Data transfers after Brexit: delusions of adequacy?

Amid the current kerfuffle about the terms of the UK’s exit from the European Union, it is maybe not surprising that data protection isn’t high on people’s list of things to worry about (what with such potential trifles as the economy contracting, the NHS collapsing, Something Bad happening in the island of Ireland and the M20 becoming a lorry park). Risks to cross-border data transfers are under the radar at the moment, but if your business model relies on them, you might want to think about making some contingency plans.

Post-Brexit, organisations in the EU will not be able to assume they can easily transfer personal data to us. There IS a mechanism that will allow it, called an ‘adequacy ruling’ – a ruling by the European Commission that deems a non-EU state as having adequate data privacy laws to allow personal data to be transferred to it as if it was an EU member. The hope is that the transition period of a negotiated withdrawal will allow time for the UK to receive such an adequacy ruling (meaning we can take our place alongside such international heavyweights as Andorra and the Isle of Man).

However, a no-deal Brexit would immediately put us outside the EU, with no adequacy ruling in place. While the UK government has stated it will allow the transfer of personal data to the EU, the converse will not be true: EU-based organisations will have no legal basis for transferring personal data to the UK.

There is, of course, a workaround. As well as the adequacy ruling, the GDPR allows two other mechanisms for data flow across EU borders:

  • Multinational companies can agree to abide by Binding Corporate Rules that commit them to sufficient levels of data privacy. They can then transfer personal data within the corporation across borders.

  • Standard Contractual Clauses can be written into a contract between EU and non-EU organisations that allow them to transfer personal data between each other by building adequate data privacy into the business contract.

Neither of these are trivial to put in place, so if your business needs to receive personal data from European organisations, now would be a good time to familiarise yourself with them.

Sadly, though, there is yet more trouble on the post-Brexit data protection horizon. The legal basis for British organisations to transfer data to the USA is the Privacy Shield. However, this was negotiated between the USA and the EU (plus Switzerland) – once we leave the EU, it won’t cover USA/UK data transfers. And just to put the icing on the cake, the legality of Standard Contractual Clauses is currently being considered by the European Court of Justice. A combination of Standard Contractual Clauses becoming invalid and no adequacy ruling being in place would make for quite a dilemma.

Doubtless the ICO and its overseas counterparts are working hard to mitigate these risks – but at the moment the Brexit debate is causing as much uncertainty about how data will cross borders as it is about how people and products will.