Transfers of EU Personal Information Under a No-Deal Brexit Scenario

Privacy and Data Security

March 29, 2019, less than 30 days from now, is the date the United Kingdom is scheduled to leave the European Union. Despite more than two years of negotiations over the nature of the relationship that will exist from March 30 onward between the U.K. and the other 27 EU member states, there is still no agreement in place that is acceptable to all parties, and the potential exists that the U.K. will exit the union under what is referred to as a no-deal scenario.

A no-deal scenario has implications across a broad spectrum of business operations, including, importantly, those relating to privacy. Multinational companies with operations in the U.K. need to be aware of the steps they may have to take should the no-deal scenario result.

A major component of the EU General Data Protection Regulation (GDPR) is its control of transfers of personal information across national borders. The regulation restricts personal information collected in one EU member state from being transferred to another country unless certain conditions are met. These conditions are as follows:

a) Transfers are allowed to other EU member states.

b) Transfers to other countries are allowed if the receiving jurisdiction has data protection laws that have been deemed “adequate” by the EU—for example, Canada, New Zealand, Japan.

c) Transfers to the U.S. are allowed if the organization is a member of the Privacy Shield.

d) Transfers within a single multinational enterprise whose “binding corporate rules” or BCR have been approved by the EU. See list of approved companies here.

e) Transfers to service providers that have “Binding Corporate Rules for Processors” or BCR-P that have been approved by the EU.

f) A contractual agreement exists between the “exporting legal entity” and the “importing legal entity.” These contracts, often referred to as “model contracts,” “model clauses” or “standard contractual clauses,” are EU-provided contracts.

Transfers Between EU Countries and the U.K. Today

Since the U.K. today is a member of the EU, transfers of employee and/or customer personal information from France, Germany and other EU member states to the U.K. are allowed, although it should be noted that local country employment laws must also be considered before any transfers of employee data take place.

If No-Deal Brexit Occurs

If the U.K. leaves under the no-deal scenario, transfers of personal information from the remaining 27 EU member states will no longer be legitimized as the U.K. will no longer be an EU member, so businesses will be forced to consider one of the other conditions described above for EU-U.K. data transfers.

Because the U.K.’s data protection law is based on the GDPR, it should be deemed adequate by the EU, but that determination cannot be made until after the U.K. exits the EU and will probably take a number of months. Consequently, all organizations with operations in the U.K. and other EU member states need to carefully consider their current data flows to ensure the no-deal scenario does not put them in a position of violating the GDPR. The simplest option for companies in this situation is likely to be deployment of model contracts between the exporting and importing legal entities.

If an Agreement Is Made Between the U.K. and EU

If an agreement is made between the U.K. and the EU, part of the agreement is likely to include the provision that the U.K. be immediately granted an adequacy ruling, meaning the status quo remains in place for any existing transfers.

Why It Matters

Organizations that are transferring personal information between EU countries and the U.K. must be aware of the potential no-deal scenario and the legal impact on their data-processing operations. With the official Brexit date imminent, organizations must be prepared to take steps to address this scenario and remain in compliance with the GDPR.

The U.K. Information Commissioner’s Office provides some further guidance on this topic, which can be found here.