‘No-deal’ Brexit risks U.K. and EU data transfer problems

“Until the European Commission rules that data protection in the U.K. is on a par with that in the EU, the U.K. will be considered as a third country and there will be restrictions on data flows,” said Elizabeth Denham, U.K. Information Commissioner, at the 40th International Conference of Data Protection and Privacy Commissioners in October.

Despite the U.K. and EU agreeing a Brexit withdrawal agreement, there is no guarantee that U.K. Members of Parliament will back it, so a “no deal” scenario still looms large.

An Information Commissioner’s Office (ICO) spokesperson said: “The draft Withdrawal Agreement provides that during the implementation period to December 2020, the General Data Protection Regulation (GDPR) will continue to have effect in the U.K. So personal data will continue to flow within the European Economic Area, just as it does now, with no need for special measures.” She added: “The political declaration also makes clear the importance of trying to achieve an adequacy decision during the implementation period and ensure future regulatory cooperation.”

The U.K. government had already set about warning U.K. businesses during the summer of the risks of potential disruptions in data flow. On 13 September the Department for Digital, Culture, Media, and Sport (DCMS) issued technical guidance outlining the consequences for U.K./EU data protection under a “no-deal” Brexit.

The guidance clarifies that while the United Kingdom will retain GDPR, and that personal data transfers from the United Kingdom to the European Union will remain valid, the legal framework governing the transfer of personal data from the European to the United Kingdom will change—and will require “specific safeguards”—unless a deal is agreed.

The U.K. government has already set about warning U.K. businesses of the risks. On 13 September, the Department for Digital, Culture, Media, and Sport (DCMS) issued technical guidance outlining the consequences for U.K./EU data protection under a “no-deal” Brexit.

“Regarding the U.K. as a third country is not the best way forward. The U.K. has contributed a great deal to EU data privacy issues, and I think it would be a hard task for the European Commission to find the U.K. inadequate in terms of data protection.”

Elizabeth Denham, U.K. Information Commissioner

The guidance clarifies that while the United Kingdom will retain the EU General Data Protection Regulation (GDPR) and that personal data transfers from the United Kingdom to the European Union will remain valid, the legal framework governing the transfer of personal data from the European Union to the United Kingdom will change—and will require “specific safeguards”—unless a deal is reached.

Under the GDPR, organisations within the European Union are only permitted to transfer personal data outside the European Economic Area (EEA) if certain conditions are met.

The U.K. government wants to secure an “adequacy determination” within the ultimate withdrawal treaty to maintain a free flow of data between the United Kingdom and the European Union. An adequacy determination would mean that the European Commission deems the U.K.’s level of personal data protection essentially equivalent to that of the European Union and would enable data to flow unrestricted.

Presently, however, such an outcome remains uncertain; and the U.K. government advises organisations to take contingency action, such as using standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract.

Also, given the lack of movement on Brexit negotiations, law firms such as Norton Rose Fulbright and DLA Piper suggest firms make contingency plans and consider such clauses.

“Regarding the U.K. as a third country is not the best way forward,” said Denham. She added that “the U.K. has contributed a great deal to EU data privacy issues, and I think it would be a hard task for the European Commission to find the U.K. inadequate in terms of data protection.”

Giovanni Buttarelli, European data protection supervisor, echoed her thoughts, noting that “the U.K. has made an important contribution to data protection and privacy issues as an EU member.” Buttarelli says he hopes an “agreement can be reached.”