The guidance from the European Data Protection Board (the 'EDPB') sets out that in the event of a no-deal Brexit the UK will become a third country, for data protection purposes, with effect from 00:00 on 30 March 2019. This means that in the absence of an adequacy decision (a determination from the EU that UK offers an adequate level of data protection) the transfer of personal data to the UK will need to be based on one of the following instruments:
1. Standard or ad hoc Data Protection clauses
There are currently three sets of standard clauses available: two different sets of EEA controller to third country controller clauses and one set of EEA controller to third country processor clauses. These clauses may not be modified and must be signed as provided, they can however be included as part of a wider contract. Any ad hoc clauses will need to be authorised by the competent national supervisory authority, following an opinion of the EDPB.
2. Binding Corporate Rules (BCRs)
BCRs are personal data protection policies adhered to by group of undertakings to provide appropriate safeguards for transfers of personal data with the group, including outside the EEA. New BCRs must be approved by the competent supervisory authority following an opinion of the EDPB.
3. Codes of conduct and certification mechanisms
A code of conduct or certification mechanism can offer appropriate safeguards if they contain binding and enforceable commitments by the organisation in the third country for the benefit of the individuals. The EDPB is currently working on further guidelines in relation to both these options.
4. Derogations
Derogations are described as exceptions to the rules of having an adequacy decision or one of the above mentioned safeguards in place before personal data can be lawfully transferred to a third country. They are therefore arguably only to be used restrictively and in relation to processing activities that are occasional and non-repetitive. Derogations include, amongst others, where an individual has explicitly consented to the transfer or where the transfer is necessary for the preformation or conclusion of a contract.
The EDPB recommends that European organisations that currently transfer data to the UK should take the following steps to prepare for a no-deal Brexit:
- Identify what processing activities will imply a personal data transfer to the UK
- Determine the appropriate data transfer instrument for your situation
- Implement the chosen data transfer instrument ready for 30 March 2019
- Indicate in your internal documentation that transfers will be made to the UK
- Update your privacy notice accordingly to inform individuals.