With the Johnson ministry now in its second week, it is important to take stock of what impact Brexit will have on your privacy and data protection provisions. The Prime Minister has made clear that there will be ‘no ifs or buts’ on the withdrawal of the UK from the EU on 31 October 2019 (exit day).
What does this mean for privacy and data protection? Some areas still need government clarification or will be determined in any withdrawal agreement. Below, we set out some of the key issues that companies with UK and EU operations need to think about.
1. Personal data flows from the EU to the UK after Brexit. What happens? The UK will be a ‘third country’ without adequacy status.
In the event of a no-deal Brexit, the UK will become a third country. This means that, post-Brexit, data transfers to the UK can only occur under the following mechanisms:
- Adequacy agreement. There is currently no adequacy agreement in place for the UK.
- Standard contractual clauses. These can be used alongside your data processing agreement. They must not be modified, and must be signed as provided by the European Commission.
- Binding corporate rules (BCR). These are personal data protection policies agreed by a group of companies, and approved by the BCR lead supervisory authority (LSA) and the European Data Protection Board (EDPB).
- Codes of conduct and certification mechanisms. These should contain binding and enforceable commitments, for example to provide appropriate safeguards. The EDPB is planning to publish guidance in this area.
- Relying on derogations. There are a number of derogations which allow for the transfer of personal data without the safeguards listed above. However, these are interpreted very restrictively.