Data protection is unlikely to be foremost in people’s minds when considering the impact of Brexit, whether it be soft or hard, deal or no deal.

The UK Government has, however, recently issued papers about various topics in a ‘no deal’ situation, and one of these is entitled: Data protection if there’s no Brexit deal.

The impact of Brexit

In the event of a ‘no-deal’ Brexit, with no agreed arrangements covering data protection, the Government is advising organisations to prepare appropriate contracts to ensure any transfer of European Union citizens’ personal data to the UK is compliant with privacy laws.

The UK faces the prospect of being regarded as a third country when it exits the EU. As a result, the transfer of personal data from organisations within the EU to other organisations in the UK will be subject to strict data transfer rules, as set out by the EU General Data Protection Regulation (GDPR). EU organisations will have to ensure their transfers to the UK are lawful, and that’s not going to be as simple as it is now.

You may have heard talk about ‘adequacy’ and speculation about whether the UK will be given ‘adequacy status’. Let’s explain.

What is adequacy?

It’s all about demonstrating to the EU that the UK is a safe place for data processing so that restrictions on data transfers are not imposed. The European Commission can assess non-EU countries’ level of personal data protection to see if it is essentially of an equivalent level to that of the EU. If a country ‘passes’ the rigorous testing, the Commission can make an Adequacy decision.

Countries with adequacy are not bound by the appropriate safeguard requirements set out in Article 46 and Article 47 of GDPR and personal data can flow unrestricted.

The European Commission has so far recognised the following countries as providing adequate protection: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. We should also mention the US-EU Privacy Shield, which is a recognised control for data transfers between the US and EU. This is limited to organisations in the US who sign up to the Privacy Shield framework.

Most recently in July this year, the EU and Japan agreed to recognise each other’s data protection systems as ‘equivalent’.

Will the UK automatically be awarded adequacy status?

Unless a Brexit deal is reached between the UK & the EU which covers data protection & data transfer arrangements, the answer is no. The Commission would need to go through an assessment process before adequacy could be granted. Despite pleas from the UK Government for this process to start, the Commission’s current position is that it will not commence the process until the UK has left the EU and become a third country. Article 45 of GDPR sets out what the Commission should take into account when considering whether to grant adequacy.

Is the UK likely to be awarded adequacy status?

If the UK leaves the EU in March 2019 with no agreement surrounding data protection & data transfers, the UK Government has stressed, “there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it”.

It is widely hoped this will go a long way in persuading the EC to grant adequacy. However, there are concerns the Commission will take a more detailed look at the UK’s crime and national security legislation during its assessment, and in particular the controversial Investigatory Powers Act 2016. This has been criticised by the European Court of Human Rights for giving too much power to security and intelligence services which could violate individual privacy.

The EC’s process for reaching an adequacy decision typically lasts several months (even years) and there is no guarantee it will be granted.

So, what do organisations need to do?

Let’s be clear, if no agreement is reached the UK will become a third country to the EU and will not have adequacy – at least not right after Brexit. So new restrictions for EU-UK data transfers will apply – at least in theory.

UK to EU transfers

The transfer of personal data from the UK to EU member states will, according to the Government, remain unaffected. The Government has stated, “In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.”

EU to UK transfers

UK organisations which receive any transfers of personal data of EU citizens, or any personal data from EU member states, need to prepare for the possibility of no deal. Initially, at the least, the UK will not be deemed an adequate country and there will be a burden for compliance with Articles 46-49 of GDPR on organisations sending personal data to the UK.

Organisations are being advised now to work with their EU partners to ensure compliant transfer of personal data between the UK and EU can be achieved.

The Government is advising that for the majority of organisations the most relevant legal basis for such transfers would be Standard Contractual Clauses (SCCs). These EC-approved data protection clauses, often known as model clauses, need to be embedded within contracts (without any changes), or added as an appendix to an existing contract, which may need to be reviewed on this point to avoid ambiguity. They cover the contractual obligations between both parties to protect the rights of the individuals whose data is being transferred. So model clauses are the way to go.

What else?

Organisations based outside the EU which offer goods and services to EU citizens, or monitor the behaviour of EU citizens, fall under the scope of GDPR Article 27, which includes the requirement for such organisations to nominate a representative in one of the EU member states. So, after Brexit, when the UK is outside the EU, this article will bring many UK organisations within its scope.

Also worth considering is whether your organisation is currently relying on the EU-US Privacy Shield. If so, this will need revisiting, as upon Brexit the UK will not be part of this arrangement.

In this period of uncertainty, it would appear prudent to start preparing for what may come – i.e. abide by existing legislation but anticipate possible changes and scrutiny to business processes impacted by cross-EU data-sharing. One would need a crystal ball to predict the outcome of any Brexit deal (at the time of writing only six months away), but it is entirely possible a period of ambiguity might result as political manoeuvrings are completed.

As ever, businesses which act in good faith, recording and justifying any changes to business processes and decisions, will be less vulnerable than those which do not – Keep Calm and Data On!

Written by Simon Blanchard, Senior Opt-4 Associate