GDPR, data transfers and Brexit

While the UK is a member of the EU, transfers of personal data between the UK and other member states in either direction are lawful, as a member state is automatically assumed to operate a privacy regime of adequate standard. Subject to compliance with the GDPR, a UK business may process the personal data of subjects in the EU, use an EU data processor, share personal data with another EU data controller, or act as a data processor for an EU data controller without the need to further demonstrate adequacy in each individual case.

Once the UK leaves the EU (nominally in March 2019) the situation may well change - at least for an interim period of indeterminate duration. The Data Protection Act 2018 notwithstanding, the UK will at that point become a ‘third country’, losing its automatic assumption of adequacy. UK businesses will thereafter, with quite limited exceptions, only be able to participate in relevant data transfers if either the EU as a whole has made an ‘adequacy decision’ in favour of the UK, or alternatively all transfers are individually subject to approved standard contractual clauses that prescribe sufficient protection. It must be assumed that post-Brexit the UK’s relevant data processing is likely to be subject to more critical scrutiny than at present, so full compliance with whatever obligations are imposed by the EU will be essential.

The UK Government currently expresses optimism that we can enter into a ‘special relationship’ with the EU that will provide greater freedoms for personal data exchange than would an adequacy decision, and that by implication this could happen via a rapid, seamless transition from the current regime. However, European Chief Negotiator Michel Barnier has categorically rejected this idea, stating in public in May 2018: “It is the United Kingdom that is leaving the European Union. It cannot, on leaving, ask us to change who we are and how we work.”

An adequacy decision is therefore the most realistic long-term solution for the UK, but obtaining one is not guaranteed to be either swift or certain. It can only be applied for by a non-member state (and thus not until after Brexit), all 27 remaining EU states have to approve the decision, and the entire privacy regime of the applicant state must theoretically be taken into account. Here, the UK might stumble. For example, the Investigatory Powers Act 2016 has been deemed incompatible with EU law by the European Court of Justice in respect of data retention, and some provisions of the Data Protection Act 2018 potentially deny certain categories of data subject access to justice, notably in respect of immigration data. Even if such issues do not prevent an adequacy decision ultimately being granted, they could well delay it.

Consequently, despite the Government’s optimism, the prospect of a seamless transition from the UK’s current status to an adequacy decision and ‘business as usual’ is by no means assured, so we must anticipate some possible period as a third country without adequacy, and at the very least make workable plans to protect UK businesses from its adverse effects on the freedom to exchange personal data with EU businesses.

A temporary measure to allow continued lawful transfers would in principle be ‘standard contractual clauses’ for use between independent data controllers and between data controllers and processors. These are provided for in the GDPR: ‘(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority.’

These clauses are, however, intended to be imposed on third country parties to processing by ‘data exporters’ in the EU initiating or authorising transfers in the capacity of data controller. By implication only businesses established in the EU can be data exporters, so it does not seem that the UK will qualify.

There is at present no obvious mechanism to cover the situation where a business in the UK as a third country is the de facto initiating party and data controller of data transfers or sharing of EU data subjects’ personal data between itself and an EU business, or between itself and a business in another third country. Courtesy of the extent to which the Data Protection Act 2018 relies on the GDPR (which is not, however, necessarily the same as the UK being subject to the GDPR after Brexit), the UK party will probably still qualify as a data controller, but this may not of itself be sufficient to satisfy the case.

It follows that reliable UK measures satisfactory to the EU are needed to cover for this eventuality, and unless these are accomplished while the UK is still a member of the EU the process is unlikely to be swift or painless.

So UK businesses with commercial ties to Europe may have a problem towards whose resolution there seems so far to be little, if any, official progress.

At the time of writing the Information Commissioner’s Office (ICO) has told us that it’s not yet been tasked with establishing standard arrangements for data transfers and sharing initiated by UK businesses as a third country – indeed it is operating on an assumption of an automatic grant of adequacy to the UK. But should this not materialise, European businesses could cancel data sharing agreements with UK controllers, and data sharing transactions between UK businesses and businesses in other third countries of the personal data of EU data subjects might become unlawful.

We all of course hope that the Government's optimism is well founded and that a seamless transition to adequacy will occur, but it would be negligent to take this for granted.

This means that, at least as a precaution in case there is a delay before the UK is granted an adequacy decision, all UK organisations conducting business with Europe that involves personal data processing will have to review and consider revising all their relevant contracts prior to March 2019. However, any necessary revision cannot be finalised until standard contractual terms acceptable to Europe have been defined, approved and made available for inclusion.

The business community must therefore press for Government to establish a formal mechanism acceptable to Europe to allow relevant personal data transfers to continue in case the UK becomes a third country without an adequacy decision. Bearing in mind that at the time of writing a mere seven months remain until Brexit, by which time all contracts relating to existing personal data transfer and sharing arrangements between UK and European businesses must be in place and effective, and that it can take a business several months to perform the necessary revision of relevant contracts, this is a matter of extreme urgency.

Mike Barwise
Director, BiR
03/09/2018