The EU and the UK are currently negotiating terms and need to agree the future of their relationship by 31st December 2020, or face a no-deal scenario ("No-deal Brexit").

In the event of a No-deal Brexit, the UK will become a "third country" within the meaning of the EU General Data Protection Regulation ((EU) 2016/679) ("GDPR"). The effect of this is that data transfers will no longer be considered as intra-EU transfers of data. Therefore personal data will no longer be permitted to flow from the European Economic Area ("EEA") to the UK without additional safeguards.

The European Commission can determine, whether a country outside the EEA offers an adequate level of data protection by adopting what is termed an ‘adequacy decision’. International data transfers to countries for which the European Commission has adopted an adequacy decision do not require the implementation of any additional measures.

The European Commission has already stated that Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay provide adequate protection. Prior to a recent ECJ decision (Schrems II) the United States of America were also recognised as providing adequate protection.

In the event of a No-deal Brexit it could take some time for the European Commission to make an adequacy decision in relation to data transfers from the EU to the UK. During this period, and afterwards, if it is found that the UK does not have an adequate regime, EU-based entities must adopt one of the mechanisms provided for in the GDPR to transfer data to the UK. These are:

1.     standard contractual clauses adopted by the European Commission ("SCCs");

2.     binding corporate rules ("BCRs");

3.     codes of conduct; or

4.     certification mechanisms.

WHAT TO DO NOW?

In light of the uncertainties around the outcome of the negotiations at the end of the transition period, EU-based entities should put in place the necessary measures to transfer personal data to the UK in compliance with the GDPR (relying on one of above grounds).

The most pragmatic of these options is probably to adopt the SCCs and businesses with EU entities would be wise to start amending existing contracts now to include such clauses and ensuring that all new contracts contain these provisions.  Please note that different sets of Standard contractual clauses are available on the European Commission's website depending on the role of the UK entity receiving the personal data (either as a Data Controller or a Data Processor).

THE DECISION IN SCHREMS II

Although it is considered likely by many commentators that the European Commission will find the UK’s regime adequate, thereby negating the need for such additional measures, there is a concern given the decision in Schrems II, that the European Commission will find the UK regime inadequate and/or unable to comply with SCC’s.

In the case now known as Schrems II the ECJ considered that the requirements of U.S. domestic law, to enable access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, resulted in limitations on the protection of personal data which are not equivalent to those required under EU law, and on that basis declared the Privacy Shield adequacy decision invalid. This decision thereby removed the basis on which EU based entities were legally able to export data to the US.

How is the decision in Schrems II relevant to the UK?

The concern is that as the UK’s intelligence services have similar powers to require the disclosure of data to facilitate its security investigations as that of the US, the UK may be tarred with the same brush as the United States whose surveillance laws were deemed too intrusive and exploitative of EU personal data.

We must wait for the European Commission to determine this but for the time being businesses might consider adopting the SCC’s as outlined above, and keeping abreast of latest guidance issued by the Information Commissioner (ICO).