Brexit, Your Business and Data: Personal Data Transfers

Posted: 11/08/2018 - 02:21

As the U.K. government perseveres with the unenviable task of negotiating the U.K.'s exit from the European Union (EU), U.K. businesses are becoming increasingly wary of the uncertainty that remains around their future operations with regard to the use of personal data. The issue will impact outsourcing providers that (as part of the services they provide) process data about EU data subjects on behalf of a data controller who is subject to GDPR, most notably in the field of IT. 

With B-Day (Brexit) looming closer, the government has released a series of guidance notes intended to help prepare the public for a “no-deal” situation. Although last month's notice in relation to data protection is comforting in some respects, it also raises further issues, namely: 
  • how transfers of personal data between the U.K. and the EU will be regulated post-Brexit;
  • that U.K. businesses operating within the EU will need to adjust to having a new regulator; and
  • that U.K. businesses dealing with EU citizens and their personal data will need to appoint a representative in the EU. 
In this article, we consider the impact of a “no deal” on data flows in and out of the U.K. for outsourcing providers. In particular, we look at data flows from the European Economic Area (EEA) to the U.K. Although the government's guidance only refers to the EU, we must assume that it also catches data received from other EEA countries by virtue of their adoption of the General Data Protection Regulation (2016/679) (GDPR). It is less clear whether data transferred to EEA countries from the U.K. is caught as the guidance doesn’t seem to adequately address the issue. 
Will the U.K.'s data protection standard change? 
Not really. The EU Withdrawal Act will incorporate the GDPR into U.K. law and the Data Protection Act 2018 will continue to sit alongside it, so, reassuringly, the time and money invested in becoming GDPR compliant will not be wasted.  
Although on the face of it the legal backdrop will not materially change, difficulties arise when considering the implications of the imminent status change of the U.K. when it ceases to be a Member State, particularly in relation to continued data flows.  
U.K. Data Flows to the EU 
The government has stated that it will permit transfers of personal data from the U.K. to those Member States remaining in the EU. In theory, this should mean that no further action is necessary (from the U.K.'s perspective) in order to receive personal data from U.K. customers if your business is EU-based. As a matter of good practice, however, it will be worth keeping an eye on any changes to domestic laws of the relevant Member States in the event that new laws create further hoops for U.K. businesses to jump through in the future.  
EEA Data Flows to the U.K. 
Transfers of personal data from the EEA into the U.K. are not as simple. From 29 March 2019, in the event of a “no deal,” the UK will automatically become a "third country" (i.e., a country outside the EEA). At this point, businesses that transfer personal data from the EEA to the U.K. will need to find a GDPR compliant mechanism to continue doing so. If your company is U.K. based, this may impact the ability of your European customers to do business if your products/services include the transfer of personal data (e.g., a provider of payroll services to businesses with EU-based divisions and employees.) 
The government doesn't appear to be particularly concerned with this predicament, as it seems to be hedging its bets that the Commission will soon declare such transfers lawful on the basis of an adequacy decision (a decision that the U.K. has an adequate level of data protection to ensure the safety of personal data outside the EEA). One can see why it would be logical for the Commission to arrive at this conclusion—the theory being that our domestic data protection law will not have changed and the GDPR will still take effect in the U.K. by virtue of the implementing legislation.  
In comparison to the current 12 countries that have benefited from an adequacy decision thus far, the U.K. stands in a favourable position as traditionally it has been one of the Member States that to date has adopted a high standard when it comes to implementing European data protection laws. In addition, the U.K. has one of the most sophisticated and influential data protection regulators in the EU and a long history of operating in line with the Commission's approach to the security of personal data.   
However, upon closer inspection, there are a few flies in the adequacy ointment.   
  • Firstly, the Commission can only make an adequacy decision in relation to a third country, but the U.K. will not become one until 29 March 2019. The Commission has, to date, not announced a proposed timetable for this process.  
  • Secondly, adequacy decisions have historically been time consuming, involving a multi-stage procedure that includes obtaining the approval of the remainder of the EU.  
