Escape Plan

Posted on

When/if (please delete depending on your current view) we leave the EU there are, as everyone knows, going to be some consequences. We're going to address some of these over the coming months (or for as long as Brexit remains a possibility, whichever is shorter) and thought we'd start with everyone's favourite subject - Data Protection. If you receive personal data relating to EU subjects from your EU based customers, please read on.

In anticipation of Brexit, the government introduced the Data Protection Act 2018 ("the Act") in order to implement the European Regulation known as the GDPR (General Data Protection Regulation 2016/679 (EU)). The purpose of this was ito ensure that the UK would continue to be subject to the same regulations as EU based businesses after Brexit.

Unfortunately the Act won't be enough if we leave the EU without a deal. At the moment any UK businesses that are receiving personal data from an EU entity do not face any complications, as the UK is an EU member state which is compliant with EU data protection standards set out in the GDPR, so personal data can flow to and from the EU without additional safeguards being put in place.  

However, if the UK leaves the EU and EEA, we will become a “third country” (under the GDPR and various EU treaties).  A third country is a country other than the EU member states and the three additional EEA countries (Norway, Iceland, and Liechtenstein). 

If the UK becomes a “third country”, then unless the EU Commission issues an "adequacy decision" (which is a declaration that a particular country has in place legal protection for the processing of personal data which is as good as the GDPR) then UK businesses will have to implement extra measures in order to process such data legally.  The main solution currently is to use the Standard Contractual Clauses (‘SCCs’) or ‘Model Clauses’ which were written by the EU Commission in 2010. 

SCCs would need to be put in place between any UK entity processing personal data and the entity in the EU sending such data to it.  A copy of these SCCs can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

It is not possible to vary the terms of the SCCs although you can add terms relating to commercial activities. However, be aware that some of the SCC clauses are commercially impractical and may impact negatively on your business activities. Approach with caution (better still, do not approach at all, but speak to us instead).

On top of this, if you are processing personal data and we leave the EU without a deal, you will have to appoint an EU based representative if:

  • your business processes personal data (whether as a controller or a processor) 
  • relating to personal data (‘pd’) of data subjects who are in the EU
  • in order to offer goods or services (whether payment is required or not) or to monitor the behaviour of such individuals

unless

  • such processing is 
    • only occasional; and
    • does not include large scale processing of special categories of data or personal data relating to criminal convictions or offences; and
    • is unlikely to result in a risk to the rights and freedoms of natural persons taking into account the nature, context, copes and purposes of the processing

OR

  • you are a public authority or body 

(The special categories of data includes various types of very personal data, including data about race or ethnic origin, personal political opinions, religious or philosophical beliefs, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.)

In choosing your representative you should bear in mind that:-

  • it must be established in one of the member states where the data subjects whose personal data you process are located; and
  • it must be authorised to deal on your behalf with all personal data matters including dealing with any supervisory authorities and data subjects.

 The EU Commission is currently showing no signs of issuing an adequacy decision in relation to the UK, so, assuming that you think Brexit is going to happen at some point, it is important that you and your business are making arrangements to ensure the security of any EU personal data that you are processing. If you have not yet implemented any changes in anticipation of Brexit’s potential effect on UK data regulation, or if you have any other questions surrounding personal data processing within your business, our specialist team will be happy to help.