On 11 December the House of Commons will vote on the Prime Minister’s Brexit withdrawal agreement but, until then, there are still a number of unanswered questions, including the issue of transferring data internationally post-Brexit.
While the government has assured people and businesses in the UK that they will still be able to transfer any data they want into Europe after Brexit, receiving it as easily has not yet been confirmed by the EU.
Leading Ipswich-based law firm, Prettys, has an expert Data Protection team highly experienced in dealing with a wide range of issues. Matthew Cole heads up the team and explains what could happen following the vote. He also gives advice to organisations on how they should approach their data sharing processes going forward.
What regulations are currently in place?
Under current Data Protection law and the GDPR, if you’re within the European Economic Area (EEA), you are free to transfer data over national borders.
However, if you are transferring data from within the EEA to outside of the EEA, then you can only do it under certain grounds. These are:
- If the third party has an adequacy agreement in place
- If you have explicit consent from the data subjects to transfer their information
- If permission has been given in a contract with the data subject
If none of these factors apply, then a safeguard is required to transfer the data. Safeguards take one of three forms:
- Binding corporate rules
- A contract with European Commission model clauses
- A code of practice that enables transfers, such as the U.S. Privacy Shield
What happens if the withdrawal agreement is passed?
Should Parliament approve the withdrawal agreement, we will not have to worry about data transfer until 31 December 2020. This is when the transition period comes to an end and the withdrawal agreement works towards the parties getting an adequacy agreement.
The transition period will allow the UK to get to a stage where the EU recognises it as an adequate jurisdiction and data can continue to flow as normal.
This should be fairly straightforward, as our country already has good data protection and information regulations in place following GDPR.
What happens if the withdrawal agreement is not passed?
Unless there is some other intervention, such as a second referendum or the revocation of the Article 50 notification, it would mean the UK crashes out of the EU and, ultimately, all bets will be off.
We will effectively become a ‘third country’ from 11.00pm GMT on 29 March 2019. This will make things complicated, as there will be no recognition in place from the EU and no adequacy agreement.
This means that we will be able to continue transferring data into the EU but they will find it much more difficult to receive it.
So, what can businesses do in the meantime?
The first thing businesses need to do is get an audit to indicate where they currently share data in Europe and where data is received.
They also need to be aware of:
- Where their servers are hosted
- If their websites are maintained in other countries
- If they’re using cloud services based in other countries
Once they have established where their data transfers occur, they can then look for any significant data flows between member states and the UK and establish whether they have the ability to continue transferring this data. This may require them to put a safeguard in place.
Binding corporate rules are usually the best option here but, with all the regulatory bodies they need to go through for approval, it would not be possible for a business to get this in place by late March.