No-Deal Brexit—Preventing Disruption to Data Transfers

The EU Data Transfer Rules 

From 1 January 2021, the United Kingdom will be a "third country" for the purposes of the EU General Data Protection Regulation ("GDPR"), and companies in the EEA may transfer personal data to the United Kingdom only by using an approved data transfer mechanism (such as the EU Standard Contractual Clauses ("SCC") or Binding Corporate Rules ("BCR")) or where one of the GDPR exceptions applies. The exceptions are unlikely to apply to regular data transfers. 

In time, it is possible that the EU Commission will grant the United Kingdom an "adequacy decision" (establishing that the United Kingdom's data protection regime is "essentially equivalent" to that of the European Union). This would allow transfers without additional measures being taken. The UK Government's position is to maintain a close alignment with EU data protection laws and to seek such a decision. However, this will take time and is by no means certain. 

For the moment, there is no equivalent issue for data transfers from the United Kingdom to the EEA. The United Kingdom has issued guidance stating that, given the alignment of the United Kingdom and the EU data protection rules, UK companies will continue to be able to send personal data to the European Union after 31 December 2020. This position will be kept under review.  

In addition, data transfers from non-EEA countries to the United Kingdom will need to comply with the data protection rules of those countries. Where a country has an existing EU adequacy decision (such as, for example, Canada, Japan, or Switzerland), it is likely to have rules restricting data transfers to third counties (which will, after 31 December 2020, include the United Kingdom). The position for specific country transfers should be checked. 

Required Steps 

Anyone making regular transfers of personal data from the EEA to the United Kingdom should implement a legal transfer mechanism by 31 December 2020. Those using SCCs should also bear in mind the impact of the recent Schrems II decision and the upcoming SCCs which are currently expected to be adopted in early 2021 (see our Commentary, "Ensuring International Data Flows After Schrems II"). 

In addition, the GDPR applies to non-EU based companies that sell to or monitor individuals in the European Union. From 1 January 2021, UK companies carrying out such selling or monitoring must appoint an EU representative unless their processing is occasional, does not include, on a large scale, special categories of personal data (such as health data) and is low risk.  

The United Kingdom has equivalent provisions for non-UK companies, which from 1 January 2021 will apply to EU companies that sell to or monitor individuals in the United Kingdom.  

Companies should assess if either requirement applies to them and appoint any necessary representatives. They should also update their GDPR notices to data subjects to reflect the post-Brexit situation. This means transfers to the United Kingdom need to be referred to as third-country transfers, including a reference to the safeguards used (such as SCC or BCR) and where those can be obtained. The records of processing activities should also be updated to reflect the data transfer mechanisms in place for transfers to the United Kingdom.  

Finally, companies should address these issues with their key suppliers in the European Union and in other countries with transfer restrictions applicable to the United Kingdom as a third country in order to avoid critical interruptions in the supply of goods and services.