24 October 2018
At the start of the year, the European Commission's Directorate-General for Justice and Consumers issued a notice on the data protection consequences of Brexit. It stated that the United Kingdom will become a 'third country' from the withdrawal date of 30 March 2019 and will thereafter be subject to the same EU rules on transfers of personal data as any other third country.
Under EU data protection law, personal data may only be transferred to a country outside the European Economic Area (EEA) under one of the transfer mechanisms provided for by law. These include Standard Contractual Clauses (pre-approved model contracts for data transfers), Binding Corporate Rules (internal rules for intra-group transfers, typically used by multinational companies) and the Privacy Shield (a framework for transfers between the EEA and the United States). A further route is available where the destination country has been approved by a so-called 'adequacy decision' of the European Commission.
Essentially, countries that have been approved pursuant to an adequacy decision are considered to have legal protections equivalent to those that safeguard personal data in the EEA, in particular as set out under the provisions of the General Data Protection Regulation (GDPR).
Data transfers to such countries are considered compliant with EU data protection law. However, adequacy decisions follow a rigorous assessment process that has previously taken up to 28 months to complete. Only Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay have been approved to date, with Japan currently in the process of securing approval.
Whatever the finer details of a deal or no-deal outcome, the United Kingdom will become a 'third country' for the purposes of EU law from March 2019, unless a withdrawal agreement provides for a transition period during which EU law continues to apply. An adequacy decision would likely be the least disruptive option for continued international transfers of personal data. However, the growing likelihood of a no-deal Brexit, combined with the complex and lengthy process for obtaining an adequacy decision, means that companies need to prepare now to reduce the risk of disruption. Calls in the UK to expand communications surveillance under the Investigatory Powers Act 2016 seem likely to frustrate any prospect of an adequacy decision before March 2019.
Additionally, companies that have already implemented Binding Corporate Rules with the UK's Information Commissioner's Office (ICO) acting as lead supervisory authority need to be aware that they may not be able to rely on them following the UK's withdrawal from the EU. This could be especially disruptive given that the ICO has approved more companies' Binding Corporate Rules than any other EU data protection supervisory authority.
Given the rapidly approaching deadline, companies should therefore focus on the following:
Under the GDPR, transferring in-scope personal data to a third country without an approved safeguard is an infringement that can attract a fine of up to 4% of a company's annual worldwide turnover or €20 million, whichever is higher. Companies should therefore act now and seek assistance to put efficient and sensible Brexit contingency plans in place for all of their data transfer arrangements ahead of the March 2019 deadline.