If economic growth in the 20th century was fuelled by the increased speed at which capital could flow around the world, we can expect the 21st to be driven every bit as much by data. The flow of personal data between the UK and other EU countries is vital for the functioning of multinational businesses and the UK and EU economies.
Assuming we are not in the EEA when Brexit occurs, the UK will become a 'third country' for the purposes of EU law, which will potentially impact personal data exports from the EU to the UK. EU data protection law puts restrictions on the transfer of personal data outside of the European Economic Area (EEA). The GDPR sets out that it is not permissible to transfer personal data outside of the EU to a third country without an adequate safeguard in place, and infringement of this provision could result in a fine of 4 per cent of a business' annual global turnover or €20 million, whichever is higher.
Businesses need to put in place contingency plans to address the possibility that the flow of personal data between the UK and 27 other EU countries will be disrupted from the point of Brexit.
It is incumbent on all businesses to consider their data transfer options given the potential scenarios that could arise from the point that the UK exits the EU. This includes the possibility that the UK will not immediately benefit from a so-called 'adequacy decision' from the European Commission in respect of data protection.
Countries that benefit from an adequacy decision are considered to have laws essentially equivalent to those that safeguard personal data inside the EEA. Where an adequacy decision has been issued, data transfers between the EU and those third countries are said to be automatically compliant with EU data protection laws. Canada, Switzerland and New Zealand are among the countries that benefit from a Commission adequacy decision.
While an adequacy decision is likely to be the least disruptive option for UK businesses, the prospect of a ‘no deal’ Brexit makes an immediate adequacy decision unlikely, not least because to seek an adequacy decision a country must already be outside of the EU, and historically adequacy decisions have taken on average around 28 months to be granted.
While the UK has implemented the EU's General Data Protection Regulation (GDPR) in full via the new UK Data Protection Act 2018, the inclusion of exemptions around immigration and the existence of significant powers for UK authorities in relation to communications surveillance, as included in the Investigatory Powers Act 2016, could potentially cause issues for the UK when seeking an adequacy decision.
A further complication is that after Brexit the UK will not be party to the EU-US Privacy Shield, which complicates US data transfers.
With that in mind, we recommend businesses prepare for an outcome whereby no adequacy decision is immediately available on 29 March 2019 or indeed at all. One of the biggest data issues multinational businesses are concerned about is how intra-company transfers of personal data could be impacted by Brexit. This is a particular issue for businesses that have an office in the UK and a second office elsewhere within the EU, for example in Dublin. It is essential for these businesses to ensure that their UK offices and operations can access and transfer personal data relating to employees, customers, suppliers etc. into and out of their EU offices and operations.
For example, for intra-company transfers, businesses should consider whether binding corporate rules could be put in place in time for March 29. Alternatively, organisations can implement standard contractual clauses, known as ‘model clauses’, which can be utilised to act as an adequate safeguard.
We also recommend that businesses begin reviewing their contracts to ascertain whether there are clauses with absolute prohibitions on transferring personal data outside of the EU and take steps to address this in the context of the UK becoming a third country. It will also be important to review privacy notices to consider what data subjects understand about the movement of their personal data inside and outside of the EU and amend as appropriate.
It is precisely one month until the much-lauded deadline summit in Brexit negotiations takes place on October 18. Throughout this painstaking process, business has endured uncertainty on an unprecedented scale. However, if the flow of personal data in and out of the EU is interrupted for even a short period, the impact on organisations will be seismic. And that is certain.
:: Anna Flanagan is an associate solicitor in the information law team at Pinsent Masons