Transfer of Personal Data in the UK after Brexit
As is already known, on the 30th of March 2019 the United Kingdom (UK) is leaving the European Union (EU) and, although numerous negotiations are taking place regarding an exit plan, the possibility of a “no deal” between the EU and the UK still holds.
In case there is no deal, EU law, including the General Data Protection Regulation (GDPR or Regulation) 2016/679, will cease to apply in the UK, and the UK shall be considered a third country under the GDPR. This article aims to explain how companies that have transactions with UK companies will be affected and what they need to know.
GDPR rules regarding the transfer of data outside the EU
The GDPR imposes a number of obligations on companies that process “personal data” within the EU, and failure to comply with the Regulation might result in extremely large fines. Although one of the main goals of the GDPR is to promote the free movement of personal data between the members of the European Economic Area (EEA), the Regulation prohibits the transfer of personal data to third countries (outside the EEA) or international organisations. The transfer of personal data to such countries is subject to very strict data transfer rules set out in articles 44-49 of the Regulation. In a nutshell, transfer to third countries is permitted if:
- There is an adequacy decision by the European Commission, meaning that the European Commission has decided that the particular country ensures an adequate level of protection and therefore a transfer shall not require any specific authorization.
- For transfers to other countries, a company may transfer personal data if there are binding corporate rules, an approved code of conduct, standard data protection clauses or an approved certification mechanism. It is noted that, for most companies, the feasible option is the standard data protection clauses published by the European Commission.
- Further, a transfer of personal data could take place on one of the following conditions: (i) explicit consent of the data subject, (ii) the transfer is necessary for the performance of a contract, (iii) the transfer is necessary for public interest reasons, (iv) the transfer is necessary for establishing, exercising or defending legal claims, (v) the transfer is necessary in order to protect the vital interests of the data subject or other persons, (vi) the transfer is made from a register which is intended by law to provide information to the public (all together considered as the Derogations). It is noted that the Derogations can only be used in the absence of Standard Data Protection Clauses or other alternative appropriate safeguards (paragraph b).
The UK after the 30th of March 2019, in case of a “no deal”
After the 30th of March, if there is no deal between the UK and the EU, the UK will be considered a third country. There will be no automatic adequacy decision, therefore companies in the EU will need to apply standard data protection clauses or the Derogations for transfers of data to the UK.
The Information Commissioner’s Office of the UK (ICO) has published a series of articles and directives in order to assist companies within the UK regarding the new status that shall apply and, at the same time, to assist companies cooperating with and transferring data to the UK. More information is available at: https://ico.org.uk/for-organisations/data-protection-and-brexit/.
At the same time, the European Commission and the European Data Protection Board (EDPB) have also published some announcements regarding data protection and Brexit. Companies that have business relationships with companies in the UK (including the transfer of personal data) are encouraged to start amending their contracts with the UK companies, adding Standard Data Protection Clauses to their agreements or making sure that the data transfer is in accordance with the Regulation, with emphasis on the principle of accountability and on the fact that private parties also have to be prepared for the withdrawal of the UK from the Union.
In general, companies are advised to “plan for the worst”, assume that there will be a “no deal” and that the UK will become a third country.
UK’s adequacy decision
“Adequacy” is the term given to countries outside the EU that have data protection measures that are deemed essentially equivalent to European standards. Given that the Data Protection Act 2018 (the UK’s data protection legislation) includes almost the majority of the Regulation’s provisions, one could assume that the European Commission could easily decide that the UK provides not just an adequate level of protection but the same level of protection of personal data.
However, many argue that the Commission might not be eager to provide an adequacy decision for the UK, taking into account that this decision can often be politically oriented and that the UK will have just withdrawn from the European Union. Others believe that the European Commission will use this opportunity to take a more detailed look at the UK’s crime and national security legislation (such as the Investigatory Powers Act 2016, which has been criticized by the European Court of Human Rights for offering too much power to intelligence services). Even if the European Commission proceeded with an adequacy decision, the process lasts several months or even years.
Therefore, companies (in the UK, and in the EU that have business relationships with the UK) should immediately consider how they will be able to function and transfer data after the 30th of March 2019 (the UK’s exit from the EU). Cypriot companies that have business relationships with UK companies and usually transfer data from the EU/Cyprus to the UK should consider the UK a third country and immediately apply to the UK the measures that they already apply for other countries, such as amending their agreements with the UK companies to include the Standard Data Protection Clauses, applying binding corporate rules or examining whether any of the Derogations of article 49 apply.
 The European Commission has so far recognized Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan (on 23/1/2019). There is also a specific agreement with United States of America regarding data transfer, the Privacy Shield, which is limited to organisations in the US who sign up to the Privacy Shield framework.
 According to article 47 of GDPR.
 According to article 40 of GDPR.
 According to article 42 of GDPR.
 The Standard data protection clauses are available here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
 See https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-02-12-infonote-nodeal-brexit_en.pdf and https://ec.europa.eu/info/sites/info/files/file_import/data_protection_en.pdf. Furthermore, the Cypriot Data Commissioner has published a relevant announcement as well at the following link: http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/FFF49D18640DA74CC2258393002BCB94?OpenDocument .