The GDPR, now almost a year old, places restrictions on data controllers and data processors who wish to process “personal data” (information about living individuals) on EU citizens outside the EEA. The intention behind these rules is to ensure that, in the event of the transfer of personal data outside the EEA, those citizens retain equivalent rights and protections in respect of their personal data as if the processing was occurring in the EU.
In particular, under GDPR, transfers of personal data to a country outside the EU may only occur if:
- the EU has decided that the third country provides “an adequate level of protection”, known as an Adequacy Decision; or
- the controller (or processor) has provided appropriate safeguards and enforceable rights for data subjects (Adequate Safeguards). Such safeguards are commonly provided by using EU Commission-approved model contractual clauses in the contract with the controller/processor outside the EU.
The government has provided guidance on the effect of Brexit on overseas transfers of personal data. Unsurprisingly, the implications for business are more complicated if there is a no deal scenario.
What happens if the UK leaves the EU with a deal?
The implementation period will mean data controllers see no immediate change in their day-to-day obligations.
Personal data will be able to flow freely from the UK to the EEA and from the EEA to the UK during the implementation period.
As set out in the Political Declaration, the EU will begin its assessment of the UK as soon as possible after the UK’s withdrawal, endeavouring to adopt adequacy decisions (which would allow the continued free flow of personal data from the EEA to the UK) by the end of the implementation period.
What happens if the UK leaves the EU without a deal?
The UK will become a ‘third country’ for the purposes of GDPR if it leaves the European Union without a deal. Further, no formal EU Adequacy Decision allowing unrestricted transfers of personal data from the EU to the UK will be in place (despite the fact that at the point of departure the EU and UK will have identical data protection laws!).
The most significant implication of that will be felt by UK businesses who are involved in material transfers of personal data from EU countries to the UK, as controllers and processors will, pending an Adequacy Decision, need to ensure that they have “Adequate Safeguards” (such as model contract clauses) in place to allow such data transfers.
Interestingly, transfers of personal data from the UK to the EU will not be restricted in the same way, as the UK Government has made it clear that it will allow such transfers without additional protection – in essence accepting that EU countries will provide an adequate level of protection.
ICO Guidance in the event of a no deal
Nearly three years after the Brexit referendum, we are still no clearer on whether the UK will indeed leave the EU and, if it does, whether it will do so with or without a deal.
However, if your business is involved in any material transfer of personal data to the UK from the EU, it would be prudent to conduct some precautionary planning in case of a no deal Brexit in line with the ICO’s guidance.