstname.lastname@example.org.
Note: The content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any specific circumstance.