What happens to data flows after a no deal Brexit?

What happens to flows of personal data across borders after Brexit, and how might your organisation be affected?

For more up to date information please visit the Data Protection and Brexit area of the Information Commissioner's Office (ICO) website

While the provisions of the GDPR will continue to apply after the UK leaves the EU—regardless of the status of an exit deal—there could be an impact on international transfers of personal data: both to and from the UK after leaving the European Union.

This may put the operations of some organisations under pressure in the event of a 'no deal' exit if they have not prepared adequately. The UK government has recently issued guidance on its preparations and intentions regarding data protection law if there is no deal.

This article looks at the current position and how voluntary, community and social enterprise organisations could be affected, and what can be done to prepare.

Summary

  • European data protection laws will be incorporated into UK law, therefore the GDPR will continue to apply to all personal data processed in the UK.
  • Brexit will have an impact on the free flow of personal data to and from the UK, particularly if there is no deal.
  • If you use cloud storage, bespoke software, outsourcing, or online services to process or store personal data, you may be making transfers to data centres outside the UK.
  • If receiving data from the European Economic Area (EEA), or sending data to a country outside of the EEA, appropriate safeguards must be in place.
  • Organisations should review their current transfers of data—received from or sent to other countries—and assess how they might be affected.

What happens to data protection in the UK after Brexit?

It is a guarantee that the standards of the EU General Data Protection Regulation (GDPR) will be incorporated into the UK's own data protection laws, post-Brexit.

However, when the UK leaves the European Union it will be considered a 'third country' under EU data protection law. This means that as the UK will be outside of the EU's legislative framework it's data protection laws may be regarded as incompatible with the EU's—at least during an initial period—despite the continuing application of the GDPR's provisions.

This third country status may affect flows of personal data between the EU and the UK in the event of no deal.  At the moment, such flows are 'unrestricted' as the UK is part of the European Economic Area (EEA) through its EU membership. If an exit deal were to be agreed before the actual date of the UK exit, then organisations can be assured that there will be no change as the UK would be in a 'transition period'. Transfers to the rest of the world may be affected, but in a different way.

The UK government and the Information Commissioner's Office have taken steps to raise awareness of the issues. The UK government will no doubt keep the public updated on developments, so pay attention to relevant updates. Significant updates will also appear on this article.

To understand the potential impact of what no deal could mean (or what could happen beyond a transitional period), it is first necessary to understand the current position of international transfers of data under EU law.

 

Appropriate safeguards for restricted transfers

Under the GDPR, any transfers of personal data from the EEA (all of the EU members plus Iceland, Liechtenstein and Norway) to a third country is referred to as a 'restricted transfer'.

Restricted transfers require that appropriate safeguards are in place to ensure that the same level of protection travels with the data, or the transfer is not legal.

This is the current principle for transfers to third countries which will continue to be binding for UK-based organisations too, under the UK's post-Brexit data protection regime. More importantly, these safeguards will also be necessary for any transfer to the UK from the EEA, as the UK will itself be a third country.

The special mechanisms that allow a restricted transfer to occur are defined in Chapter V of the GDPR.

There are essentially four of these:

  1. An adequacy decision for the destination country
  2. An appropriate certification mechanism (the EU-US Privacy Shield)
  3. The existence of standard contractual clauses
  4. Derogations for specific situations

(N.B. Binding corporate rules, or approved and enforceable codes of conduct may also be applied, but these are normally applicable only to transfers made by or within multinational companies, so we will ignore these for the purposes of discussing the Northern Ireland voluntary and community sector—but they can be found in the relevant Chapter of the GDPR).

Brexit, and the outcome of any deal negotiated, agreed or rejected, may have an impact on these mechanisms for any transfer concerning the UK, so it is important to understand how they may be affected in the context of your own data transfers.

Adequacy decisions

An adequacy decision is a determination, made by the European Commission, that the country in receipt of the data transfer offers an adequate level of data protection.

There are currently a small number of countries that have so far received an adequacy decision: Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Jersey and the Isle of Man, Israel, Japan, New Zealand, Switzerland and Uruguay. Personal data may flow freely to these countries. These decisions will be preserved for transfers from the UK on a transitional basis.

Though the UK is currently part of the EU data protection regime it does not automatically leave as a third country with the assurance of an adequacy agreement for itself, particularly in the situation of no deal. In fact, the European Commission has stated that it is not possible to consider the UK's position for adequacy until after it has left.

