Data Sharing - What to Do to Prepare for a ‘No Deal’ Brexit

Where are we now?

The UK will leave the EU, and will no longer be an EU member state, at 11.00 pm (UK time) on 29 March 2019 unless one of the following events occurs before 29 March 2019:

  • the EU agrees to extend the two-year Article 50 period;
  • a withdrawal agreement is concluded with a different commencement date;
  • the UK revokes the Article 50 notice.

After months of negotiation, the UK and EU agreed a Brexit deal in principle. It comes in two parts: (i) a legally binding withdrawal agreement and (ii) a non-legally binding short statement on future relations. MPs have been debating the deal and a Commons vote on the deal is expected to take place in January 2019.

What happens if there is a deal?

If the UK and the EU conclude a withdrawal agreement by 29 March 2019 (or by the end of any agreed extension), it is expected that:

  • a post-Brexit transition period will run from 30 March 2019 (11.00 pm UK time on 29 March 2019) until 31 December 2020. The transition period could be extended for up to one or two years;
  • once the UK leaves the EU, formal negotiations on the future UK-EU relationship will start;
  • during the transition period, most EU law will continue to apply to the UK, most references to EU member states in EU law will include the UK, and the UK will continue to participate in the EU customs union and single market.

What happens if there is no deal at exit time?

If the UK and the EU do not conclude a withdrawal agreement by 29 March 2019 (and there is no extension of the Article 50 period, and the Article 50 withdrawal notice is not revoked), the UK will still leave the EU under Article 50, but without an agreement to govern the terms of withdrawal, and with no transition period.

EU law will suddenly stop applying to the UK at 11.00 pm (UK time) on 29 March 2019 (although UK Brexit legislation will secure some degree of continuity).

The consequence of no deal for data protection is that if there is no European Commission adequacy decision at the point of exit (and the EU has now confirmed that there won’t be), the transfer of personal data from the EU to the UK will require an alternative legal basis, such as binding corporate rules (rarely used in the case of the College and not something to which the College itself has signed up) or standard contractual clauses. The availability of the EU – US Privacy Shield scheme will also be impacted.

On the positive side, whether there is a deal or not, the UK Government has confirmed that:

  • the GDPR will be retained in UK law after Brexit;
  • the UK will transitionally recognise all EEA countries (including EU Member States) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue;
  • the UK will preserve the effect of existing EU adequacy decisions on a transitional basis;
  • the UK will recognise EU Standard Contractual Clauses (SCCs) in UK law and give the ICO the power to issue new clauses in the future;
  • the UK will recognise Binding Corporate Rules (BCRs) authorised before exit day.

The UK Government, the Information Commissioner’s Office and the European Commission have each issued guidance on how to prepare for Brexit in the area of data protection in the event of a no deal. The information that follows is based on that guidance. If a deal is concluded in time for the 29 March exit or there are other developments that impact the information and advice below, we will revise this web page accordingly.

Steps to take to prepare for a no deal Brexit

Step 1: Data sharing contracts/arrangements checks – please take Step 1(i) and (ii) below

(i) Identify any contracts or other arrangements where:

  • an organisation based in the EEA shares personal data with the College; or
  • where the College shares personal data with an organisation in the EEA and that organisation then transfers the data back to the College in the UK (e.g. this may arise in joint research projects or where cloud IT services are provided to the College).

If you identify any such contracts or arrangements, then please take the actions set out in Step 2(i) below.

Explanation notes:

  • the following countries are in the EEA: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK, Iceland, Liechtenstein and Norway;
  • if personal data is shared and processed solely within the UK – no further measures need to be put in place to prepare for a no deal Brexit;
  • if personal data is transferred solely from the UK to an organisation in the EEA (and not back to the UK) – no further measures need to be put in place to prepare for a no deal Brexit;
  • if personal data is transferred solely from the UK to an organisation outside the EEA, the current rules will continue to apply as before except for sharing of data with organisations in the US on the basis of the EU – US Privacy Shield where the position changes as explained in section (ii) below.

(ii) Identify any transfers of personal data from the College to organisations in the US where such transfers currently take place on the basis of the EU – US Privacy Shield.

If the College wishes to continue transferring personal data to US organisations under the Privacy Shield after a no deal exit, you will need to check that the relevant US organisation has updated its Privacy Shield commitment to cover transfers from both the EU and the UK. Confirmation of the update should usually be possible simply by checking the US organisation’s publicly available privacy policy. More information about the Privacy Shield arrangements can be found on the Privacy Shield website.

If the US organisation has not made such an update, then you should take the actions set out in Step 2(ii) below.

Step 2: Work with the relevant counterparty in the EEA or the US (as applicable) to find a legal basis for continuing to share personal data with them

(i) Where the counterparty is in the EEA - once the UK becomes a third country on Brexit day (and for so long as the EU has not made an “adequacy decision” for the UK), organisations in the EEA may transfer personal data to the College if:

  • the College has provided “appropriate safeguards” in the form of signing up to the EU Standard Contractual Clauses (SCCs); or
  • the College and the EEA organisation can agree to rely on the basis of the so-called “derogations” - they allow transfers in specific cases, such as:
    • where explicit consent is given by the data subject – but this is not an option where the College is exercising public functions i.e. where the personal data is used for teaching or research purposes;
    • where the cross border transfer is necessary for the performance of a contract – but this is not an option where the College is exercising its public functions or has simply chosen to structure its activities in that manner;
    • where the cross border transfer is necessary for important reasons of public interest (this is a fairly exceptional derogation and would apply rarely).

