No-Deal Brexit – what impact will it have on cross-border transfers of personal data?
With so much political uncertainty surrounding Brexit and what it might mean for the UK, businesses can be forgiven for assuming that they can do little to plan for it. However, in terms of data protection, there are a few important steps that a business can take to prepare. One of the most important of these steps relates to ensuring that cross-border transfers of personal data can continue in the event of a no-deal Brexit.
International Data Transfers
Transfers from the EEA to the UK
Irrespective of whether there is a no-deal Brexit or not, the GDPR will continue to apply in the UK in conjunction with, and subject to, the Data Protection Act 2018. However, this does not mean that nothing will change in relation to transfers of personal data from the EEA. This is because, unless a withdrawal agreement mandates otherwise (which, at least in the short term, seems unlikely), the UK post-Brexit will be considered a “third country”.
The result of the UK being a “third country” is that the GDPR’s general prohibition on the transfer of personal data from any country in the European Economic Area (“EEA”) will apply. As such, companies will need to rely on a GDPR compliant lawful transfer mechanism (e.g. the Standard Contractual Clauses) in order to permit the transfer of personal data from the EEA to the UK.
Transfers to the EEA from the UK
The UK government has confirmed that the UK will continue to allow the free flow of personal data from the UK to the EEA in the event of a no-deal Brexit (meaning that no lawful transfer mechanism is required in relation to these data flows).
Transfers from the UK to non-EEA countries
With respect to data transfers from the UK to non-EEA countries, the same law will continue to restrict those data transfers as is currently the case. So, in other words, the European Commission’s adequacy decisions will continue to apply and, with respect to non-adequate countries, companies will still need to rely on a valid lawful transfer mechanism to transfer personal data to those countries.
What to do now?
In the short term, no additional steps are required for data transfers from the UK. However, businesses should review this position carefully as the UK and EU data protection regimes may diverge post-Brexit. For example, there is no guidance on the approach the UK government will take if and when the European Commission grants further adequacy decisions, e.g. will the UK government automatically deem that country adequate or will it mandate that additional hurdles must also be met?
With regard to data transfers from the EEA to the UK, all UK businesses should consider whether they are receiving personal data from organisations based in the EEA. For example, if UK companies acquire marketing lists from EU-based organisations to assist them with promoting any of their products, then they will need to ensure that this information is transferred to the UK lawfully. Whilst, pre-Brexit, it may not be proportionate to amend all existing contracts with EU-based organisations, we would recommend that all businesses identify those data flows that are material to their operations (or include valuable or sensitive personal data) and ensure a lawful transfer mechanism is put in place for those data flows before the UK leaves the EU. The Information Commissioner’s Office has stressed that no business should presume that free flows of personal data from the EEA are guaranteed and so all businesses should plan accordingly.
For more information please contact Freddie Law on +44 (0)20 7427 6522 or at email@example.com.