Brexit and EU-UK data sharing: Where are we after Yellowhammer?
Leaked "Operation Yellowhammer" documents reveal the UK government's assessment that there will be "disruption" to data flows in a no-deal Brexit, if no alternative legal basis for transfer has been put in place.
The documents also show that the government considers that negotiations on an EU adequacy decision for the UK may take "many years".
The potential for disruption is hardly surprising. One of the central aims of the General Data Protection Regulation (GDPR) is the facilitation of the free flow of data between EU member states.
Leaving without a deal means that, overnight, the UK becomes a "third country" and the principle of the free flow of data will no longer apply.
The government has already taken some measures to mitigate the effect of the sudden end of the application of EU law in the UK.
In a no-deal Brexit situation, the European Union (Withdrawal) Act 2018 will preserve EU legislation as it applies to the UK the moment before we leave. This means that the same standards will apply in the UK after exit day as applied immediately before the UK exited the EU.
This will provide a measure of continuity on the domestic level, but cannot mitigate the potential disruption cited in the Yellowhammer documents.
This is because the central aim of the legislation – harmonisation, facilitating cross-border commerce and data flows – will have ended.
The UK's data protection landscape post no-deal Brexit
In terms of data protection, the GDPR will be saved on exit day and turned into domestic law – the "UK GDPR".
The Data Protection Act 2018 will also remain in place.
Data flows in a no-deal situation
UK to EU/third countries
In a no-deal situation, there is no change to data flows from the UK to the EU.
This is because the UK has deemed the EU to be "adequate" under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
Given that the UK GDPR mirrors the EU's GDPR, the familiar tools for sending data from the UK to third countries remain available.
EU adequacy decisions, which were in place prior to exit day, could still be relied upon as they were before the UK left the EU.
When making data transfers from the UK to the US relying on the EU-US Privacy Shield (a framework which enables the transfer of data to US companies which are Privacy Shield-certified), controllers and processors will need to make sure the US entity has updated its public commitments to expressly state that those commitments apply to transfers of personal data from the UK.
Standard contractual clauses could still be used to transfer data from the UK to third countries. The same will be true for the derogations, although as was the case before EU exit, they can only be relied on in limited circumstances.
Binding corporate rules (BCRs) which were in place prior to exit day will also continue to apply.
EU to UK data flows
EU to UK data flows are more complex.
Given that there will be no automatic EU adequacy decision for the UK following its departure from the EU, the most appropriate data transfer mechanism will usually be standard contractual clauses.
However, it is worth keeping an eye on the Schrems II case. If the Court of Justice of the European Union (CJEU) declares standard contractual clauses to be generally invalid, this will cause further headaches for EU businesses wanting to transfer data to the UK (and other third countries).
The Advocate General's opinion, due towards the end of the year, will give a sense of whether this is likely to transpire.
Again, the derogations for transferring data to third countries are limited in scope, so may not be available for sending data from the EU to the UK.
BCRs would also be available as a transfer mechanism, but may need to be amended – for example, if the liability-accepting entity is in the UK, this will need to be changed so that entity is in an EU member state.
Further data issues in a no-deal Brexit
There are other issues to be aware of in the event of a no-deal Brexit.
Controllers and processors caught by the GDPR through its extraterritorial provisions, and who had a representative in the UK before exit day, will need a representative in the EU after Brexit to comply with the GDPR.
Similarly, controllers and processors caught by the extraterritorial provisions of the UK GDPR will need to appoint a representative in the UK, if they only had a representative in the EU before.
There is, of course, a separate debate about the extent to which this obligation is honoured in practice.
Role of the UK information commissioner
In a no-deal situation, the UK Information Commissioner will no longer have a seat at the European Data Protection Board.
If the UK Information Commissioner was a Lead Authority under the One-Stop-Shop (OSS) mechanism prior to Brexit, then this will no longer be the case in a no-deal exit.
The OSS is intended to ensure that controllers and processors whose processing impacts on individuals across more than one EU or EEA state only need to deal with a single EEA data protection regulatory authority.
However, in a no-deal Brexit, the Information Commissioner will no longer be an EEA data protection regulatory authority.
The UK Information Commissioner will also be unable to approve EU BCRs.
Brexit uncertainty is likely to continue to cause a headache for cross-border data-driven businesses in the run-up to 31 October.
Small UK businesses in particular do not have the bandwidth to deal with different scenarios or to spend their limited resources unnecessarily.
However, failure to prepare for no-deal Brexit could leave them in difficult situations and supply chains may be disrupted.
EU businesses who currently trade with counterparts in the UK might decide it is easier to do business within the EU than to put mechanisms in place to transfer data to the UK.
No-deal Brexit, problematic though it looks, is only the start of a protracted period of uncertainty.
Far from bringing the process of exiting the EU to an end, it will simply herald a chaotic conclusion to the first phase of that project.
The bulk of the negotiations – on the future relationship – has not yet started. There is still a very long way to go before Brexit is over.
Eleonor Duhs is a director in the technology, outsourcing and privacy group at European law firm Fieldfisher. She was the lead UK lawyer in negotiations on the GDPR in Brussels. She was also a senior lawyer in the Department for Exiting the European Union, where she led on aspects of the European Union (Withdrawal) Act 2018.