Clive Halperin, partner and head of corporate commercial at London-based GSC Solicitors LLP, says businesses must make data transfer contingency plans and expect more data protection enforcement as a result of Brexit.
This article is the view of the author and not necessarily of Ready for Brexit. It is for general information only and specialist legal advice should be taken in relation to specific circumstances.
The ability to freely transfer data from one country to another is of vital importance to the smooth running of trade and services. For some businesses, such as where there is a cross-border supply of goods and services, this is even more important.
Being part of the EU has meant that generally personal data can be freely transferred between member states (although there are some differences in data protection law between individual EU member states). However, transferring data outside of the EU and EEA countries to so-called ‘third countries’ can be legally more complicated. After Brexit, the UK will be a third country.
Any business that prepared for GDPR in 2018, or even for previous data protection legislation, should have some understanding about the restrictions on transferring data outside of the EEA. Businesses may have encountered some of the complexities of achieving this and remaining legally compliant, even for seemingly mundane tasks such as e-commerce and cloud computing. For other tasks – say medical or political data – this can be much less straightforward.
Several third countries have had an ‘adequacy decision’ made by the European Commission. This is where the EU has decided that the third country has adequate data protection laws and that personal data can flow to EEA countries without any further safeguards being necessary. Examples are Canada (for some purposes), New Zealand and Argentina.
The United States has had a limited adequacy decision made where the Privacy Shield framework is adhered to. The Privacy Shield framework is a process of self-certification; it was adopted after the previous ‘Safe Harbor’ regime was ruled unlawful in 2015 by the European Court of Justice. Many US companies, however, are not part of the Privacy Shield and others may not have all of their services covered by the Privacy Shield.
The European Parliament and Council may also request the European Commission to amend or withdraw an adequacy decision and so even once granted, there is no certainty that it will continue indefinitely.
The proposed Withdrawal Agreement does not provide for an adequacy decision by the end of the transition period, although the political declaration issued refers to endeavouring to adopt a decision by the end of 2020. If an adequacy decision is made for the UK, then information should be easily transferred to and from the EU. If the UK data protection laws are aligned with EU law, it is hoped that obtaining an adequacy decision will be straightforward, but this is not guaranteed.
Political and commercial obstacles may appear. EU countries may perceive a benefit in restricting free transfer of data to the UK; they may consider it an advantage to make the UK less attractive to multinational companies or to selling goods and services to EU countries. They might seek to impede the approval of an adequacy decision for the UK or to challenge it, if and when it’s granted.
This may lead some businesses to consider moving operations to an EU country, at least for some services such as cloud-hosting environments.
What if there is a no-deal Brexit?
In the event of a no-deal Brexit, from Brexit Day, the UK will be treated as a third country like any other country for data transfer. The EU Commission indicated in its communication issued on 13 November 2018 that EU entities will need to treat the UK as any other third country and the adoption of an adequacy decision is not part of the Commission’s contingency planning. If a no-deal Brexit looks likely, expect a flurry of new contracts and conditions with European trading partners in early 2019.
Businesses preparing for a no-deal Brexit should be considering what they need to do to ensure that data transfers can continue – some examples are standard contractual clauses, binding corporate rules and obtaining specific consent.
Regulation and enforcement
Businesses should expect and be prepared for the UK regulator, the Information Commissioner’s Office (ICO), to clearly show that it is enforcing data protection laws. While it has this duty anyway, the UK Government will be keen to demonstrate that it is protecting individuals’ data – not least to try and counter any suggestion that the UK is weak in this area and thus should not be granted an adequacy decision; or, if granted, should not keep it.
Many businesses will have reviewed their data protection compliance during 2018 as part of the coming into force of GDPR. Planning for Brexit means that this must be kept under close review, even during any transition period, to minimise the impact of Brexit on data transfers.