Brexit is now in doubt. The House of Commons has voted against the withdrawal agreement drafted by the European Union (EU) and the UK government. With little more than two months to go until Article 50 expires and the UK must leave Europe, there are only three practical options: extend Article 50 to give time to renegotiate the withdrawal agreement, have a second referendum, or leave the EU without an agreement – the so-called “no-deal Brexit”.
For those of us who deal with data protection daily in the UK and the EU, this uncertainty raises one big question: what is going to happen to the flow of personal information across borders?
Extending Article 50 wouldn’t change anything immediately, merely prolonging the uncertainty. And a second referendum that overturns the first would cement current regulations, including everything related to the General Data Protection Regulation (GDPR). But a no-deal Brexit would dramatically change how organisations manage data with their EU partners and counterparts.
A no-deal Brexit would not mean organisations in the UK will stop needing robust data protection. The UK Data Protection Act 2018 will be in place, but by leaving the EU, the UK will not have an arrangement for data sharing with the EU because it will also no longer be part of the territorial scope to which the GDPR applies. Instead, the UK will become a so-called “third country”.
Third countries wanting to share data with the EU must fulfil several data safeguard mechanisms as required by the GDPR or go through a robust process to prove their data protection measures are “Adequate” – in other words, aligned with the GDPR.
The European Commission can start the Adequacy process with the UK after Brexit, and in our experience it takes between two and four years for this process to be completed. Even though the UK Data Protection Act 2018 is very aligned to the GDPR, which is likely to shorten this period, the road to Adequacy would itself create a level of uncertainty.
Waiting for Adequacy
While the UK waits for Adequacy status, it will be more difficult for businesses to share data between EU and European Economic Area (EEA) member states and the UK. This is likely to affect most UK businesses because over 75% of international data sharing from the UK goes to the EU.
The effects of waiting for Adequacy will impact data sharing beyond Europe, too, as countries such as Japan and Canada have adopted data protection laws that include export controls in line with EU advice. This could make it more difficult for businesses in the UK to share data well beyond the EU.
The temporary remedy is for UK businesses to promptly review their binding contractual rules (BCR) and standard contractual clauses (SCC) with any inter-group non-UK operations and any EU counterparts and partners, to ensure appropriate safeguards are in place for personal data transfers with the EU.
This is the only way to minimise regulatory constraints on EU businesses working with UK counterparts. But this will put a lot of strain on the internal resources of many pan-European businesses.
Even if BCRs are in place, there is still a question of whether the data protection authorities in the EU will deem them acceptable as per the local data protection laws of their constituency. It might take some time to get a clear answer to this question.
What has the UK government said and done so far?
Amid uncertainty over Brexit, the UK government recently ratified Convention 108+, an agreement on robust data protection principles and rules signed by 25 other countries (19 from Europe and six from the rest of the world). This convention lets the signatory states share data, providing they implement its principles, which are aligned to the GDPR. Although this doesn’t remove the Brexit uncertainty, it will lessen the impact of a no-deal scenario.
The UK government has also published its no-deal Brexit advice on privacy and data protection. This encourages companies to rely on established safeguarding mechanisms, such as Convention 108+, to share data internationally. But until the UK gets Adequacy status, businesses will not necessarily be able to share personal data freely with all their EU operations or counterparts. So they should ensure that contingency plans are in place.
How can businesses prepare for a no-deal Brexit?
It remains unclear what appetite EU regulators have for strictly enforcing GDPR requirements immediately after a no-deal Brexit. UK businesses may find it beneficial to take risk-based decisions depending on the nature and sensitivity of the data and its importance to their operations.
Even so, there are actions that will minimise the impact of a no-deal Brexit on your personal data transfers, such as:
And, more importantly:
Given the chaotic nature of Brexit and the short time remaining before the EU-UK divorce on 29 March 2019, a no-deal Brexit could create a very demanding workload, primarily on UK businesses, with a very short deadline. You should consider now what actions you may need to take to protect your business, employees, customers and stakeholders and start planning the implementation of those actions.