Contribution by Mike Bradford, BIIA’s expert on privacy and data protection:

One question that is becoming increasingly topical is the impact of Brexit on businesses in respect of data and the UK’s post-Brexit position vis-à-vis EU / global operations. Below is what a number of commentators are predicting.

Under the General Data Protection Regulation, personal data may not be transferred outside the EEA unless there are protections in place to guarantee individuals equivalent rights and protections to those they enjoy in the EU.

Those countries which are considered to have a data protection regime which provides an adequate level of protection equivalent to that in the EU may benefit from a Commission Adequacy Decision which allows the free flow of personal data from the EU. Currently, 11 jurisdictions (including the Channel Islands) have full Adequacy Decisions. Japan and Korea are currently being assessed and the US has a partial (and controversial) Adequacy Decision in relation to transfers under the EU-US Privacy Shield.

In the absence of an Adequacy Decision, a number of other data transfer mechanisms can be used, principally, the EC’s standard contractual clauses (SCCs), or Binding Corporate Rules (BCRs). There are other limited options available.

The default position when the UK leaves the EU is that it becomes a ‘third country’ for the purposes of transfers of personal data from the EU. That means it will either need an Adequacy Decision or that organisations will need to use one of the data transfer mechanisms to export EU data to the UK.

It seems relatively likely that the UK will get an Adequacy Decision because, firstly, it would be difficult for many EU organisations if they find they cannot export personal data to the UK; secondly, the UK has the same data protection laws as the EU, the GDPR will come into UK law under the EU Withdrawal Bill, and provision is also made in the UK’s Data Protection Act 2018 (DPA) for the GDPR to apply after Brexit.

In terms of data transfers out of the UK, we have the same restrictions on data exports as the rest of the EU at the moment. The GDPR will apply after Brexit to require that data exports to third countries from the UK take place only under protective arrangements.  Data exports from the UK are likely to pose less of a problem than data exports from the EU to the UK.

Finally – the ‘no deal’ Brexit scenario. Things would undoubtedly get very complex if we cannot get a deal on data protection, and SCCs and BCRs would become the obvious way to carry on trading on an EU basis. The fly in the ointment around the UK getting an adequacy decision is that the powers of its security and law enforcement agencies are not in harmony with EU law, and there are a number of controversial derogations from the GDPR set out in the DPA. While getting an adequacy arrangement seems likely, it is not a foregone conclusion.

As with all things Brexit, while GDPR and DPA 2018 are the only current ‘Brexit-proofed’ statutes under UK law, our advice would be to enjoy the long hot summer but prepare for a winter of discontent….!

Mike Bradford’s latest newsletter can be downloaded by clicking on this link: Regulatory Strategies Newsletter – Aug 18
Here are the key topics covered in the latest issue.

  • ICO receives record number of breach notifications
  • ICO’s annual report reveals increased public awareness of privacy and information rights issues
  • UK government still seeking bespoke data protection deal
  • ICO issues Facebook maximum £500,000 fine under 1998 DP Act
  • European Parliament passes non-binding resolution to suspend EU-US Privacy Shield
  • South Wales company fined £60,000
  • Company failing to register with ICO and comply with Information Notice is fined
  • Police paedophile documents found near skip

Mike Bradford
Regulatory Strategies Ltd
Mobile: 44 (0) 7837 998 626