UK-EU data flow at threat from no deal Brexit, says UK government
iStock.com/stockcam

UK-EU data flow at threat from no deal Brexit, says UK government

The UK government has urged businesses to prepare standard contractual clauses for data transfers with the EU in case the UK leaves the bloc without a formal agreement in place.

The government said that the EU will not make an adequacy decision until after the UK leaves the EU, meaning that British businesses would need to enter into contracts with EU companies to keep receiving data from them.

The GDPR stipulates that data cannot be transferred out of the EU without a "legal basis". If the EU reaches an adequacy agreement with a country, as it did recently with Japan, EU businesses can freely transfer data to that jurisdiction.

Without an adequacy agreement, businesses transferring data across borders have to make individual agreements known as standard contractual clauses to ensure equivalent protections travel with the data. 

However, UK businesses will be able to continue sending data to the EU even in a no deal situation, the government said. “This is in recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes”, it said, adding that it will monitor this.

The guidance is part of a raft of information released on 13 September by the government on how businesses should prepare for the possibility of the UK leaving the EU in March 2019 without a formal deal in place. 

Stewart Room, partner at PWC in London, said that the advice suggests there might be a gap between leaving and getting an adequacy decision.

To mitigate the legal uncertainty this provokes, Room said that organisations should prioritise how they maintain data flows with the EU.

But Victoria Hordern, head of data privacy at Bates Wells Braithwaite in London, said that though some businesses will be understandably alarmed, past experiences have shown that the consequences of a no deal Brexit are unlikely to be severe.

After the European Court of Justice declared the former EU-US data transfer mechanism Safe Harbor invalid, EU data protection authorities “did not actively and rigorously clamp down” on EU organisations trying to adapt to this change, Hordern said.

The government’s guidance says companies could also rely on derogations – which exempt data handling from GDPR requirements under certain circumstances – as an alternative to standard contractual clauses.

But Hordern said that these are “interpreted narrowly and are unlikely to offer long term solutions”, meaning that standard contractual clauses are probably the easiest solution.

Observers have suggested that the UK might be able to achieve a fast tracked adequacy agreement, given that it has incorporated the GDPR into its laws. But there is an uneasy relationship between the EU and the UK over data protection, with EU courts repeatedly finding the UK’s surveillance laws to be illegal; most recently by the European Court of Human Rights in a 13 September decision.

Michel Barnier, the EU’s chief Brexit negotiator, told a conference on 26 May that the UK “must understand that the only possibility for the EU to protect personal data is through an adequacy decision.”

Yesterday’s guidance said that the Information Commissioner’s Office would also release additional information for businesses in the event of a no deal scenario. A spokesperson for the ICO told GDR that it is “planning for a number of scenarios” and is preparing practical advice.

PWC’s Room said that there are some gaps in the government’s advice, such as a lack of guidance on what will happen if a UK business receives personal data from individuals rather than organisations in the EU. In that situation, he said, the UK business would need to appoint a legal representative in the EU to deal with any regulatory investigations.

The government guidance said that a no deal scenario remains unlikely.