Consequences of a no-deal Brexit on personal data transfers to the UK

On 15 January 2019, the House of Commons of the United Kingdom voted against the Withdrawal Agreement negotiated between the UK government and the European Union in the context of Brexit.

If that no-deal Brexit scenario persists after 29 March 2019, the following consequences for transfers of personal data to the UK will have to be taken into account.

On 30 March 2019, the UK will be considered a “third country”, within the meaning of the EU General Data Protection Regulation[1] (GDPR), for the purposes of personal data transfers outside the European Economic Area.

A no-deal Brexit would mean that the restrictions on transfers of personal data to third countries set out in the GDPR will apply. In other words, transfers of personal data from businesses subject to the GDPR to the UK will no longer be permitted, unless these businesses can rely on one of the appropriate safeguards or derogations provided for in the GDPR.

One of these safeguards consists of adequacy decisions from the European Commission ensuring, after due analysis, that a third country has data protection standards equivalent to those provided for under EU legislation. Although it would be fair to think that the UK would be granted an adequacy decision if the analysis process were carried out, it is very unlikely that this could happen by the end of March 2019 outside of a Brexit deal. Thus, other safeguards must be considered.

Most of the other existing safeguards would, as interpreted in the European Data Protection Board guidance[2], be either difficult if not impossible to adopt within such a short timeframe (e.g. binding corporate rules) or not currently available (e.g. certification mechanisms or codes of conduct). Most of the available derogations are not satisfactory for non-occasional transfers. Because it must, in particular, be specific and can be withdrawn at any time, consent would also, in most cases, not be the most appropriate legal basis for the transfer: it is burdensome and time-consuming to gather and always at risk of being unilaterally withdrawn.

Therefore, in most cases, the soundest alternative would be for EU-based data exporters to enter into Standard Data Protection Clauses[3] (also known as EU Model Clauses) with the relevant UK data importers.

In these times of uncertainty, EU businesses subject to the GDPR should review their personal data flows and, if appropriate, review their situation to ensure that transfers of personal data to the UK will still be made in compliance with EU legislation in case of a no-deal Brexit.

The National Data Protection Commission in Luxembourg, the CNPD, confirmed the above in a “Brexit” report published on its website (in French)[4].

For further information, please contact Linda Funck or Gary Cywie.

[1] Regulation (EU) 2016/679
[2] See Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 adopted on 25 May 2018 by the EDPB.
[3] https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
[4] https://cnpd.public.lu/content/dam/cnpd/fr/dossiers-thematiques/transferts-internationaux-de-données/dossier-thematique-Brexit-Les-consequences-du-Brexit-en-matiere-de-transferts-internationaux-de-donnees.pdf