The UK Department for Culture, Media and Sport (DCMS) and the Information Commissioner’s Office (ICO) have each issued no-deal Brexit data protection guidance. These documents set out the impact that a no-deal Brexit scenario will have on UK data protection and the steps that organisations can take to prepare for that possibility. The 'International Transfers' section of the ICO guidance is particularly interesting: it examines how businesses with data flows from the European Economic Area may not be able to transfer personal data to the UK once the UK is a third country without the benefit of an adequacy decision.
The DCMS has released new guidance, 'Amendments to UK data protection law in the event the UK leaves the EU without a deal on 29 March 2019', which supplements its previous technical note, 'Data Protection if there's no Brexit deal'. In summary, the DCMS guidance states that if there is a 'no deal' scenario then:
- Responsibilities of data controllers across the UK will not change, and data subjects will continue to benefit from the same high levels of data protection as they do now.
- The UK will transitionally recognise all European Economic Area states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for UK personal data. This will mean that data flows from the UK can continue to the EU.
- Where the EU has made an adequacy decision in respect of a non-EU country prior to exit day, the UK government intends to preserve the effect of these decisions on a transitional basis.
- Provision will be made so that the use of Standard Contractual Clauses (SCCs) will continue to be an effective basis for international transfers of personal data from the UK. The ICO has also produced an interactive tool to help you to assess if you need to use SCCs.
- Existing authorisation of Binding Corporate Rules made by the Information Commissioner will continue to be recognised in the UK.
- Controllers of personal data located outside of the UK will be required to appoint a UK representative (as currently set out in Article 27 GDPR). This requirement will only apply to companies offering goods and services in the UK or those companies which monitor the behaviour of any residents in the UK.
The UK Information Commissioner, Elizabeth Denham, has published a blog which sets out how the ICO is helping businesses prepare for a no-deal Brexit. This includes a 'six step' plan, broader guidance on the effects of leaving the EU without a withdrawal agreement and answers to some Frequently Asked Questions.
Six Steps to Take
The six step guide notes:
- Compliance. Continue to comply with GDPR standards and follow current ICO guidance.
- Transfers to the UK. Review data flows and identify where your organisation receives data into the UK from the EEA to ensure sufficient safeguards are in place to allow the continued flow of personal data.
- Transfers from the UK. Review data flows to countries outside of the UK, as these will fall under new UK transfer and documentation provisions.
- European operations. For organisations that operate across Europe, review data flows, processing operations and group structures to assess the effect of Brexit on your business.
- Documentation. Identify privacy documentation in the event it needs to be updated when the UK leaves the EU.
- Organisational awareness. Ensure key people in the organisation are aware of these key issues and that you keep up to date with the latest information and guidance.
The six step guide sets out practical guidance to help businesses in the UK which:
- Operate in the EEA; or
- Send personal data outside the UK; or
- Receive personal data from the EEA.
Further guidance will be published at a later date to assist individuals.
The FAQs provide useful answers to questions such as 'Does the Privacy Electronic Communications Regulations still apply?' and 'Does the Network Information Security Regulations still apply?'. The answer to both of these is 'yes'. As noted in the FAQs, the EU is replacing the current e-privacy law with a new e-privacy Regulation and the ICO notes that it is "unlikely to be finalised before the UK exits the EU". This means the new e-privacy Regulation will not form part of UK law if we leave without a deal (but, of course, businesses operating in the EU will need to comply with its requirements).
Watch this space…
The guidance from both the ICO and the DCMS focuses on the immediate impact of a no-deal Brexit.
The elephant in the room is a question which remains to be answered – will the European Commission decide that the UK is an 'adequate' third country to enable the continued free flow of personal data from the EEA to the UK, and even if it does, how long will the Commission take to make the decision?