
Further guidance on data transfers in the event of a no-deal Brexit

Posted on 25 February 2019

Following guidance issued by DCMS and the ICO at the end of last year (discussed in our bulletin), the European Data Protection Board (EDPB) has published its own information notice on data transfers from the EEA to the UK post-Brexit in the event of a no-deal.  The notice confirms that, after 29 March 2019, if the UK leaves without a deal, transfers of personal data from the EEA to the UK can only take place using:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules
  • Codes of Conduct and Certification Mechanisms
  • Derogations (including, for example, explicit consent of the data subject)

Personal data transfers from the UK to the EEA will, at least transitionally, be allowed to continue as currently, due to the UK government's decision to recognise the EU's data protection regime as adequate.

The EDPB identifies the following five steps that a business should take to prepare in relation to transfers of personal data from the EEA to the UK:

  1. Identify its processing activities that will involve a personal data transfer to the UK
  2. Determine the appropriate data transfer instrument for its situation
  3. Implement the chosen data transfer instrument to be ready for 30 March 2019
  4. Indicate in its internal documentation that transfers will be made to the UK
  5. Update its privacy notice accordingly to inform individuals

The most likely mechanism to be used for such transfers will be SCCs adopted by the European Commission.  The EDPB stresses that these are a 'ready to use' instrument and must not be modified (although they can be included in a wider contract, and additional clauses may be included provided they do not contradict the SCCs).

In addition to considering data flows between the UK and the EEA, businesses need to consider data flows from the UK to other territories, and compliance with the new 'UK GDPR' that will be in effect on Exit day (through The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – discussed in our bulletin).

In particular, the UK government has decided to adopt adequacy decisions already adopted by the EU, including, in relation to the United States, the partial adequacy decision in the form of the Privacy Shield.  The US Department of Commerce has issued guidance to Privacy Shield participants confirming that they should update their Privacy Shield commitments (i.e., in their Privacy Notices and any relevant HR privacy policy) by Exit day to include reference to the UK, and also to maintain a current Privacy Shield certification. The UK government has also issued a further draft statutory instrument (The Data Protection, Privacy and Electronic Communications (Amendments etc) (No 2) Regulations 2019) which also provides that, in a no-deal scenario, transfers of personal data from the UK in reliance on the Privacy Shield can only take place if the certified Privacy Shield company has a compliant privacy policy.  Businesses transferring personal data to the US should therefore bear this requirement in mind when making transfers post Exit. 
