In light of recently-issued UK government guidance on the effects of a ‘No-Deal Brexit’ on data protection law and practice, Victoria Hordern, Head of Data Privacy, has responded with her thoughts on what this guidance will mean in practice for organisations which could be impacted by this turn of events.
Victoria’s comments provide an overview of the government’s guidance and set out what those who may be hit by the consequences of a No-Deal scenario need to know.
Her analysis also touches on the issue of data transfers post-Brexit, and goes on to examine what the future might hold with respect to how EU data protection authorities may respond to the consequences of a No-Deal Brexit.
Remarking on the UK government’s release of this guidance, Victoria comments that:
“The main implication [of the guidance] relates to transfers of personal data from the EU to the UK after March 2019 since, with no deal in place, the UK will then be treated as a ‘third country’ in the eyes of EU law. This is despite the fact that, post-March 2019, the GDPR will be incorporated into UK law and sit alongside the new Data Protection Act 2018. In principle, when the UK leaves the EU, the UK is no longer considered to guarantee the protections required under EU data protection law.”
The future of data transfers: should you be worried?
“While the sudden loss of legal certainty for data transfers from the EU to the UK is understandably alarming for organisations both in the UK and in the EU that exchange personal data, to some extent, we have been here before.
“When the European Court of Justice declared Safe Harbor invalid in October 2015, many organisations in the EU that had been relying on the Safe Harbor certifications of US recipients to whom they sent personal data, had to find another route to justify transferring data to the US. It’s worth remembering that in the months immediately following the fall of Safe Harbor, EU data protection authorities did not actively and rigorously clamp down on those EU organisations having to suddenly adapt to the loss of Safe Harbor by finding an alternative data transfer solution.
The UK government has confirmed, however, that the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU. While this provides some comfort for organisations it arguably reduces the UK government’s leverage to obtain a similar commitment from the EU to allow the flow of data the other way”.
“If there is no deal, so long as EU organisations that send personal data to the UK and the UK organisations that receive the data are seen to be seeking to find a solution, it’s not unreasonable to expect EU data protection authorities to take a pragmatic approach rather than to actively enforce the law.
The UK Government continues to lobby the European Commission to formally recognise the UK as an adequate country before Brexit occurs. An adequacy finding for the UK would permit data flows to continue from the EU to the UK without disruption. However, strictly speaking, any adequacy finding involves deliberation over a number of months in order for the Commission to properly assess the UK’s status. While the UK Government would prefer the adequacy finding to be confirmed on or before the UK’s exit from the EU and so ensure no disruption to data flows, the Commission is not likely to provide this reassurance.
Whether or not the Commission considers the UK to have a unique status that deserves to be recognised through a fast-track adequacy recognition remains to be seen and there are certain obstacles – the UK’s Investigatory Powers Act 2016 being one – which potentially stand in the way.”
If you’d like to find out more about the work of our Data Privacy team and how we can help you prepare for the outcome of the UK’s Brexit negotiations, click here to access Victoria’s profile.
Posted on 17/09/2018 in Brexit BriefcaseBack to Knowledge