Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said new contractual permission will be needed for UK-to-UK 'data transfers' in a no deal scenario where existing contracts governing those transfers prohibit transfers of personal data to an organisation established outside of the European Economic Area (EEA) in a jurisdiction that is not recognised as having data protection laws that are essentially equivalent to the EU data protection laws.
In a no-deal scenario, the UK will be considered a non-EEA country that does not yet have the 'essentially equivalent' recognition, she said.
Currently, UK businesses can freely transfer personal data anywhere within the EEA, unless otherwise restricted by contract. This free flow of information is provided for under EU data protection laws – the General Data Protection Regulation (GDPR).
In a 'no deal' scenario, where the UK exits the EU without a withdrawal agreement that provides for the continued flow of personal data between the UK and EU, UK-based businesses should ensure they have permission under their contracts to continue with existing data transfers within the UK or when putting in place new arrangements, Wynn said.
Wynn was commenting after the Information Commissioner's Office (ICO) issued new guidance on data protection in a 'no deal' Brexit scenario. The UK is scheduled to leave the EU on 29 March 2019. While the UK government has negotiated a withdrawal agreement with the remaining 27 EU countries, the deal has yet to be ratified and it has faced stiff opposition from government backbenchers and opposition parties in the UK.
"While the ICO has highlighted safeguards that businesses can put in place to comply with the GDPR when transferring personal data to the EU in the aftermath of a hard Brexit, such as through the use of EU model clauses, businesses should also consider whether their processing contracts need to be amended, or an understanding reached with the counterparty, to permit personal data to be transferred within the UK post-Brexit," Wynn said.
"This is because it is often the case that the data protection clause in a contract will require consent to transfer personal data to organisations that are established outside of the EEA in a jurisdiction that does have the 'essentially equivalent' recognition. Post-Brexit, transfers of personal data to an organisation established within the UK will, strictly speaking, constitute a transfer of personal data to an organisation established outside of the EEA in a jurisdiction that is not recognised as providing 'essentially equivalent' protection. Therefore, whilst transfers of personal data within the UK will be permitted under the post-Brexit UK data protection law, that transfer could be prohibited under the contract," Wynn said.
"This should not be a contentious issue between the parties to the contract, but organisations should ensure that they have an audit trail of any consent given or obtained, as applicable, as the post-Brexit UK data protection laws will inherit the GDPR's overarching principle of accountability," she said.
The UK government has already taken steps to ensure the GDPR will continue to apply in the UK, at least in the short term, post-Brexit. However, Wynn said that UK businesses should be aware that a no-deal Brexit will not automatically take them outside the potential scope of EU-based regulators.
"In some situations UK businesses would still be subject to EU enforcement of the GDPR," Wynn said. "This includes where UK-based companies outsource the processing of personal data to EU-based data processors and/or where they target their processing of personal data at citizens based in EU27 countries."
"In those contexts, it is worth highlighting that it would only be those specific processing activities that would be subject to the oversight of EU-based data protection authorities and not a UK business' entire data protection compliance programme. Businesses should review their data processing activities on an activity-by-activity and contract-by-contract basis to understand what their risk exposure is before the UK's scheduled leave date in March," she said.
In its guidance, the ICO said UK-based businesses that are not based in any other EU or EEA state but which offer goods or services to individuals in the EEA, or monitor the behaviour of individuals located in the EEA, will need to appoint "a suitable representative in the EEA" to comply with the GDPR.
Public authorities and businesses whose processing is only occasional, low-risk, and does not involve special category or criminal offence data on a large scale, are exempt from this requirement.
"As you will not be an EEA-based controller or processor after exit date, the EU GDPR requires that you must appoint a representative within the EEA," the ICO said. "This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing in this way are located. You will need to authorise the representative, in writing, to act on your behalf regarding your EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect."
Dublin-based data protection law expert Ann Henry of Pinsent Masons recently said that guidance on the territorial scope of the GDPR, issued by the European Data Protection Board (EDPB), could dissuade EU-based organisations from acting as 'representatives' for non-EEA businesses.
UK information commissioner Elizabeth Denham said that her office also plans to issue further guidance for UK businesses that currently rely on approved 'binding corporate rules' for data transfers to "explain how they may be affected" in a no-deal Brexit scenario.