Brexit and GDPR

Under current plans the UK will become – for data protection purposes – a “third country” when it leaves the EU. Although the UK Government has stated that the rules for transferring personal data from the UK to the EU will remain the same, any transfers from the EU to the UK will need to satisfy the “export” clauses in Articles 44 to 49 of the General Data Protection Regulation. These rules could be enforced – as in my blog post on GDPR for universities in North America – by EU regulators prohibiting particular data exports (though I’m not aware of this happening for current third countries), by exporting organisations deciding that transferring data is too risky, or by individuals objecting, either to the exporting organisation or to their national courts.

The simplest solution for transfers from EU to UK would be if the UK were to receive an “adequacy decision” under Article 45, stating that it provided adequate protection for personal data. The current political declaration agreed by EU and UK negotiators suggests that such a decision might be made in 2020 with current arrangements applying during the agreed transition period. In case this agreement is not implemented, however, the UK Government recommends that any organisation receiving personal data from EU partners should ensure that these transfers are covered by contracts including the EU-approved Standard Contractual Clauses (SCCs). Unlike an adequacy assessment, this can be done before the UK leaves.

Where organisations receive information direct from individuals, they may need to provide additional information and assurances about how the data and individuals’ rights will be protected, as there may be uncertainties whether these can still be enforced under EU law.

UK-hosted cloud services are likely to join other non-EU providers in offering SCCs to their international customers. UK organisations are likely to be able to continue to use EU-based clouds as at present: although retrieving personal data from such a cloud might possibly constitute an “export”, this does not seem to have concerned Regulators so far. [UPDATE: there is no mention of it in the Irish DPC guidance on no-deal Brexit.]

Note that the UK’s Data Protection Act 2018 incorporates the export clauses along with the rest of the GDPR, so any UK organisation exporting personal data to the rest of the world will continue to be responsible for ensuring that those provisions are satisfied. This could involve the same UK organisation having to accept SCCs as an importer from the EU, and to insist that other (non-EU) organisations accept SCCs when it exports personal data to them.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
