No-deal Brexit guidance: Data protection
The Law Society has published guidance for solicitors that highlights the changes in civil and commercial cooperation that will occur should the UK leave the EU on 29 March 2019 without having reached an agreement with the EU.
In this scenario, the EU and UK will have failed to sign a withdrawal agreement (governing the terms of the UK’s departure from the EU) and an agreement governing the future relationship between the two parties.
The UK will immediately leave the EU’s institutional structures without a transition period. In many areas, cooperation between the UK and EU will cease, and the applicable legal regime in many practice areas will change.
In this article we consider the implications of lawful transfers of EU personal data in the UK without an adequacy decision. In particular, we consider Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), certification and codes of conduct, and derogations.
Key points to consider relating to data protection:
- Solicitors should review the data flows and transfer mechanisms in their firms to make sure there will be no breach in their data operations if there is a no-deal Brexit. This includes transfers of personal data from the EU to the UK and onward transfers of that data from the UK to third countries (in particular where contracts include clauses where transfer of data outside of the EU is prohibited).
- Solicitors should review which of the safeguards described in the guidance is best suited to the needs of their firm (SCCs, BCRs, etc).
- If at present firms rely on the SCCs in transferring EU personal data outside the EEA to another controller or a processor outside the EEA, they should consider using a different mechanism.
- Alternatively, solicitors may wish to consider changing their firms’ data flows in relation to EU personal data so that it is transferred from an EU data exporter directly to a non-EEA/non-UK data importer under an appropriate data transfer mechanism (eg SCCs).
- In case a firm’s processing relies on consent obtained while the UK is still a member of the EU, solicitors should consider obtaining it again, as it is unclear at the moment whether UK businesses relying on consent in processing EU personal data can continue to do so following a no-deal Brexit. Solicitors should examine the consent language to see if it specifically covers the transfer of personal data obtained outside the EEA.
- Solicitors should review their privacy policies so that clients understand the movements of their personal data in and outside of the EU.
- Firms that have an office in another EU country or process EU personal data should consider other aspects of local privacy laws in that country, as GDPR allows for local variations (eg in relation to data breach notifications, or appointment of a data protection officer).
- Firms that have offices in other EU states and have nominated the Information Commissioner’s Office (ICO) as their Lead Supervisory Authority (LSA) through the ‘one stop shop’ principle under the GDPR will need to consider nominating another EU regulator.
- Firms that will process personal data but do not have an office in another EU state might have to appoint an EU representative and update privacy notices to include their contact details.