The UK Government intendeds to "transitionally recognise" all EEA countries (plus Gibraltar) as adequate destinations for personal data from the UK sent to Europe. 

Example
Your organisation decides to outsource its HR services to a company located in New Zealand. Personal data of employees will therefore be transferred to a third country, and this is a restricted transfer.

As New Zealand is covered by an adequacy decision by the European Commission, it is recognised as an appropriate destination for the data.

The allows the restricted transfer to take place with no need for further arrangements, either currently or after the UK leaves the EU (with or without a deal).
 

However, personal data moving in the opposite direction (from the EEA to the UK) will not be afforded this determination, and it is not in the UK Government's gift to give it.

Reliance upon an adequacy decision for future transfers of personal data to the UK from the EEA can therefore not be assured and may result in what some people are referring to as a "data wall" between the UK and EU countries.

However, there are other mechanisms that could permit ongoing transfers in the absence of an adequacy decision for the UK as a destination for personal data coming from the EU.

EU-US Privacy Shield certification

Though the United States does not have an all-encompassing adequacy decision, the European Commission has determined that companies that participate in the EU-US Privacy Shield certification mechanism do offer adequate safeguards under this framework. 

Therefore, if the US-based participant company receiving the personal data is on the Privacy Shield List, then the transfer can be made. But as this arrangement is between the EU and the US Department of Commerce, the Privacy Shield mechanism will not automatically extend to cover the UK post-Brexit.

Privacy Shield participant companies in the US will be required to update and maintain their public commitments in order to receive personal data from the UK in future. The deadline is provisionally by the end of the UK's "Transition Period" (December 31 2020). However, if the UK crashes out without an exit deal, there will be no transition period and the deadline for Privacy Shield participants will be on the date of exit (i.e. 29 March 2019). See the Privacy Shield and the UK FAQs for more.

The important point to take away from this is that if the US-based Privacy Shield participant company has not updated their commitment by the relevant deadline, then the transfer to the US is potentially in jeopardy

Many online services are provided by US-based companies, and the use of these services in respect of personal data involves a transfer to a third country. You can check the Privacy Shield list or the company's own privacy notice for information about their participation in Privacy Shield.

Example
You use the email marketing service MailChimp to send emails to mailing lists. Using this service means that personal data (such as recipients' email addresses and other information) is being transferred to and stored on the company's servers. MailChimp is a US company and their servers are also located in the US, so this is a transfer to a third country.

MailChimp is a current participant in Privacy Shield, and you can view their entry here. This means that, currently, personal data can be transferred to the US by your organisation in respect of using MailChimp under the GDPR.

In order for you to continue using the service in the same way after the UK leaves the EU, MailChimp must update their Privacy Shield commitment to include the UK by the date of the deadline (either the end of the UK's transition period or the day the UK leaves). This will be reflected on the company's entry on the Privacy Shield list. If they were not to do so, it is possible that the transfer would be in breach of both UK and EU data protection law.

There are many other examples like this—to take another case, the event booking service Eventbrite is also a US-based company and Privacy Shield participant and is widely used in the UK.

Standard contractual clauses

Where a transfer is not covered by an adequacy decision or the Privacy Shield, then the European Commission can decide that standard contractual clauses (SCCs) offer the appropriate data protection safeguards.

The Commission has issued model contracts for transfers outside of the EU with the necessary approval. These can be used to ensure the ongoing transfer of personal data to a non-EEA country, including where the organisation receiving the data is in the UK, and they will be recognised in UK law post-Brexit. The ICO will also be given the power to issue new clauses.

These model contracts can be used wholesale and signed by the relevant parties, and will present an effective basis for international data transfers from the UK (both to Europe and elsewhere) in a ‘No Deal’ scenario.

Derogations for specific situations

Article 49 of the GDPR outlines "derogations for specific situations" covering restricted transfers that can take place in the absence of an adequacy decision, Privacy Shield, or standard contractual clauses.

While these exceptions may cover a wide range of situations, it is important to note that these are true exceptions. The derogations each present their own complexities in to the situation, and the general rule that the transfer should not take place until there is an appropriate alternative in place.

 

What can voluntary, community and social enterprise organisations do to prepare?

The free flow of data within the EU is something that is taken for granted under the single market. However, flows of data—particularly those from the EU to the UK—will be affected by the UK's exit.

Operating on the assumption that a No Deal Brexit is possible or likely, organisations need to prepare so that their transfers of personal data continue to be protected and that they comply with relevant UK and EU law.

