GDPR, Privacy & Brexit

What happens to data protection law in the UK if there is a no-deal Brexit?

Some information to some possible Brexit outcomes.


Brexit & Privacy Coaching


If you have your own business which has a digital footprint, you should review the Privacy Note of your website and the data protection handling.


What happens to data protection law in the UK if there is a no-deal Brexit?


Data protection law in the UK won't change overnight because of Brexit. If the UK leaves the EU without a deal then the GDPR will be saved and turned into UK national law. The Data Protection Act 2018 will also remain in place. So the data protection standards in the UK will remain the same after a no-deal Brexit.


What will happen to data transfers from the UK in a no-deal Brexit?


In the same way that the GDPR will be saved and turned into UK national law, so the transfer mechanisms which currently rely on to legitimize data transfers from the UK, such as Model or Contractual clauses, can remain valid.


What about transfers from the UK which take place under the EU-US Privacy Shield – can they continue in a no-deal Brexit?


Yes, they can. The EU-US Privacy Shield will also be saved into UK national law. This means that the EU-US Privacy Shield will remain as a mechanism for transferring data from the UK to the US after a no-deal Brexit.


So is no change needed at all for transferring data under the EU-US Privacy Shield from the UK to the EU in a no-deal Brexit?


Some small changes are required. In a no-deal Brexit, you will need to update our public commitments to say that those commitments extend to transfers of data from the UK. The public commitments can be found on the US government's Privacy Shield website. You have to update these changes at your Privacy Notice.


Why is it currently not necessary that the public commitments and privacy policy reflect these changes at the moment?


The UK hasn't left the EU, as of yet. When it does, it isn't currently clear whether the UK will leave with or without a deal. If the UK is leaving without a deal, you have to make the relevant changes to your public commitments and privacy policy immediately. In this way, there will be no disruption to UK to US transfers using Privacy Shield.


So is there a need to switch from using the EU-US Privacy Shield to using Model or Contractual Clauses for transferring data from the UK to the US in a no-deal Brexit situation?

No, there isn't. Either Model or Contractual clauses or the EU-US Privacy Shield can be used to transfer data from the UK to the US.

If there is a no-deal Brexit is there a need to update the Model or Contractual clauses which are normally, currently in place in order to transfer data from the UK to the US?

There is no need to do so. The clauses can remain as they are now.

Is there any guidance that explains how no-deal Brexit works?

The US Department of Commerce has explained on their website what would happen as regards transfers from the UK under the EU-US Privacy Shield in a no-deal Brexit. There is also helpful guidance from the UK Information Commissioner's office.

Which provisions of UK national law are relevant in the context of a no-deal Brexit?


In a no-deal Brexit, the GDPR will be turned into UK national law under Section 3 of the European Union (Withdrawal) Act 2018 ("EUWA"). Section 3 of the "EUWA" also saves the EU-US Privacy Shield. Section 2 of the EUWA confirms that the Data Protection Act 2018 remains as a valid law in the UK. Schedule 21 to the Data Protection Act 2018 is inserted by the Data Protection, Privacy and Electronic Communications (Amendments, etc) (EU Exit) Regulations 2019 (SI 2019/419). Schedule 21 makes further provision concerning the continued application in the UK of EU adequacy decisions, including the EU-US Privacy Shield (see paragraphs 4- 6) and Model or Contractual Clauses (see paragraphs 7 and 8).

What about a "deal" Brexit? What happens then?

If the UK leaves the EU with a withdrawal agreement in place, the GDPR will continue to apply to the UK, and the transfer mechanisms such as Model or Contractual Clauses and the EU-US Privacy Shield will be available for transfers from the UK to the US. No changes will be needed for your current public commitments or privacy policy because the UK will continue to be treated for all relevant purposes as if it was still an EU Member State. What if Brexit gets delayed beyond 31st October?


The UK will remain an EU Member State. The GDPR will continue to apply and the relevant mechanisms for transferring data from the UK will remain in place including Model or Contractual Clauses and the EU-US Privacy Shield. No changes to your public commitments or privacy policy will be needed.


#Brexit, #GDPR, #Privacy, #dataprotectionhandling, #EU, #EUUSPrivacyShield

#policies

Catriona Cawol Consulting

+442039506292

3C-CatrionaCawolConsulting, Kemp House, 152-160 City Road London, EC1V2NX, UK


  • YouTube - White Circle
  • RSS Social Icon

©2019 by 3C-CatrionaCawolConsulting