New government guidance on cross-border flows of personal data is helpful, but serious questions remain unanswered.
The free movement of personal data within the European Union has been one of the bedrocks of data protection law since 1995, and the General Data Protection Regulation (GDPR) maintains this as a key objective. As the recitals to GDPR explain, such free movement contributes to economic and social progress and to the strengthening and convergence of economies within the EU's internal market.
However, since June 2016, when the United Kingdom voted to leave the European Union, a question which has concerned and vexed data protection lawyers, as well as many businesses, is what the UK's position on the transfer of personal data between EU states and a post-Brexit UK will be. In particular, a "No-deal" Brexit scenario presents immediate and pressing concerns for anyone in the UK who needs to continue to receive personal data from anyone in the EU.
This is because, once the UK is no longer part of the EU, even though it will have data protection laws broadly similar to those of the EU, it will become a "third country" for the purposes of GDPR. This means the starting position will be significant restrictions on the ability of companies and other entities in the EU to transfer personal data to the UK. In the absence of a formal determination by the European Commission that the UK has in place an adequate level of protection, transfers to the UK will, as a matter of normal practice, only be allowed to take place under certain restricted circumstances. As a bare matter of fact, an adequacy determination by the Commission can only be made once the UK becomes a "third country", and the process of determining adequacy can take some considerable time.
In an attempt to address concerns, on 13 September the UK Government published, in its series of technical notices covering the eventuality of a no-deal Brexit scenario, guidance on "Data protection if there's no Brexit deal". Within this is the submission that transfers from the UK to the EU can continue unabated – the UK will have sufficient assurance of the EU's data protection arrangements to ensure that. But, as for transfers from the EU to the UK, the guidance confirms that "for the majority of organisations the most relevant alternative [to an adequacy determination]…would be standard contractual clauses" – these are clauses, approved by the Commission, that create obligations on the parties involved in the transfer of personal data to ensure appropriate protection is in place.
There remain questions, however. For instance, model clauses only work within the confines of a contractual relationship. Transfers of personal data not covered by contract are potentially problematic and may need to avail themselves of derogations or exceptions, which could well require legal or regulatory input or guidance. Add to that the fact that the current versions of the Commission's model clauses have not yet been updated to reflect GDPR, making them singularly unhelpful for the drafters of contracts, and are under challenge as to their validity before the CJEU.
Furthermore, while it is to be hoped that an adequacy determination from the Commission will eventually be forthcoming, there are indications that such a determination might not be a "done deal". For many years the Commission has expressed concern about the UK's implementation of European data protection law, and – as with so many things relating to Brexit – there may well be a reluctance to allow the UK to leave the EU and be seen to suffer no consequences for doing so.