Brexit, data protection and the transitional period

​Where we are now

The free and (relatively) unimpeded flow of data between the UK and European Union member states is critical for the continued smooth functioning of the UK economy, research projects, charitable endeavours and a host of other activities. Under the General Data Protection Regulation (“EU GDPR”), cross border transfers of personal data from an organisation in the European Economic Area (EEA) to one in a third party country – which is what the UK will be once the Brexit transition period ends at the end of 2020 – are restricted regardless of size, frequency or type.

To further complicate matters, the UK is incorporating GDPR into UK law, with adjustments applying after 31 December that will mirror the EU GDPR but from the perspective of protecting personal data within the UK from being transferred outside the UK.  For ease of reference, we will refer to the post 31 December UK version as “UK GDPR”.  As with EU GDPR, the UK GDPR requires that certain conditions are met before a data transfer can occur.

Adequacy decisions

Under both regimes, the ideal scenario is for there to be an “adequacy decision” in favour of the recipient country.  An adequacy decision is a finding that the legal framework in place within the recipient country provides “adequate” protection for the rights and freedoms of individuals.

There is no adequacy decision in place which will allow the free transfer of personal data from EEA countries to the UK after the end of the transition period on 31 December 2020.  While it might be expected that a finding that the UK’s data protection regime is adequate would be rapidly made, given that EU GDPR is already applicable in the UK, the UK and the EU have a history of conflict in relation to the UK’s treatment of personal data.

The Political Declaration annexed to the EU Withdrawal Agreement, which sets out both parties’ intentions regarding their future relationship, includes a commitment to a high level of data protection to facilitate data flows.  It provides that both the UK and the EU will start making adequacy assessments of the other as soon as possible after 31 January 2020, and will endeavour to “adopt decisions by the end of 2020”.  Given the multi-stage process involved, it is unlikely that an adequacy decision (if one is forthcoming) would be made until very close to the end of the year.  There may be a period in 2021 or afterwards during which a final decision remains outstanding.

Alternatives

In the absence of a concrete finding of adequacy, organisations need to consider their data flows and identify those which may be disrupted in the event that an adequacy decision is not forthcoming.  Where disruption is likely, steps to prevent interruptions to data flows can be put in place.  Options available at present include:

• Legal instruments can be put in place between two public authorities or bodies, provided that they provide appropriate safeguards (including enforceable rights and effective remedies) for the rights of the individuals whose personal data is being transferred.
• Binding corporate rules (“BCRs”) are an internal code of conduct operating within a multinational group.  BCRs must be submitted to an EEA supervisory authority in an EEA country where one of the companies is based, for approval.
• Standard contractual clauses can be put in place between senders and recipients of data, which contain contractual obligations on the data exporter and the data importer, and rights for the individuals whose personal data is transferred.  Standard contractual clauses have been designed and adopted by the European Commission and must be used in their entirety and without amendment.  However they are not suitable for all categories of data transfers.

Conclusions

Given that we are already nearly a month into the 11 month transitional period, and there is limited political desire to extend the transition period, decisions regarding how to handle potential problems with data transfers can no longer be avoided. The majority of UK organisations have already completed reviews of their processing, including full data audits, and will know or be able to identify where problems lie. To the extent that any organisation has not completed that work, it needs to be done on an urgent basis.