In this week’s release of ‘technical notices’ by the UK Government, in the case of a Brexit no-deal, Data Protection was included – and the full note (here) sets out “information to allow businesses and citizens to understand what they would need to do in a ‘no deal’ scenario, so they can make informed plans and preparations”.
The most important piece of information in the notice is (edited):
After March 2019 if there’s no deal
If the UK leaves the EU in March 2019 with no agreement in place regarding future arrangements for data protection, there would be no immediate change in the UK’s own data protection standards.
However, the legal framework governing transfers of personal data from organisations (or subsidiaries) established in the EU to organisations established in the UK would change on exit.
You would continue to be able to send personal data from the UK to the EU.
What you would need to do
The EU has an established mechanism to allow the free flow of personal data to countries outside the EU, namely an adequacy decision. The European Commission has stated that if it deems the UK’s level of personal data protection essentially equivalent to that of the EU, it would make an adequacy decision allowing the transfer of personal data to the UK without restrictions. While we have made it clear we are ready to begin preliminary discussions on an adequacy assessment now, the European Commission has not yet indicated a timetable for this and have stated that the decision on adequacy cannot be taken until we are a third country.
If the European Commission does not make an adequacy decision regarding the UK at the point of exit and you want to receive personal data from organisations established in the EU (including data centres) then you should consider assisting your EU partners in identifying a legal basis for those transfers.
For the majority of organisations the most relevant alternative legal basis would be standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations on you and your EU partner, and rights for the individuals whose personal data is transferred. In certain circumstances, your EU partners may alternatively be able to rely on a derogation to transfer personal data. We recommend that you proactively consider what action you may need to take to ensure the continued free flow of data with EU partners.
The Information Commissioner’s Office would produce additional guidance outlining the steps organisations would need to take to continue to meet their obligations. EU organisations should seek guidance from their respective data protection authorities.
The notices on Copyright (if there is no Brexit Deal) and Intellectual Property where released on 24th September and you can read them here and here.