Data protection and Brexit: plan for the worst – hope for the best

What’s certain, is personal data laws will change at the end of the transition period (31 December 2020) as the UK leaves the EU. The UK will no longer be governed by the GDPR, and all organisations will need to review and, if necessary, make changes to their privacy notices to reflect the change to UK law. For some, who do not operate in Europe and who do not transfer data outside the UK, little else may change.

What is less certain is the impact of the UK’s status as a “third country” on international data transfers.  As a non-EU member, data transfers from the EU/EEA countries to the UK will be “restricted” unless an appropriate transfer mechanism is used. The Department for Digital, Culture, Media and Sport (DCMS) has been confident that the UK will be given an “adequacy” decision by the EU; which would enable continuation of the status quo and recognition that, as at the end of the transitional arrangements, UK and EU law is aligned.

That confidence will have been undermined by the recent European Court of Justice decision in La Quadrature du Net which has challenged the wholescale data retention frameworks adopted by a number of EU countries and the UK. The ECJ ruling found that national laws requiring bulk data communications to be made available to the security agencies were contrary to EU fundamental rights. Taken alongside the ECJ decision in the Schrems II case earlier in July, which criticised the intrusive nature of the US surveillance laws, it makes it less likely that the EU will be prepared to give an adequacy approval to the UK. Especially given longstanding concerns over the extent of surveillance that the UK has to date been able to justify under the national security exemptions it has enjoyed as a member of the EU.

Whilst the deadline for concluding negotiations on the new trade deal has been set at the end of October, it isn’t certain that the position will be concluded by then.  In the face of this uncertainty, organisations need to be prepared to have in place alternative transfer mechanisms to preserve the lawfulness of their international data transfers.  Whilst there are a number of potential mechanisms, for most organisations the Standard Contract Clauses provides an obvious solution. But beware, they aren’t appropriate for all circumstances, and it can be a time consuming exercise to implement, assuming that the organisation is fully aware of all its data flows. With the 1 January 2021 fast approaching, it is important that the organisations take steps now to be ready, and avoid the potential risk, liability and reputational impact of non-compliance.