The Department for Digital, Culture, Media & Sport (DCMS) has published a technical notice on data protection if there is no Brexit deal. The notice sets out that if the UK leaves the EU in March 2019 without an agreement with the EU in respect of data protection:
- the UK’s own data protection standards would stay the same because the Data Protection Act 2018 would remain in force and the EU Withdrawal Act would incorporate the GDPR into UK law;
- transfers of personal data from the UK to the EU would be permitted by the UK due to the “unprecedented degree of alignment between the UK and EU’s data protection regimes”, though this would be kept under review by the UK;
- however, transfers from the EU to the UK would be considered transfers from a ‘third country’ by the EU. There are a number of ways to legitimise this. One is an adequacy decision. Whilst the UK would like to have preliminary discussions about obtaining an adequacy decision, the European Commission has not given a timetable for this and has stated that the decision on adequacy cannot be taken until the UK is a third country. Therefore, in the absence of an adequacy decision, another legal basis will need to be relied on by organisations wishing to make transfers of personal data from the EU to the UK. The DCMS suggests that the most relevant basis may be standard contractual clauses (otherwise known as ‘EU model clauses’).
Many businesses operating in the UK receive personal data from the EU on a daily basis, such as where multinational companies have offices both in the UK and the EU, or UK businesses have relationships with organisations that are established in the EU (including EU data centres, EU suppliers and EU contractors).
Whilst the DCMS’ latest notice indicates that the UK government wishes to obtain an adequacy decision in respect of the UK, this differs from the government’s preferred position in June 2018 as set out in an earlier technical note on data protection published by the Department for Exiting the European Union.
The earlier technical notice provided that the UK government wished to have a legally-binding data protection agreement between the EU and the UK that would go beyond an adequacy decision. Such an agreement was envisaged by the UK as having benefits for both the UK and the EU, including EU companies only having to deal with a single regulator for any breaches that affected both the EU and the UK, and the ICO remaining in the European Data Protection Board.
UK and EU businesses should continue to keep an eye out for further developments in this area and be alive to the possibility that they may need to put EU model clauses in place (or another basis) prior to 29 March 2019 if the UK does not succeed in obtaining an adequacy decision from the European Commission or agreeing a legally-binding data protection agreement with the EU.