1. Work out what international data flows exist, and where they are located

It isn't always obvious that you are making an international transfer of personal data, but if you make use of modern IT options you may be doing so already.

Having data subjects (the people whose data you process) who reside outside of the UK does not count as an international transfer. But if the recipient is another data controller or a processor, then the rules for international transfers must be satisfied.

Recognising where an international transfer is taking place is important. Data transfers don't just happen in specific situations where you are working with an international partner or operating across borders.

You may not be aware of it currently, but if you use a cloud storage service or outsource business services, then personal data may be processed outside of the UK.

For example, if you use Microsoft Office 365 as UK customer, it is likely that most data for these services are stored at UK data centres, and are therefore unaffected. But certain Office 365 products might also store data on servers in the EU, so you should check if this occurs. Handily, Microsoft provide a checker tool for Office that allows you to check where certain services store data (see more on Microsoft data privacy).

If you have followed our guidance on documenting your processing activities, you should have a good idea of what data you process. Use this in reviewing how it is stored to help you determine where international transfers are taking place, thinking about what systems you use.

2. Think about how these could be affected by a no deal scenario

This definitely isn't the easy part of the task, and you will be operating on certain assumptions, but it is important to be prepared now or risk difficulty if the UK crashes out of the EU without a deal.

If you are transferring personal data to a country in the EU or EEA, then it is fairly safe to operate on the assumption that they will be unaffected by Brexit.

But if you are receiving data from a country in the EU/EEA, there is not likely to be an adequacy decision in place if the UK leaves without a deal. That transfer may therefore be affected if there is no alternative mechanism currently. It is the sender who will need to ensure the arrangements are in place, but it may affect your own operations if they haven't prepared themselves.

If you are transferring personal data to another third country outside of the EEA that does not have an adequacy decision (listed on the EC website), you will need to ensure that an appropriate safeguard is currently in place and that it continues to be adequate after the exit date. The rules are likely to remain similar as the EU data protection framework is being incorporated in to UK domestic law, but this doesn't necessarily mean that what is appropriate now is appropriate in future.

3. Put the necessary arrangements in place and document changes

So that you can ensure the smooth continuation of normal operations, you will need to address any need for contingency planning.

If you've discovered that you are receiving personal data from the EU and need to continue receiving it on a regular basis, then you need to ensure that the appropriate mechanism for transfer is in place before the UK leaves without an exit deal. You can work with the EU-based sender to put these in place.

For example, if you receive data from a partner organisation on the other side of the border, you can work together to put the standard contractual clauses in place, and use the model contracts.

Or, if you are transferring data to a US-based company that is a current Privacy Shield participant, then you need to check that they have signed the public commitment to include the UK by the relevant deadline so the transfer can continue.

You should make a record that you have identified where a data transfer is affected and sought to make alternative arrangements. You may also need to update your privacy information to reflect any change in how transfers are made, where necessary and particularly in the case of current UK-EEA transfers.

Example
A health and wellness organisation working in the border area of Northern Ireland has participants who reside in the Republic of Ireland. Collecting and storing information relating to these people (the data subjects) is not affected by the rules around international transfers so long as the personal data is not subsequently transferred to a recipient outside of the UK.

However, if the organisation works on a funded project with a partner that is established or located on the other side of the border and personal data is transferred between them, then the GDPR's provisions applying to international transfers would be triggered after the UK has left the EU—regardless of where the data subjects reside.

In this scenario both organisations are data controllers—while they work in partnership they make their own decisions about how the data is being used.

As the UK government has stated its intention to allow personal data to flow freely to the EU and EEA after Brexit, then data transfers from the UK can continue be made as before.

However, transfers to the UK must satisfy one of the appropriate safeguards set out in the GDPR. Under 'no deal', as there will be no adequacy decision for the UK on the date of exit (and Privacy Shield is not relevant), the most presentable option is the incorporation of standard contractual clauses. Both organisations will need to ensure that these are in place before the date of exit so that any transfers from the EU to UK can continue to occur.

 

Links

Information Commissioner's Office

After Brexit

European Commission

UK Government

Privacy Shield

Microsoft

Every effort is made to ensure that the contents of this document are accurate, but the advice given should not be relied on as a definitive legal statement.

NICVA Brexit Articles Timeline

Share your COVID-19 support service

Organisations providing support to people and communities can share their service information here

> Share your support

Not a NICVA member yet?

Save time, money and energy. Join NICVA and you’ll be connecting in to a strong network of local organisations focused on voluntary and community activity.

Join Us

NICVA now welcomes all small groups for free.