Impact of a “hard Brexit” on the transfer of personal data between the EU and the UK.
Following the failed attempts to pass the UK-EU withdrawal agreement in the House of Commons and the search for a new leader of the Conservative Party, there is a possibility that the UK will leave the EU on 31 October 2019 with a “hard Brexit”. Read here what UK and EU-based companies need to consider with regard to the transfer of personal data between the EU and the UK in the event of a “hard Brexit”.
The situation regarding Britain’s exit from the EU remains unclear. After the failed attempts to pass the withdrawal agreement between the UK and the EU in the House of Commons, the resignation of Theresa May and the search for a new leader of the Conservative Party, there is a possibility that a future prime minister will lead the UK to a “hard Brexit” on 31 October 2019. Moreover, the EU Commission has so far shown no willingness to re-open negotiations on the withdrawal agreement.
Implications for UK businesses
A “hard Brexit” requires explicit legitimisation of data transfers. With regard to the transfer of personal data between the EU and the UK, UK companies need to prepare if they process personal data of data subjects in the EU or receive personal data from the EEA for processing on behalf of others (i.e. as a processor). In the event of a “hard Brexit”, the UK would be classified as a third country under the EU General Data Protection Regulation (GDPR), and the transitional periods for the free flow of personal data negotiated in the withdrawal agreement would not apply. As long as the EU Commission has not certified an adequate level of data protection for the United Kingdom pursuant to Article 45 of the GDPR, the transfer of personal data from the EU to the United Kingdom is only possible on the basis of Binding Corporate Rules, EU standard contractual clauses or, to a limited extent, under certain exceptions pursuant to Article 49 of the GDPR (e.g. consent of the data subject).
Important: British companies should agree on an alternative legitimisation for data transfers with their European business partners in good time (e.g. EU standard contractual clauses). According to Art. 3 para. 2 in conjunction with Art. 27 GDPR, companies based in the UK (controllers and processors alike) are required to appoint a representative in the EU if personal data are processed in connection with the offering of goods or services to, or the monitoring of the behaviour of, EU data subjects, but the UK company does not operate any establishments, branches or other facilities in the Union. The representative shall be appointed in one of the EU Member States where the data subjects are located. He or she is authorised to act as a point of contact for supervisory authorities and data subjects on behalf of the company in relation to compliance with the GDPR.
Important: UK companies should check the obligation to appoint a representative under Article 27 of the GDPR and, if necessary, seek a written appointment in good time. More on the topic: EU representative
Implications for EU companies
EU-based companies that offer goods or services in the UK and process personal data of data subjects in the UK in this context will have to comply with UK data protection law in the future. The British government intends to adopt the provisions of the GDPR into the English legal system with minor technical changes (UK GDPR). In the event of a “hard Brexit”, all EU companies that process personal data in the UK market but do not have a local branch would therefore also be obliged to appoint a representative in the UK under Article 27 of the UK GDPR (The UK Government, 2019). In the event of a data breach involving data subjects in the UK, the UK GDPR would also require the EU controller to notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
Important: Companies based in the EU should review their processes, business partners and service providers. Those operating in the UK market should keep up to date with data protection law developments in the UK. If personal data is transferred to UK companies, an alternative legitimisation for the data transfer must be in place after a “hard Brexit”.