In our last blog in this series, we highlighted some of the data transfer implications from the different Brexit scenarios. In this blog, we provide further analysis on the measures required in the event of the UK leaving the EU without a Withdrawal Agreement in place, also known as ‘no-deal Brexit’ or a ‘Hard Brexit’.
As stated previously, the UK’s Information Commissioner’s Office has confirmed there will be no restrictions on the transfer of personal data to the EU. Exporting personal data from the EU to a ‘third country’ (which the UK will automatically become in the event of a Hard Brexit), however, will only be legal in the event that you, as the UK data controller or processor either:
- Have a legally binding contract in place with your EU data controller or processor and the contract includes standard (model) clauses that have been issued, or approved by the European Commission
- Have binding corporate rules (BCRs) in place governing the transfer of data between entities of the same corporate group
- Adhere to an approved code of conduct or certification regime regarding the application of minimum safeguard controls as well as the enforcement of data subject rights.
Implementing any of these safeguards at this stage is going to be a challenge for organisations that have not yet commenced this activity.
There are, however, further options for UK data controllers or processors to consider in the form of general or country specific legal exemptions (Derogations). These are detailed in Article 49 of the GDPR and those familiar with the regulatory text will see more than a passing resemblance to the bases for ‘Lawfulness of processing’ detailed in Article 6.
Where an EU data controller is unable to implement a suitable contract (see A above) or BCRs (see B above) with a UK data controller or processor, exporting personal data from the EU will only be legal under GDPR where either:
- The data subject has consented to the specific transfer, after being informed of the potential risks
- The transfer is necessary for the performance of a contract between the data subject and the controller
- The transfer is necessary for protecting the interest of the data subject or the wider public
- The transfer is necessary to support legal proceedings
- The transfer is necessary for the compelling legitimate interests pursued by the data exporter.
These derogations, however, come with a number of specific and expressly enumerated conditions. One such condition, which affects the legal basis for processing, set out in E, G and H is that the transfer must be ‘occasional’. Data transfers that occur regularly between the data exporter and a UK data controller or processor will not qualify under either of these derogations.
In the absence of an adequacy decision (or an equivalent), UK organisations will need to act fast to ensure that operations relying on data imports from the EU are not disrupted. Organisations that maintain accurate ‘Records of processing activities’ will have documented, where applicable, transfers of personal data to a third country take place and the safeguards relied upon for the transfer of data.
All UK firms should be reviewing their current arrangements for importing data from the EU and working with their EU data exporters to agree, or put in place the appropriate safeguards to continue the free transfer of data post Brexit.
 See GDPR Article 46 (2) a), c), d)
 See GDPR Article 46 (2) b), Article 47
 See GDPR Article 40, 42, 46 (2) e), f)
 See A29WP Guidelines on Article 49 of Regulation 2016/679
 See “The Brexit black hole of data transfers” Part 1