As is currently being announced in the press, an amended draft text for a Brexit Withdrawal Agreement has been agreed between the UK and the European Union. Next is the vote by Parliament this weekend, where it is far from certain that the proposed bill will receive the majority support necessary to progress through the legislature.
What happens if there is a successful Withdrawal Agreement?
There is an increasing chance that the amended Withdrawal Agreement as published on 17 October 2019 (with amendments to replace the backstop) may be approved by Parliament, and there could be enough time for the legislation to pass prior to 31 October 2019. If this is the case and the Withdrawal Agreement is brought into law, there is likely to be a transition period. During that time the GDPR will continue to apply in the UK. However, at the end of the transition period, the default position is the same as a no-deal Brexit, though there may be further adjustments depending on what agreements are made during the transition period.
What happens in the event of Brexit and no deal?
If there is a ‘no deal’ Brexit, under the European Union (Withdrawal) Act 2018, the General Data Protection Regulation (GDPR) will be retained as domestic UK law (UKGDPR).
Currently, the GDPR regulates transfers of personal data outside the European Economic Area (EEA), known as ‘restricted transfers’, and companies should already have arrangements in place covering such data transfers.
Post-Brexit there will be a further two considerations. First, since the GDPR will become domestic UK law, how to remain compliant if a data transfer from the UK outwards now becomes a restricted transfer. Secondly, how a company can continue to receive personal data from outside the UK, even if it is from an EEA country.
- UK outwards transfer post Brexit
As the UKGDPR will apply, the requirements will be similar to those that currently apply to restricted transfers outside the EEA. The main options to remain compliant are having an adequacy decision, or inserting an appropriate safeguard into the data transfer agreement (i.e. the standard contractual clauses).
The UK government has announced that they intend to recognise the EU adequacy decisions made by the European Commission prior to the exit date. The UK government has also stated that with Brexit, transfers of data from the UK to the EEA will be permitted and will be kept under review.
Companies should identify where it is necessary to put in place appropriate safeguards, or where they will be covered by the current EU, and prospective UK, adequacy decisions.
- Receiving transfers into the UK
The established EU GDPR will continue to apply to current EEA senders of personal data, and a UK entity may be considered in receipt of a restricted transfer of personal data if it acts as a data controller or a processor located in the UK.
The European Commission has not confirmed that an adequacy decision will be extended to the UK post-Brexit. This means that an EEA sender should put into place appropriate safeguards, which are the standard contractual clauses.
Transfers from countries with EU Commission adequacy decisions will have individual national legislative restrictions on transferring personal data outside the EEA. These national restrictions will need to be complied with after the UK leaves the EU.
Though there may yet be a deal agreed between the UK and the EU, the UK Government’s ‘no deal’ technical note regarding data protection will remain relevant for any possible transition period.
To prepare, it is recommended to have a thorough understanding of where personal data is transferred during the course of business. Companies should identify where it is necessary to put in place appropriate safeguards in the form of the standard contractual clauses. Should the personal data be received from a country currently covered by an EU Commission adequacy decision, this should be kept under review with the understanding that each country may require differing safeguards.