In most cases, the College signing up to the EU Standard Contractual Clauses would be the most appropriate mechanism to enable an EEA counterparty to transfer or continue to transfer personal data to the College in the event of a no deal Brexit.

Please use the ICO interactive tool to confirm that the EU Standard Contractual Clauses are appropriate to use in any specific data sharing scenario. When answering questions via the interactive tool, please remember that where the College is exercising public functions such as teaching or research, data subject explicit consent or relying on a transfer being necessary for the performance of a contract are not available to the College (although it may be available to other organisations).

What are the EU Standard Contractual Clauses and where can I find them?

The EU Standard Contractual Clauses are three sets of templates (which may not be amended by the parties):

  • 2010 EU controller to non-EU or EEA processor clauses;
  • 2001 EU controller to non-EU or EEA controller clauses or 2004 EU controller to non-EU or EEA controller clauses – note that the 2004 clauses are preferable to use (as the 2001 clauses are more onerous).

Once you confirm that the EU Standard Contractual Clauses are the most appropriate mechanism to use, you can download the appropriate form of template here:

Alternatively, in the event of a controller to processor arrangement, you can use the ICO’s interactive contract builder to create a contract containing the EU Standard Contractual Clauses for controller to processor by answering a few questions here and downloading and saving the resulting contract - https://ico.org.uk/for-organisations/data-protection-and-brexit/controller-to-processor-contract-builder/

PLEASE NOTE that the EU Standard Contractual Clauses for controller to processor arrangements have to be used as a supplement to an existing data processing agreement or clauses in a services or other contract in order to satisfy the legal basis for cross border transfers outside the EEA. They cannot be used on their own as a standalone data processing agreement, as the GDPR has additional requirements for what provisions need to be set out in data processing agreements (and the EU Standard Contractual Clauses have yet to catch up with these). Therefore, if you are considering entering into data processing arrangements with an EEA counterparty where personal data will be transferred from the EEA to the UK and there is no existing data processing agreement or clauses within a services agreement (or other contract) that satisfy the GDPR (apart from the non-EEA transfer basis), please reach out to the data protection contacts noted below for advice on what form of document to use.

What if I think the College can rely on one of the derogations (as opposed to signing up to the EU Standard Contractual Clauses)?

If you think that one of the derogations may apply in the context of a specific arrangement, please discuss this with the relevant EEA counterparty first. If they agree, consider with the EEA counterparty whether a side letter confirming this conclusion should be signed. At the very least, please make a file note of the analysis and retain any email correspondence with the EEA counterparty in this regard.

(ii) Where the counterparty is in the US and the College has transferred any personal data to it to date on the basis of the Privacy Shield and the US counterparty has not amended its Privacy Shield registration to cover the UK (as explained in Step 1(ii) above) – the College may continue to transfer personal data to the US organisation only if:

  • the US counterparty signs up to the EU Standard Contractual Clauses (SCCs) – as explained in Step 2(i) above (and as per the templates referred to in Step 2(i));
  • the US counterparty is part of a group that has put in place Binding Corporate Rules (BCRs) authorised before Brexit day – BCRs are rarely encountered in practice; or
  • the College and the US organisation can agree to rely on the basis of the so-called “derogations” - they allow transfers in specific cases, such as:
    • where explicit consent is given by the data subject – but this is not an option where the College is exercising public functions i.e. where the personal data is used for teaching or research purposes;
    • where the cross border transfer is necessary for the performance of a contract – but this is not an option where the College is exercising its public functions or has simply chosen to structure its activities in that manner;
    • where the cross border transfer is necessary for important reasons of public interest (this is a fairly exceptional derogation and would apply rarely).

If you think one of these derogations may apply in the context of a specific arrangement, please discuss this with the relevant US counterparty first. If they agree, please suggest to the US counterparty that a side letter confirming this conclusion (and supplementing and amending any other data sharing agreements between the College and that US counterparty) is signed.

What if I have questions in relation to the above recommendations or need help preparing any data protection documents?

If you have questions in relation to Brexit preparations in the context of data protection or need help with any data protection documents, please contact in the first instance the College’s DPO or the College’s Deputy DPO via Data-Protection@Imperial.ac.uk for further information.

Further publicly available information

The Department for Culture, Media and Sport has provided a brief overview, which will be added to as further information becomes known and is available on its website.

The ICO has reiterated that data protection legislation will remain in place and has started to create guidance that aligns with the Government’s statements regarding a ‘no deal’ scenario.

The guidance currently consists of ‘Leaving the EU - Six steps to take’, a broader guidance site ‘Data protection if there's no Brexit deal’ and some Frequently Asked Questions.