Further guidance on data transfers in the event of a no-deal Brexit

Following guidance issued by DCMS and the ICO at the end of last year (discussed in our bulletin), the European Data Protection Board (EDPB) has published its own information notice on data transfers from the EEA to the UK post-Brexit in the event of a no-deal.  The notice confirms that, after 29 March 2019, if the UK leaves without a deal, transfers of personal data from the EEA to the UK can only take place using:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules
  • Codes of Conduct and Certification Mechanisms
  • Derogations (including, for example, explicit consent of the data subject)

Personal data transfers from the UK to the EEA will, at least transitionally, be allowed to continue as currently, due to the UK government’s decision to recognise the EU’s data protection regime as adequate.

The EDPB identifies the following five steps that a business should take to prepare in relation to transfers of personal data from the EEA to the UK:

  1. Identify its processing activities that will involve a personal data transfer to the UK
  2. Determine the appropriate data transfer instrument for its situation
  3. Implement the chosen data transfer instrument to be ready for 30 March 2019
  4. Indicate in its internal documentation that transfers will be made to the UK
  5. Update its privacy notice accordingly to inform individuals

The most likely mechanism to be used for such transfers will be SCCs adopted by the European Commission.  The EDPB stresses that these are a ‘ready to use’ instrument and must not be modified (although they can be included in a wider contract, and additional clauses may be included provided they do not contradict the SCCs).

In addition to considering data flows between the UK and the EEA, businesses need to consider data flows from the UK to other territories, and compliance with the new ‘UK GDPR’ that will be in effect on Exit day (through The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – discussed in our bulletin).

In particular, the UK government has decided to adopt adequacy decisions already adopted by the EU, including, in relation to the United States, the partial adequacy decision in the form of the Privacy Shield.  The US Department of Commerce has issued guidance to Privacy Shield participants confirming that they should update their Privacy Shield commitments (i.e., in their Privacy Notices and any relevant HR privacy policy) by Exit day to include reference to the UK, and also to maintain a current Privacy Shield certification. The UK government has also issued a further draft statutory instrument (The Data Protection, Privacy and Electronic Communications (Amendments etc) (No 2) Regulations 2019) which also provides that, in a no-deal scenario, transfers of personal data from the UK in reliance on the Privacy Shield can only take place if the certified Privacy Shield company has a compliant privacy policy.  Businesses transferring personal data to the US should therefore bear this requirement in mind when making transfers post Exit.
