No–Deal Brexit and it’s Implications on GDPR Compliant Data Transfer
Prepare for the worst-case scenario
As the United Kingdom has so far chosen not to accept the withdrawal agreement proposed by Prime Minister May, and another date has not been established all Union primary and secondary law will probably cease to apply to the United Kingdom as of 30 March 2019, 00:00h (CET). Consequentially the United Kingdom will as of the lapse of the indicated time and date cease to be a member state of the European Union and therefore become a 'third country' and data transfer will need to be assessed in accordance with the Articles 44 – 50 GDPR.
The majority of concerns is focussing on the supposed “key aspects” of the “No-Deal Brexit”. These are supposedly topics such as the free movement of workers, the maintenance of the "green border" between Ireland and Northern Ireland, taxes, logistic issues, etc. The less visible but at least as prominent consequences in the field of data protection and especially data transfer between the EU and the United Kingdom has remained unobserved by a majority of concerned entities and companies alike.
As the United Kingdom is a major export market for most EU Countries (Fifth most important export market for Germany in 2017), data protection is definitively a most prominent issue. The relevance becomes most obvious once the daily transfer of personal data from customers, suppliers or employees between the EU member States and the United Kingdom is taken into account.
As Westminster rejected the Brexit Deal proposed by Prime Minster May, it is becoming most probable that the EU rules for the transfer of personal data to “third countries” will apply to all personal data transmitted between the EU and the United Kingdom. The options to ensure a legal data transfer between the EU and the United Kingdom are therefore limited to the following:
1. Intergovernmental Decisions
Intergovernmental Agreements will not be in place by the time and date of the No-Deal Brexit. An according solution is therefore most improbable.
2. Adequacy Decision – Art. 45 GDPR
In the absence of intergovernmental agreements, there EU Commission may issue a "direct" adequacy decision” in accordance with Article 45 GDPR. This adequacy decision would state that the United Kingdom’s level of data protection corresponds to that of the GDPR. If adopted by the EU, the "adequacy decision", would allow the free flow of personal data from the EU without the EU data exporter having to implement any additional safeguards or being subject to further conditions. A transfer of personal data would then be permissible.
However, there remain reasons against such adequacy decision. This is due to the UK Investigatory Powers Bill of 2016 and the associated comprehensive possibility of data retention, as well as the lack of application of the EU-US Privacy Shield for data transfers in the relationship between the UK and the US. An adequacy decision should therefore face significant concerns.
3. Options of a No-Deal Brexit
Under a No-Deal Brexit and in absence of state level agreements each company will in its own responsibility, need to provide evidence that it has established so-called "suitable guarantees" in accordance with Article 46 DSGVO have been established for each data transfer situation. These include, for example
- Standard data protection clauses: the Commission has adopted three sets of model clauses, which are available on the Commission’s website
- Binding corporate rules: legally binding data protection rules approved by the competent data protection authority which apply within a corporate group
- Approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country
- Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country.
4. Derogations - Art. 49 GDPR
In the absence of an “adequacy decision” or of “appropriate safeguards”, a transfer or a set of transfers may take place based on so-called “derogations”, Art. 49 GDPR. They allow transfers in specific cases, such as based on consent, for the performance of a contract, for the exercise of legal claims or for important reasons of public interest.
These tools are well known to business operators in the EU Member States, as they are already being used today for the transfers of personal data to non-EU countries. Despite of their utilization in this context, they remain exceptions and only constitute a last exit. The substantial argumentation and documentation effort involved and the documentary obligation will not transform the exception to a new “standard general rule”. This is amongst other issues due to the circumstance that the declaration of consent would also have to be revised, adopted to the new situation and re-obtained for every consent based processing with regard to the transfer of data from the EU to the United Kingdom. Depending on the individual case, the international reference could also require a data protection impact assessment prior to the execution of the data transfer.
The GDPR therefore offers options for a legal data transfer to the United Kingdom in the now probable No-Deal Brexit scenario. In deviation to an agreement based Brexit, companies must now take immediate action to protect their business continuity. They are under the obligation to implement one of the suitable instruments as quickly as possible. In absence of one of the above-mentioned alternative options, a worst-case scenario will materialize and the transfer of personal data to Great Britain would have to be discontinued altogether. The rights contained in Chapter 8 and especially the penalties contained in Art. 83 and 84 GDPR would apply in full force.
In view of the ongoing digitalisation and increasing value of data, the imminent scenario of a No–Deal Brexit and its material consequences on all personal date transfer between the EU and the United Kingdom substantial data protection impact is imminent. The experienced Team of Stefan Buchholz and Soentje Hilberg are ready to support you in all related matters to avert or at least minimize the imminent threats.