If your company holds or collects data in the US, the UK and elsewhere in the EU, you should be mapping out how that data flows between those jurisdictions in anticipation of the UK "crashing out" of the European Union in October, as currently anticipated, or otherwise in the near future. We have no reason to believe that the EU will make data transfers easy for companies in that circumstance.
Under EU data protection law (the GDPR), no one may send, grant access to, or otherwise transfer personal data to a country outside the European Union/European Economic Area (EU/EEA) unless the European Commission has made a formal decision that the destination country's data protection regime is "adequate," or another approved safeguard or exception applies. Adequacy for these purposes means that the country protects personal data in a manner essentially equivalent to the EU. To date, the European Commission has recognised only Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to companies certified under the Privacy Shield framework) as providing adequate protection.
Without an adequacy decision, data cannot flow freely: companies must implement another protection mechanism (e.g., specific contract terms approved by the Commission) or fall within one of a limited set of exceptions. Transfers made without an adequacy decision, an approved safeguard or an applicable exception are unlawful under EU law and can lead to fines or other enforcement action against the offending business.
After a no-deal Brexit (currently scheduled to take effect on 31 October 2019), the UK would change in an instant from being part of the EU data protection regime to being an outside ("third") country with no adequacy evaluation. The fact that UK laws, policies and enforcement were clearly adequate up to the day of exit (and for the previous 25 years) will likely not be a consideration, as the EU has little incentive to make business easier for the UK after a complete rejection of the EU and a subsequent refusal to accept the negotiated terms for departure.
Even if the EU were inclined to assist, once the UK has become a third country the Commission would have to follow the detailed procedure for making an adequacy decision under GDPR Article 45. This means there would inevitably be a delay before any such decision could be made and formally applied. The EU will likely take its time, perhaps two or three years, to complete an adequacy evaluation for the UK. Nearly everyone expects adequacy status to be granted eventually, but not right away. This leaves many companies in a quandary.
A particular challenge arises where an EU/EEA-based processor sends personal data to the UK. There seems to be no way to assure compliance with EU data protection law where data processed in the EU flows back to its source, a data controller in the UK. This is because there is currently no EU-approved set of "standard" or "model" contractual clauses for use by an EU/EEA-based data processor when sending data to a data controller in a third country. It also reflects the European Data Protection Board's firm statement that the exceptions set out in GDPR Article 49 (the "derogations") are intended for use only in relation to processing that is "occasional" or "non-repetitive." Consequently, the derogations cannot be used to support a "business as usual" flow of data. Given these difficulties, businesses should map their data flows and check that any data critical to UK operations will not be trapped within the EU/EEA following a no-deal Brexit.
For flows from the EU to the US, or from the EU to the UK once it becomes a third country, two companies can simply adopt the standard contractual clauses approved by the European Commission (which cannot be amended unless the changes are approved by regulators). But these clauses only cover transfers from controller to controller or from controller to processor, not processor to processor or processor to controller. So, if the standard clauses cannot be used for a processor-to-controller transfer absent an adequacy determination or some other change in EU law, what options exist? At the moment, each of the remaining options has been characterised by EU regulators as a violation of EU law in one manner or another. Companies in this situation may need to make a risk-based decision without being able to eliminate the legal risk entirely.
We continue to watch for developments on how to ease this transition. The European Data Protection Board has published an information note on the topic, emphasising that a no-deal Brexit will require mechanisms to be put in place to allow for the continued flow of personal data from the EU/EEA to the UK. The Information Commissioner's Office (the UK data protection regulator) has advised the same. Womble Bond Dickinson has dozens of privacy lawyers in the US and the UK who can assist with these Brexit issues as the no-deal date (31 October 2019) approaches.