How would a no-deal Brexit impact your organisation's ability to exchange data with EU countries?
12 Oct 2018
A major concern for marketers is what happens to UK-EU data flows if there is no deal on data.
At 11 pm on 29 March 2019, the UK is scheduled to leave the European Union. While Theresa May is striving to secure a new deal with the EU that maintains trading links, including the free flow of data, nothing is certain.
Imagine that come 30 March the UK has not agreed on a new trading relationship with the EU and leaves the bloc with no deal. The UK will have implemented the General Data Protection Regulation (GDPR) regardless and the Government have already passed the Data Protection Act 2018. The UK will have a robust data protection framework.
The Government have also pledged that they would not prevent data from being sent from the UK to the EU. The problem is that under the GDPR an EU-based organisation cannot transfer personal data to an organisation based in a non-EU country unless special safeguards are in place to protect the data in the same way as it would be protected under the GDPR.
There are a number of potential legal solutions to this problem and I will explore them here.
1. Adequacy decision
The European Commission can make a determination that a country outside the EU has equivalent data protection standards to the GDPR and that individuals have equivalent protection and rights as they would do under the GDPR. The European Commission has given adequacy status currently to a number of countries – see. However, the EU has stated that it will not consider an application from the UK for data protection adequacy status until the UK leaves the EU at the end of March 2019. Organisations will, therefore, have to use one of the other methods below for transferring personal data from the EU to the UK while the EU considers the UK’s application for data protection adequacy status. It is hoped that the UK will eventually be granted data protection adequacy status but at the moment we do not know how long the application may take.
2. Standard contractual clauses
The EU Commission allows data to be transferred internationally if an organisation puts in place standard contractual clauses. The Commission has outlined what needs to be included in a contract in order for the data transfer to be valid. Many organisations already use standard contractual clauses, also known as model contractual clauses, to transfer data outside the EU. Using them is relatively easy and doesn’t require external legal help in most instances. Members can always come to the DMA for advice on how to use this option.
However, there is one major drawback to this option. Standard contractual clauses are currently being challenged in the courts by privacy activist Max Schrems, who successfully led a case against the US Government, accusing them of breaching EU data protection standards. The legal challenge to the contractual clauses is ongoing. If Max Schrems wins the case, it is almost certain that the European Commission will produce a revised and updated version of the standard contractual clauses to take account of the court’s decision. An organisation will simply have to update its standard contractual clauses to take account of the revised and updated version.
See the Commission judgement about what you need to include in your contracts.
3. Binding corporate rules
This is for international data transfers within a corporate company. Abiding by binding corporate rules allows a global company to transfer data across its various brands across national borders. In essence, it is equivalent to adhering to a code of conduct, as all parts of the organisation agree to uphold strong data protection safeguards, thereby facilitating the flow of data. However, it is by no means a timely option, as it takes on average 12-18 months to complete and a European regulator, like the Information Commissioner’s Office, must approve it. No one knows whether, post-Brexit, the UK ICO will be able to approve binding corporate rules from UK organisations without reference to other regulators in EU Member States.
To date, it has been mainly large multinational corporations that have subscribed to binding corporate rules. It is not an option for SMEs, nor is it an option available at short notice, due to the amount of preparatory work required, how long it takes and the cost of getting legal support to draft the binding corporate rules. Organisations will likely only have a minimal amount of time between learning of a no-deal Brexit and requiring a new way to transfer data from the EU.
4. Certified codes of conduct
The GDPR allows international transfers to take place if an organisation abides by a certified code of conduct. The DMA Code, for example, could become a certified code of conduct, meaning it would need to follow certain requirements contained in GDPR and be approved by the European Data Protection Board. The EDPB are the supreme data protection authority in the EU.
FEDMA is the body that represents Europe’s DMAs, and their current code, which was based on the 1995 Data Protection Directive, was approved at an EU level. However, it was a lengthy process and took a few years to conclude. Therefore, it is likely that the process will again be drawn out under GDPR, which makes this solution unsuitable in the event of a no-deal Brexit. If and when the new FEDMA Code of Conduct is approved by the EU, it will only be able to be used for the transfer of personal data in relation to direct marketing activities.
These are the four main legal solutions available if the UK leaves the EU without a deal on data. Hopefully, the Government is able to secure a Brexit deal that maintains the free flow of data and minimises disruption for the data and marketing sector. That said, in these turbulent political times, it is better to be prepared.
What would you do?
We would like to know what you would do in the event of a no-deal Brexit come spring 2019. We have prepared a very short survey so please let us know how your business would deal with this possibility.