Unless and until the EU makes an “adequacy decision” confirming that it recognises the UK has having in place acceptable laws to deal with the protection of personal data,  transfers of personal data from the EU to the UK will not be permitted.

While it might be thought that because the GDPR and other relevant legislation in the UK is derived from EU legislation, the EU should be ready to make such a finding, this cannot be assumed for two reasons.

Firstly, concerns may be raised by member states that the UK’s use of mass surveillance techniques under the Regulation of Investigatory Powers Act 2000 and the Investigatory Powers Act 2016 give rise to data protection issues in the same way that transfers of data to the USA were blocked following the Snowden revelations. Secondly, if the UK leaves the EU without a deal, the EU could be unlikely to prioritise making such a finding pending the agreement of any subsequent deal on other trading issues.

In the event of a No Deal, this will mean that “appropriate safeguards” will need to be put in place to allow for transfers of data from the EU to the UK. Such safeguards include the use of Binding Corporate Rules which is unlikely to present a practical or quick solution, or, more likely, the use of standard model contractual clauses, the use of which is also under question.

There are some other potential consequences of a No Deal Brexit relating to data protection of which businesses should be aware:

UK organisations without an EU establishment which offer goods or services to individuals or monitor the behaviour of individuals in other member states of the EU will be subject to the local enactment of the GDPR as in force in that member state.

For such organisations the UK’s ICO will no longer be accepted by the EU as their supervisory authority for the purposes of the EU GDPR and arrangements would need to be made with another appropriate supervisory authority in the EU.  The organisations may be required to appoint a representative in the EU.

The Government has confirmed that organisations in breach of the GDPR legislation could face the possibility of separate investigations by both the UK and EU regulators and of receiving large fines from both.

In addition to the GDPR, the E-Privacy Directive which deals with proposed reforms in relation to electronic direct marketing, online tracking and cookies is currently being revised by the EU. It seems unlikely that the revised legislation will be finalised before the UK’s exit from the EU. The UK may, in due course, still adopt such legislation and organisations dealing with individuals in the EU will, in any event, be required to comply with its provisions.

In relation to transfers of personal data from the UK to the EU the UK government has previously indicated and it has until recently been generally understood that such transfers will continue to be permitted. The recent September No Deal Guidance from the Government states that organisations should consider taking professional advice before making preparations and so the position in this regard is now less certain.

How can we help?

We can assist you by:

  • advising on the nature of your business’ obligations under the data protection legislation
  • putting in place model contracting arrangements to facilitate required transfers of personal data to your business in the UK from the EU

For help and advice please contact Julian Milan on 0808 166 8974 or email j.milan@sydneymitchell.co.uk.

UK Top Tier Firm 2020 Lexcel Practice Management Standard Birmingham Law Firm of the Year for 2011 Resolution Collaborative Family Lawyer
The Law Society Accredited in Family Law Conveyancing Quality Scheme