Concerns have been raised about the future of data if there is to be a 'no-deal' Brexit.
If the UK leaves the EU without a transitional deal in place, it will become a ‘third country’ under the General Data Protection Regulation ("GDPR"), of Europe's data protection regime. If that happens any transfer of personal data to entities in the UK from the EEA (being all EU countries plus Iceland, Liechtenstein and Norway) would need to comply with the restrictions imposed by Chapter V of the GDPR in respect of transfers to 'third countries'. The Bailiwick of Guernsey is not an EU member state, but is deemed to operate with data protection ‘adequacy’ by the EU, and therefore it is acknowledged as an “authorised jurisdiction” in respect of the GDPR. On exit date, absent a development, the UK will not be in the same position as it has not been so acknowledged (as a member state, it has not yet had to be – GDPR had automatically become part of UK law).
There has however been some recent action to address the issue, including the passing by the States of Guernsey of an Ordinance, namely The Data Protection (Authorised Jurisdiction) (Bailiwick of Guernsey) Ordinance, 2019, which designates the United Kingdom as a "designated jurisdiction" in accordance with the Data Protection (Bailiwick of Guernsey) Law, 2017. This Ordinance comes into effect on "exit day" and expires on 31 December 2020, the intended date of the end of the post-Brexit transition period. What this means in summary is that it would, in the event of a 'no-deal' Brexit, allow entities within the Bailiwick of Guernsey to continue to share personal data with those in the UK as they would with any other adequate jurisdiction. Absent such a determination, transfers could only have been made in accordance with the significantly more complicated regime used for transfers to unauthorised jurisdiction. This change should largely maintain the status quo until the Ordinance is no longer in place (note, the Bailiwick’s adequacy decision is due to be reviewed by the European Commission by 2020).
In order to ensure the continued flow of data between the UK and other European countries should there be a 'no deal' Brexit, the EU will need to provide for an adequacy determination of its own, similar to those it has granted to Guernsey and 11 other non-EU countries. The uncertainty lies in not knowing how long it may take for such a deal to be struck (or if it will be).
Preparation for 'no-deal' should ideally include an understanding of the data transfers that a business is likely to conduct now and in the future with counterparts based in the UK. This may require a review of the agreements currently in place that govern how data is transferred and processed, with consideration given to whether these need to be updated or replaced to deal with the consequences of the UK being a 'third country' under the GDPR.
Practical examples of the impact of such a 'no deal' scenario are already evident – such as one major US financial technology company which had all of its servers in London, but now has a duplicate operation in Amsterdam. The outcome has potential to economically impact businesses, small or large, which process data as part of their day to day operations.
As discussed above, the States of Guernsey have addressed the potential data flow consequences of a 'no-deal' Brexit in respect of the UK becoming a 'third country' but the EU have not. Businesses operating in the Channel Islands which transfer data between group companies, or other businesses in Europe and the UK, should therefore be aware of the potential legal consequences. The Information Commissioner's Office in the UK has produced advice on data protection if there is a 'no-deal' Brexit which is available here. The key point, from this advice, being that appropriate agreements should be in place to ensure data transfers and data processing are being carried out in accordance with the legislation that applies in the Channel Islands and to the extent relevant, the GDPR. Unfortunately, a 'no-deal' Brexit is likely to mean more bureaucracy, not less, at least for data protection purposes.
With just days left to prepare for a potential 'no-deal' Brexit, if you require assistance or advice on data protection, please feel free to contact us.
