No-deal Brexit guidance: Data protection
The Law Society has published guidance for solicitors that highlights the changes in civil and commercial cooperation that will occur should the UK leave the EU without having reached an agreement with the EU.
In this scenario, the EU and UK will have failed to sign a withdrawal agreement (governing the terms of the UK’s departure from the EU) and an agreement governing the future relationship between the two parties.
The UK will immediately leave the EU’s institutional structures without a transition period. In many areas, cooperation between the UK and EU will cease, and the applicable legal regime in many practice areas will change.
In this article we consider the implications for lawful transfers of EU personal data to the UK without an adequacy decision. In particular, we consider Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), certification and codes of conduct, and derogations.
Key points to consider relating to data protection:
- Solicitors should review the data flows and transfer mechanisms in their firm to make sure there will be no breach in their data operations if there is a no-deal Brexit. This includes transfers of personal data from the EU to the UK and onward transfers of that data from the UK to third countries (in particular where contracts include clauses prohibiting the transfer of data outside the EU).
- Solicitors should review which of the safeguards described below is best suited to the needs of their firm (i.e. SCCs, BCRs, etc.).
- If at present firms rely on the SCCs in transferring EU personal data outside the EEA to another controller or a processor outside the EEA, solicitors should consider putting in place a new mechanism for that transfer.
- Alternatively, solicitors may wish to consider changing their firms’ data flows in relation to EU personal data so that it is transferred from an EU data exporter directly to a non-EEA/non-UK data importer under an appropriate data transfer mechanism (e.g. SCCs).
- In case a firm’s processing relies on consent obtained while the UK is still a member of the EU, solicitors should consider obtaining it again, as it is unclear at the moment whether UK businesses relying on consent in processing EU personal data can continue to do so following a no-deal Brexit. This applies in cases where the consent had been obtained when the UK was still a member of the EU and does not specifically cover transfer of personal data outside the EEA. Solicitors should closely examine the consent language to see if it specifically covers the transfer of personal data outside the EEA.
- Solicitors should review their privacy policies so that clients understand the movements of their personal data in and outside of the EU.
- If you have an office in another EU country or process EU personal data, you should consider other aspects of local privacy laws in that country, as the GDPR allows for local variations (e.g. in relation to data breach notifications or the appointment of a data protection officer).
- If you have offices in other EU states and have nominated the ICO as your Lead Supervisory Authority (“LSA”) under the One Stop Shop principle, in a no-deal Brexit scenario the ICO will not be able to remain the LSA in relation to EU personal data, and you need to consider nominating another EU regulator as your LSA for the EU personal data, chosen in accordance with the GDPR requirements. In case you do not have an office in another EU state but will process EU personal data, you might have to appoint an EU representative and update your privacy notices to include their contact details.