The EU agreed to further postpone Brexit until 31 January 2020, the so-called “withdrawal date”. Before such date there will be parliamentary elections in the UK on 12 December 2019.
In terms of data protection, the UK will eventually become a third country in case of a Brexit, meaning that an organisation established in the EEA should implement an adequate data transfer mechanism to share personal data with other organisations in the UK, such as other group offices or service providers. The new postponement gives companies some extra time to look at the possible data transfer mechanisms for implementation after the withdrawal date. Even in case of yet another postponement thereof, sooner or later the UK will become a third country.
In this blog, Timelex will explain the data transfer possibilities in more detail.
Preferred scenario: a deal!
Withdrawal agreement with transition period
Agreeing on a deal (the so-called Withdrawal Agreement) seems to be the most advantageous situation for everyone and therefore also the preferred scenario. It has been subject of several rounds of voting in the British Parliament, but so far nothing has been adopted. A deal will provide some kind of a transitional period with regard to personal data sharing between the EU and the UK. The transitional period should help citizens, companies and administrations to adapt to Brexit.
Data sharing during and after this transition period
During the transitional period, the UK will continue to respect all EU legislation without being able to participate in the institutions or being involved in decision-making processes. In return, during this transitional period, the UK will be able to have access to the internal market and the customs union.
If a deal with a transitional period is adopted, it is likely that the rules applicable to data protection in the UK will remain unchanged throughout the transitional period. However, it should be kept in mind that even in case of a deal scenario, the UK will become a third country after the withdrawal date.
Below we will further explain what organisations can do in case there will be no transitional period or in case it would end.
But what if there is no deal?
A hard Brexit is still possible
Although there is a new postponement of a soft Brexit until 31 January 2020, the possibility of a hard Brexit is still not out of the question. In case of a hard Brexit, the UK will leave the EU without a deal and hence will become a third country under data protection laws. If there is no deal, there will also be no transitional period during which the UK will have to respect EU legislation, including the GDPR.
GDPR rules on personal data transfers
Companies subject to the GDPR should respect the GDPR’s provisions on data transfers to third countries. Any transfer of personal data to the UK after the withdrawal date will have to be based on one of the personal data transfer mechanisms laid down in the GDPR. In essence, personal data transfer mechanisms ensure that the protection offered by the GDPR to a natural person in the EU “sticks” to his or her personal data when such data leaves the territory of the European Economic Area (EEA, meaning the EU Member States plus Liechtenstein, Iceland and Norway).
Standard contractual clauses as a possible data transfer mechanism
With the limited period of time left until the withdrawal date, implementing standard contractual clauses for the period thereafter seems to be the most viable option. These clauses adopted by the European Commission must in their entirety be incorporated in a contractual relationship between the data exporter (based in the EEA) and the data importer (based outside the EEA, e.g. the UK), so that the transfer can be performed in a lawful way.
The standard contractual clauses contain contractual obligations for the data exporter and the data importer and rights for the individuals whose personal data is transferred. This means that they automatically provide an adequate level of protection by having the agreement in place and living up to it.
The current standard contractual clauses were adopted by the European Commission before the entry into force of the GDPR, but they remain applicable until new GDPR compliant clauses are adopted. Different versions of the standard contractual clauses exist and every organisation should make sure to sign the version that is most appropriate for its situation. Also, keep in mind that it is not allowed to modify these clauses, but you may include them in a wider contract also containing other clauses.
In order to continue sharing personal data with the UK after Brexit organisations should start signing standard contractual clauses or implementing other adequate transfer mechanisms (such as Binding Corporate Rules) as soon as possible.
If you have more questions about international data sharing or Brexit, please take a look at www.timelex.eu/en/brexit