What about international data transfers if there is a no-deal Brexit?
The UK government’s Department for Digital, Culture, Media & Sport (DCMS) has published guidance on how our laws will work with EU law once Brexit is complete. The guidance does not cover sector-specific requirements such as law enforcement and applies irrespective of whether a deal is reached in time, or not.
In the first instance the EU Withdrawal Act will enshrine the current GDPR into UK law, and the UK Data Protection Act 2018 will remain in force. There will, therefore, be no immediate change in the UK’s data regulation standards, and the government has stated that there will be no restrictions on data transfer from the UK to the EU, which can continue exactly as before.
However, unfortunately that is not the case with respect to data transferred from the EU to the UK after Brexit since the GDPR only allows transfer of personal data outside the EEA where certain conditions are met. Once of these is where the EU has opined that a country’s data protection law provides the same level of protection as GDPR. In that case, that country can be declared adequate and data may be transferred without difficulty.
However, the European Commission is unable to consider such a decision until such time as the UK has left the EU and become a third country. If no way around this can be negotiated then at the time of Brexit the DCMS anticipates reliance in the immediate term on the European Commission’s approved model clauses to comply with GDPR. These clauses on the handling of personal data should be used by UK businesses, the DCMS advises, in establishing a legal basis for data transfers to them from EU partners.
The Information Commissioner’s Office (ICO) is, and will remain, the UK’s independent supervisory authority on data protection matters. It has published additional guidance and is available to assist UK businesses in their no-deal scenario planning. The DCMS advises businesses to take a proactive approach to this planning, and to work with the ICO without delay in order to avoid potential problems.