What if there’s no Brexit deal?
Where does a no deal scenario leave our obligations under EU data protection principles?
The Government has published a short guidance note on what businesses might need to do in the event that we exit the European Union without agreement. It states that whilst a no deal scenario is unlikely given the mutual interests of the UK and the EU in securing a negotiated outcome, the Government has a duty to prepare UK organisations for all eventualities.
In the UK, the GDPR and the Data Protection Act 2018 together provide a comprehensive data protection framework. Of course, the DPA 2018 will apply regardless of whether we leave the EU with or without a deal so the UK’s data protection standards remain unaffected.
However, the GDPR will only be incorporated into UK law through the enactment of the European Union (Withdrawal) Act 2018 if there is a deal in place. This means that transfers of personal data from organisations established in the EU to those in the UK will change.
In the event of no deal, the European Commission can issue an “adequacy decision” which would allow for personal data to continue to be transferred between the UK and the EU. However, an adequacy decision cannot be made until the UK leaves the EU and becomes a “third country”. There is currently no timetable in place for finalising an adequacy decision, so the UK will be in a lacuna until one is made.
The Government states that you should “proactively consider what action you need to take to ensure the continued free flow of data with Europe’s partners”. In the majority of cases, this will mean relying on an alternative legal basis for transfer, namely the standard contractual clauses adopted by the Commission.
Why is this important?
As the Government says, if the unthinkable happens, we need to be ready. Does that mean we need to start thinking about putting in place the standard contractual clauses with our European counterparts? Sadly, in the Government’s own words, “yes”.
Any practical tips?
A no deal scenario is far from an impossibility. The good news (we hope) is that most businesses are by now GDPR compliant, in that they already have processing and/or controller terms in place with their vendors and customers etc. This should mean a more formulaic approach to setting up the model contract clauses - in other words, the task should not require negotiation of full processing or controller terms, but instead ‘simply’ signing up the relevant parties to the standard clauses. Then again, this is hardly an exciting prospect for GDPR-weary businesses and their lawyers. Let’s hope, if only from a data compliance perspective, that the unthinkable really doesn’t happen…