Out-Law News 2 min. read
13 Aug 2018, 5:00 pm
Anna Flanagan of Pinsent Masons, the law firm behind Out-Law.com, said that she has already helped a number of businesses review their data transfer arrangements to account for Brexit risks.
Flanagan said all businesses should consider their data transfer options for a range of scenarios that could arise from the UK's exit from the EU. This includes the possibility that the UK will not immediately benefit from a so-called 'adequacy decision' from the European Commission in respect of data protection, she said.
EU data protection law puts restrictions on the transfer of personal data outside of the European Economic Area (EEA). One way in which organisations can transfer personal data outside of the trading bloc is where they do so to a country that benefits from a so-called 'adequacy decision' of the European Commission.
Countries that benefit from an adequacy decision are considered to have laws essentially equivalent to those that safeguard personal data inside the EEA. Where an adequacy decision has been issued, data transfers between the EU and those third countries are said to be automatically compliant with EU data protection laws. Canada, Switzerland and New Zealand are among the countries that benefit from a Commission adequacy decision.
Flanagan said: "Assuming we are not in the EEA when Brexit occurs, the UK will become a 'third country' for the purposes of EU law, which will potentially impact personal data exports from EU to UK. While an adequacy decision is likely to be the least disruptive option for UK businesses, the prospect of a ‘no deal’ Brexit makes the likelihood of an immediate adequacy decision unlikely, not least because to seek an adequacy decision a country must already be outside of the EU, and historically adequacy decisions have taken on average around 28 months to be granted."
While the UK has implemented the EU's General Data Protection Regulation (GDPR) in full via the new UK Data Protection Act 2018, the inclusion of exemptions around immigration and the existence of significant powers for UK authorities in relation to communications surveillance, as included the Investigatory Powers Act 2016, could potentially cause issues for the UK when seeking an adequacy decision, Flanagan said.
"With that in mind, we are increasingly seeing clients prepare for an outcome whereby no adequacy decision is immediately available on 29 March 2019 or indeed at all," she said. "The GDPR sets out that it is not permissible to transfer personal data outside of the EU to a third country without an adequate safeguard in place, and infringement of this provision could result in a fine of 4% of a business' annual global turnover or €20 million, whichever is highest."
Flanagan said that one of the biggest data issues multinational businesses are concerned about is how intra-company transfers of personal data could be impacted by Brexit. They are keen to ensure that their UK offices and operations can access and transfer personal data into and out of their EU offices and operations, she said.
Businesses can address some of the risks of disruption to such operations through contingency planning, she said.
Flanagan said: "For example, for intra-company transfers, businesses should consider whether binding corporate rules could be put in place in time for 29 March 2019. Alternatively, organisations can implement standard contractual clauses, known as ‘model clauses’, which can be utilised to act as an adequate safeguard."
"We also recommend that clients begin reviewing their contracts to ascertain whether there are clauses with absolute prohibitions on transferring personal data outside of the EU and take steps to address this in the context of the UK becoming a third country. It will also be important to review privacy notices to consider what data subjects understand about the movement of their personal data inside and outside of the EU and amend as appropriate," she said.
Flanagan was commenting after a report by the Financial Times highlighted the actions being taken by some businesses in response to Brexit risks to data flows.