  • Thirdly, it's not just the fact that the GDPR will continue in place in the U.K., which the Commission will take account of; it will also look at the wider regulatory landscape and the extent to which surveillance laws such as the Regulation of Investigatory Powers Act 2000 could override the rights of data subjects.  
  • Finally, adequacy decisions are not indefinite. These decisions are subject to ongoing review and therefore are capable of being withdrawn at any time, which would bring U.K. businesses back to square one regarding their ability to process data from the EEA.  
What can you do? 
While the U.K. awaits its adequacy decision, the GDPR provides for a seemingly more straightforward solution: contractual "model clauses."  
Many U.K. businesses are already familiar with standard, contractual clauses, drafted and approved by the Commission. By requiring recipients to adopt these model clauses, controllers can use them as a mechanism to ensure the safety of personal data being sent outside of the EEA. Many businesses—such as an EU-based company using a U.S. entity for data hosting facilities—have done this as part of their GDPR compliance programme. For now, model clauses seem to be the most practical solution for businesses that rely on the in-flow of personal data from the EEA. 
Are there any other options? 
It may be possible for businesses to rely on the derogations set out in the GDPR for specific situations that allow for the transfer of data from the EEA to a third country in the absence of an adequacy decision or other safeguards. Examples include explicit consent, contractual necessity and cases relating to legal claims. However, use of these derogations is only permitted if they are used in specific situations and if certain conditions are satisfied.  
Moreover, many of the derogations under Article 49—including the contractual necessity and legal claim derogations—can only be used occasionally and when necessary ("requiring a close and substantial connection between the data transfer and the purposes of the contract.") This means that in practice, while the derogations could be useful for occasional transfers in particular circumstances, they are unlikely to be an effective solution in the long term.    
Clearly there are a number of factors to consider when evaluating the future ability to transfer data from the EEA into the U.K., regardless of the outcome of the current Brexit negotiations. While a lot of us will be keeping our fingers crossed for a speedy adequacy decision, it would be prudent to analyse the data flows into your business and their current legal basis to identify if any are at risk post-Brexit. If your company is based in the U.K., you should also review your existing customer contracts for clauses with absolute prohibitions on transferring personal data outside the EEA.
Next steps
The most sensible option to ensure you are able to continue receiving data from the EEA seems to be the implementation of model clauses by 29 March 2019. Adopting model clauses is a relatively quick and easy process but the first step will be to invest time sooner rather than later to:
  • pinpoint your material data transfers;
  • work out the data flows; and
  • identify with whom you might need model clauses to govern transfer.
Once you’ve undertaken the analysis above, the implementation of the model clauses could be postponed until the start of next year, in case of further developments. 
Ultimately, everyone will be waiting to see the lay of the land following the Brexit negotiations. There has been some suggestion that contingency plans drawn up by Brussels for a “no deal” scenario may well provide some limited relief to secure data flows in from the EEA. However, as no detail has been provided, much depends on how the all-important divorce talks progress over the coming weeks/months.
November 2018
The information in this article was correct at the time of writing. However, the position may alter as Brexit negotiations progress. 

About The Author

Anita Sivapalan's picture

Anita is an associate in the Commercial, IP and Technology department at Travers Smith. She advises on IT outsourcing projects, large scale service contracts and software development. Anita also advises on intellectual property issues and data protection, including GDPR compliance.

James Longster's picture
James is a Partner in Travers Smith Commercial, IP & Technology Department. He specialises in Technology, Data Protection and Intellectual Property and is a member of the firm's Technology and Leisure sector groups.
He regularly advises on major IT implementations, IT outsourcings and software development and licensing issues. James also advises clients on privacy and confidentiality issues, including GDPR compliance. His practice also covers all areas of intellectual property rights, with a particular focus on franchising, branding and copyright issues.