Happy Data Protection Day! GDPR, no deal Brexit and the Crown Dependencies
Today (28 January 2019) marks International Data Protection Day, the day on which the Council of Europe’s “Convention 108” on Data Protection was opened for signature. The event is celebrated around the world and few could argue the topic has ever had a higher profile. GDPR has brought awareness of privacy rights to the forefront of many businesses' agendas in a manner which has highlighted the tensions around legal and ethical uses of data in our digital age.
It is somewhat ironic that at a time when the international community is celebrating a construct of the EU, the UK Parliament is set to debate and vote on the Government’s revised Brexit proposals. Many businesses in the Crown Dependencies remain concerned about the impact of a "no deal Brexit" on their ability to freely exchange data with clients, suppliers and group companies in the UK, so we’ve summarised our thoughts on the position, for you to mull over whilst enjoying what might be your last continental breakfast.
What's the problem?
Whilst the UK continues to be a member of the European Union, under the 2018 revisions to data protection laws across the Crown Dependencies, businesses are free to transfer personal data to the UK, subject to the same restrictions as though they were transferring it to a controller or processor next door. Under the original Withdrawal Agreement, this would be permitted to continue during the Transition Period (i.e. until 31 December 2020). During this time (alongside the negotiations for a new trade agreement), an adequacy decision would be issued by the European Commission allowing free flows of data and putting the UK on the same footing as the Crown Dependencies (all of whom have had adequacy decisions in place for a number of years).
However, the political landscape is nothing if not fluid at the moment, so there is much uncertainty as to whether adequacy could be obtained (Japan only recently received adequacy, after a process lasting several years), or indeed what any deal would mean for data flows. It is worth noting that given the importance of international data flows, it is difficult to envisage a scenario whereby the EU does not reach a positive deal with the UK, as it is in everyone’s interests to do so.
If there is a "no deal Brexit" on 29 March 2019, then the UK will neither be a member of the EU, nor will it have an adequacy decision. It will therefore be caught by the general prohibition within GDPR on the transfer of personal data to so-called ‘third countries’ unless there are adequate safeguards in place. Whilst there are mechanisms to facilitate the transfers, this would create a significant administrative and cost burden for businesses. For all the talk of queues at ferry terminals and delays in the importing of goods, if the free flow of personal data to and from the UK were affected in this way, it would have a far greater impact on businesses, especially in the financial services sector.
What are the Governments of the Crown Dependencies doing about it?
All three Governments are in various stages of their Brexit contingency planning, dealing with a whole array of potential issues and maintaining dialogue with the UK Government and Europe. The only jurisdiction so far to publicly confirm what steps it intends to take is Guernsey, which reserved the ability to “designate” certain jurisdictions as having appropriate data protection standards. Draft legislation has been prepared to formally designate the UK as an authorised jurisdiction until the end of the Transition Period. If passed, this would mean that Guernsey businesses could continue to freely exchange personal data with the UK in the event of a "no deal Brexit". It will be interesting to see whether Jersey and the Isle of Man follow suit.
What can my business do to prepare for it?
Most responsible businesses are in the process of preparing their own Brexit contingency plans to understand what – if anything – they actually need to do about it. The good news is that even if the UK becomes a “third country”, there are steps that businesses can take to avoid any interruption in the free flow of data, by having in place adequate safeguards. Businesses may be able to use binding corporate rules (BCRs), rely upon the EU model clauses or have specific agreements in place. Many large businesses with offices outside the EU already rely on group data sharing agreements that comply with these standards. For those businesses, it may simply be a case of checking that UK group companies are bound by these obligations in the same way as existing non-EU companies.
We are working with a range of clients on such agreements, advising on maintaining data flows, drafting BCRs and checking contractual arrangements with suppliers, all of which might be impacted.
Where you are sharing information outside of a group, for example, if you use a data processor in the UK to run payroll or undertake screening checks on your clients, then you will need to ensure that contracts are updated to incorporate the appropriate EU model clauses, or similar. There is no clear timetable at present as to when and in what form Brexit might actually happen, but once the position is clear, it will be essential to have appropriate mechanisms in place so that data flows are not interrupted.
On that merry note… Happy Data Protection Day!