Businesses may have to revert to using ‘standard contractual clauses’ to authorise the transfer of data from EU countries to the UK after a ‘no deal’ Brexit, according to the government.
The Department for Exiting the EU (DExEU) issued the guidance today as part of a collection of 28 technical notices aimed at providing businesses with critical information needed in the event of the UK leaving the EU without a cooperation agreement.
The guidance says that, even after a hard Brexit and a no-deal outcome, the government would seek to promote close cooperation between the Information Commissioner’s Office and EU data protection authorities to enforce data protection regulations.
Currently, there are no restrictions on the transfer of personal data between EU countries including the UK under the General Data Protection Regulation (GDPR). In the UK this is implemented by the Data Protection Act 2018 (DPA).
The government said that if the UK leaves the EU without an agreement, there would be "no immediate change" in the UK’s data protection standards as set out in the DPA. In addition, the GDPR would be incorporated into UK law as set out in the EU Withdrawal Act.
Under GDPR, organisations are liable for fines of up to four percent of their global turnover for violating data protection regulations.
The government would continue to allow the free flow of personal information from the UK to the EU "in recognition of the unprecedented degree of alignment" between the UK and the EU. However, it added, this would be kept under review.
However, it warns businesses they would need to take action to ensure that EU organisations were able to continue sending them personal data.
The government is hopeful that the EU would make an "adequacy agreement" with the UK in light of the close regulatory convergence between the two parties. However, the government concedes that the EU will not consider taking that step until the UK has left the EU and become a third country.
If an adequacy agreement has not been made at the time of exit, UK organisations needing personal data from EU countries would have to adopt model data protection clauses into their contracts with each other. The clauses bind the parties to certain obligations for the protection and processing of personal data.
Data protection is a complex legal area and the government advises organisations to seek advice from lawyers and the Information Commissioner’s Office.
Jocelyn Paulley, director at the law firm Gowling WLG, told SC Magazine UK that the government will be "very reluctant to accept that the ICO will not have a seat at the EDPB [European Data Protection Board]", which works to ensure that data protection legislation is applied evenly across Europe.
"The technical note states that ‘the UK will continue to push for close cooperation and joined up enforcement action between the Commissioner’s office and EU data protection authorities’," she said.
"Data governance is central to the government's plans for growth in key innovative sectors of UK industry, such as fintech, autonomous vehicles and digital health (see the Digital Strategy published in 2017). The ambition is to be a world-leader in these sectors so the UK will need its regulator to be engaged at the highest level with its counterparts in other jurisdictions," Paulley said.
She added: "The ICO is, in any event, cementing its role internationally outside of Europe. Indeed, they are working with the International Conference of Information Commissioners’ (ICIC) Governance Working Group (GWG) which involves regulators from Argentina, Canada, India, Mexico, Serbia and South Africa, to create a permanent structure of the ICIC and the conference planned for next year."
* This article was edited on 19 September to add comments from Jocelyn Paulley.