HomeInsightsGovernment publishes technical notice on data protection if there is no Brexit deal

The notice explains that if the UK leaves the EU in March 2019 with no deal, there would be no immediate change in the UK’s own data protection standards because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.

Organisations would continue to be able to send personal data from the UK to the EU as the UK would, at the point of exit, continue to allow the free flow of personal data from the UK to the EU.  The UK would keep this under review.

However, the legal framework governing transfers of personal data from organisations (or subsidiaries) established in the EU to organisations established in the UK would change on exit.  Action would therefore need to be taken to ensure this can continue.

The EU has an established mechanism to allow the free flow of personal data to countries outside the EU, through the issue of “adequacy decisions”.  The European Commission has stated that if it deems the UK’s level of personal data protection essentially equivalent to that of the EU, it would make an adequacy decision allowing the transfer of personal data to the UK without restrictions.  The Commission has stated, however, that it cannot issue an adequacy decision until the UK is a third country.

If the Commission does not make an adequacy decision at the point of exit, the notice states that organisations wanting to receive personal data from organisations established in the EU (including data centres) should consider assisting their EU partners in identifying a legal basis for those transfers.

For the majority of organisations, the most relevant alternative legal basis would be standard contractual clauses, i.e. model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract.  In certain circumstances, EU partners may alternatively be able to rely on a derogation in order to transfer personal data.

In the event of no deal, the Information Commissioner’s Office would produce additional guidance outlining the steps organisations would need to take to continue to meet their obligations.  EU organisations should seek guidance from their respective data protection authorities.

The notice states that the Information Commissioner will remain the UK’s independent supervisory authority on data protection, and the UK will continue to push for close cooperation and joined up enforcement action between the Commissioner’s office and EU data protection authorities.  To read the technical notice in full, click here.

Expertise