Time to prepare for data limbo? A no-deal Brexit and its impact on cross-border data flows
As a no-deal Brexit becomes a distinct possibility the UK government is to start producing guidance to deal with this eventuality. However when it comes to data protection and the cross border flow of personal data – critical to the UK economy – the UK's options in absence of a deal with the EU which expressly addresses data protection are very limited. And this is a crucial issue for our digitally driven economy – cross border data flows in and out of the UK increased 28 fold between 2005 and 2015 and are expected to grow another five times by 2021. Three-quarters of these flows are estimated to be with EU countries.
The impact of a no deal Brexit
It is anticipated that UK businesses will continue to be able to freely export personal data to EU states post a no-deal Brexit – this is because the European Union (Withdrawal Act) 2018 will continue to keep the General Data Protection Regulation (GDPR) in force in the UK (at least initially) and so cross-border flows to the EU will be permitted. But, crucially, from 30 March 2019 a different position will apply to EU businesses who wish to export personal data to the UK. It will be a matter of EU law for them as to whether they will be able to transfer personal data to the UK. This is because from 30 March 2019 the UK will become a "third country" and so there will be no automatic ability for an EU based business to lawfully transfer personal data to the UK.
The European Commission has made its position on the matter crystal clear in its July 2018 Communication on preparing for Brexit:
Currently, personal data can flow freely between the Member States of the EU, when the GDPR (General Data Protection Regulation 2016/679) is respected. Once EU law ceases to apply to the United Kingdom, the transfer of personal data from the EU to the United Kingdom will still be possible, but it will be subject to specific conditions set in EU law.
Companies and Member States' authorities that are currently transmitting personal data to the United Kingdom should therefore be aware that this will become a "transfer" of personal data to a third country, and explore if it could be permitted under relevant provisions of EU legislation. If the United Kingdom's level of personal data protection is essentially equivalent to that of the EU, the Commission would adopt an adequacy decision which allows for transfer of personal data to the United Kingdom without restrictions. However, this decision could only be taken once the United Kingdom becomes a third country. Companies should therefore assess whether, in the absence of an adequacy decision, measures are necessary to ensure that these transfers remain possible. The Member States Data Protection Authorities should assist companies in this endeavour.
In short unless and until the Commission adopts an adequacy decision in relation to the UK (which is likely to take time as a formal legislative process is required) the UK will be in "data limbo" as regards the free movement of data into the UK from the EU. The GDPR is clear that there are only a limited number of ways in which personal data can be lawfully exported to a third country – an adequacy decision is one such possibility. Other options include intracompany binding corporate rules and the use of approved model clauses/data transfer agreements. However, these other options are undoubtedly burdensome, bureaucratic and a challenge, in particular, for SMEs.
Implications for business
Businesses which currently trade cross border with the EU and import personal data need to decide whether they should put contingency plans in place for data limbo following a no deal Brexit. Organisations based in the UK which have significant data processing operations here in relation to data imported from the EU (including cloud based providers based in the UK) should definitely be considering contingency planning. And any cross border contracts currently being negotiated ought to address the risk of a no deal Brexit where the import of personal data into the UK from the EU is a material part of the commercial arrangement.