For the purposes of the GDPR, a third country is one outside the European Economic Area (the EU and Iceland, Norway and Liechtenstein). There are no further distinctions between the other nations, and Canada (friend, trustworthy, technically savvy!) is treated no differently to North Korea (unknown, risky, “rogue!”). So, once the UK leaves the EU, by definition, the UK is a third country and the rules relating to third countries will apply.
As I write this, another Brexit extension has been agreed and so the reality of what this practically means for businesses can be put off a little longer. But some degree of analysis of data flows will allow businesses to understand what needs to be done to ensure there are no unexpected data consequences of Brexit.
The analysis is complicated by the ‘deal/no-deal’ alternatives and the direction of flow of the personal data.
The first rule relating to a third country is that they can do a “data deal” with the EU called an ‘adequacy decision’, which sanctions transfers of personal data of Europeans to those countries without further safeguards in place. Andorra, Argentina, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay have full adequacy decisions in place, and partial arrangements are in place with Japan, Canada and the USA.
After Brexit, the UK will immediately bring a UK version of the GDPR into force (called the UK GDPR). These regulations are substantively the same as the GDPR, and businesses will need to apply all the same principles as before Brexit.
If Brexit is completed on the terms of the current draft of the withdrawal agreement (the so-called ‘Deal scenario’), the UK GDPR will be deemed adequate by the EU, and data flowing from the EU to the UK will not require additional safeguards.
In addition, the UK Government has confirmed that as part of the introduction of the UK GDPR it will recognise the adequacy decisions of the EU and the GDPR itself as adequate for the purposes of UK data flowing to those countries, and as such no further safeguards are needed for data flowing out of the UK, either.
So to summarise, in a ‘Deal’ scenario, data flowing in either direction is protected and an adequacy decision will be in place.
In a ‘No-Deal’ scenario, the UK Government will still recognise the adequacy decisions of the EU and the EU GDPR as adequate for data flowing from the UK. The Government has pointed out that this policy will be kept under review and it is possible that a subsequently negotiated trade agreement will lead to a different policy.
By contrast, in a ‘No-Deal’ scenario, or if the withdrawal agreement is altered to remove the agreements relating to personal data, data flowing from the EU into the UK for processing will not be covered by an adequacy decision, and the further rules relating to third countries will be engaged. It is probable that an adequacy decision will eventually be made, but the EU has indicated this may take many months and form part of the wider trade discussions.
The further rules are about safeguarding personal data to the European standard and are technical. They provide for various nuances of circumstances, but the main options are either ‘binding corporate rules’, which are unlikely to be applicable to SMEs and require a bureaucratic ratification process from the supervisory authority, or ‘standard contractual clauses’.
The standard contractual clauses must be inserted completely and without modification into the contract between the Europe-based data provider and the UK-based data recipient. The clauses set out the required standards for the protection of personal data and bind the UK-based entity to those. There are no prizes for working out that these standards are those in the GDPR! The clauses also provide the data subject with rights.
A further consideration for UK-based businesses is whether they need to appoint a European Representative to act on their behalf relating to matters of data protection in Europe. After Brexit, UK businesses who process personal data of Europeans, and do not have a legal presence in the EU, such as an office or subsidiary, need to appoint a representative.
Businesses should be taking steps to understand how data flows to and from the EU and considering incorporating the standard contractual clauses into their contracts that relate to personal data. Without such clauses, European counterparties may legitimately refuse to share personal data with UK businesses and this may delay services or end business relationships.
This originally appeared in Information Age.