kamasigns - Fotolia
If the UK leaves the EU with no deal, there may not be a legal agreement in place right away on data flowing from the EU to the UK, according to the government’s No deal Brexit paper on data protection.
The paper said that there will be no changes to the UK’s own data protection standards, in line with the The EU General Data Protection Regulation (GDPR) which was implemented in UK law via the Data Protection Bill in May 2018.
However, the government warns that the legal framework for transferring personal data from organisations in the EU to organisations in the UK would have to change when the country leaves the EU.
This means that although businesses will be able to continue to send personal data from the UK to the EU, and would “at the point of exit continue to allow the free flow of personal data from the UK to the EU”, it may not be the same the other way around.
The European Commission will have to make an adequacy decision on allowing the free flow of personal data to the UK, but the decision may not be made time for Brexit.
“If the European Commission does not make an adequacy decision regarding the UK at the point of exit and you want to receive personal data from organisations established in the EU (including data centres) then you should consider assisting your EU partners in identifying a legal basis for those transfers,” the paper said.
“For the majority of organisations, the most relevant alternative legal basis would be standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract.”
Read more about Brexit
- The government has published the first of its No Deal Brexit contingency planning notices, containing sobering messages for the UK technology industry.
- Government needs to have an open and welcoming immigration policy after Brexit to protect the UK's tech sector from decline.
- Amid fears that a no-deal Brexit could lead to the reintroduction of EU mobile roaming charges, the government has pledged to set a legislative limit on how much operators can charge.
Commenting on the paper, techUK CEO Julian David said a No Deal Brexit would be extremely damaging to the UK.
The technical notice on personal data is a text book example of the problems that a No Deal Brexit would cause. We recognise it would still be the intention of the UK to seek an adequacy decision and welcome the clarity that the UK is ready to start those discussions now. While we fully support the government in its aim to achieve adequacy, this will not be ready in the event of No Deal,” he said.
“While the decision to unilaterally allow data from the UK to flow to the EU is the right thing to do, the government can do nothing to help UK companies seeking to transfer data from the EU to the UK. Instead, they will have to rely on complex processes such as standard contractual clauses (SCCs).
“SCCs are currently subject to a major legal challenge in the EU and so their future is in doubt. While this is out of the UK government’s control, businesses need to be aware of this fact and it is, therefore, disappointing that it is not recognised in the technical notice.”
He added that techUK is also concerned there seems to be no mention of any support the government can give businesses to help them put in place the contractual clauses needed, which could end up being very expensive for UK businesses, especially small and medium-sized enterprises.
Former minister of state for digital at the Department for Culture, Media and Sport, Matt Hancock, has previously said that he is certain the UK will obtain an adequacy ruling from the EU.
The government has previously highlighted the importance of getting a good deal with the EU on free flow of data.
In January 2018, a House of Commons Digital, Culture, Media and Sport (DCMS) Committee report on the potential impact of Brexit highlighted being able to transfer data across border as absolutely key to many UK technology businesses.
“It is important to recognise that Brexit creates a potential risk that the UK’s ability to transfer data across borders will be limited,” the report said.
Prime minister Theresa May has also been clear on the importance of free flow of data between the EU and UK post-Brexit. In a speech in March 2018, May said there is a definite need for ensuring a data protection deal is in place between the UK and the EU.
She added that the UK wants more than an adequacy agreement to ensure UK businesses are “effectively represented under the EU’s new ‘one stop shop’ mechanism for resolving data protection disputes”.
Read more on IT for government and public sector
What does Brexit mean for the future of UK digital policy? A view from Europe
UK-EU Brexit deal passes Commons with six-month data adequacy bridge
UK-EU Brexit deal: TechUK and DigitalEurope hail new dawn but note unfinished data business
UK-EU Brexit deal: TechUK sees positive runes on digital and data adequacy