Data flows at risk after a no-deal Brexit
Planning for a no-deal Brexit is not easy, even where detailed UK Government and EU Commission guidance is available. The UK's “How to prepare” technical notices and Europe's Contingency Action Plan and Preparedness notices do help in many areas, but there are gaps. We have come across several of these as we support clients making their no-deal plans.
One issue that concerns us is how personal data is to flow from an EU-based processor to a UK controller after a no-deal Brexit. Obviously, while the UK remains a part of the EU, this kind of cross-border transfer is not a problem. If the Withdrawal Agreement is ratified, then during the transition or implementation period running to the end of 2020, the situation would remain largely as it is now. Data flows could continue unimpeded. Once the transition period comes to an end there is more uncertainty, but the future situation looks positive. The Political Declaration on the future relationship between the EU27 and the UK envisages an adequacy assessment starting straight away. The EU Commission promises to begin
“assessments with respect to the United Kingdom as soon as possible after the United Kingdom's withdrawal, endeavouring to adopt decisions by the end of 2020”
The existing closeness of the UK's data protection regime to that of the EU gives confidence that an adequacy decision can be reached.
Much more difficult is the prospect of a no-deal Brexit. Not only would this mean that existing arrangements come to an abrupt end on 29 March 2019, but also that there is no promise to push ahead with reaching an adequacy decision. In fact, the Commission has said in its Contingency Action Plan that
“the adoption of an adequacy decision is not part of the Commission's contingency planning.”
This is quite a tough position and may to some extent be politically motivated. The Commission refers to the other options available to permit international transfers, and especially
“the so-called ʻappropriate safeguardsʼ (e.g. the Commission's approved Standard Contractual Clauses, Binding Corporate Rules, administrative arrangements) that can be used both by the private sector and public authorities”.
It is true that these tools can be used in many situations, but not all. For example, a data controller may use services provided by a processor based in an EU country (Ireland, or Luxembourg, perhaps). Between two controllers, or a UK-based processor and an EU-based controller model contracts can be put in place. But there is no set of model clauses dealing with transfer by an EU-based processor to a third country controller, and the processor may not be happy to continue transferring data in those circumstances.
In some situations it may be possible to rely on other more specific grounds for transferring the data. One of the derogations in Article 49 of the GDPR might be relevant, like explicit consent or necessity for the performance of a contract. But remember that these exceptions are strictly applied and will not always be available to help out.
It is of course important to make contingency plans for a range of possible outcomes. But if an organisation finds that it falls into this gap there may be little that it can do to prepare.