With the Brexit vote in 2016, many questions have arisen regarding the flow of personal data from the EU to the UK. There were hopes of seeing the UK among the few countries which are recognised, by the European Commission, as providing an adequate level of data protection. But now, it is widely accepted that the adequacy decision will not be made before the end of 2020, i.e. more than a year after the actual divorce as scheduled.

CNIL's position

In February 2019, the French data protection regulator, the Commission nationale de l'informatique et des libertés (CNIL), clarified that, in the event of a no-deal Brexit and absent an adequacy decision, the UK should be treated like any other country outside the European Economic Area (third country).

The CNIL declared that data controllers and processors woud have to:

identify any data transfers to the UK;

determine and put in place the most appropriate lawful transfer tools;

update their internal documentation so as to add transfers to the UK as of Brexit date; and

update their notices to data subjects to indicate that data transfers out of the European Economic Area also include transfers to the UK.

The CNIL confirmed that, in the absence of an adequacy decision from the European Commission, the following transfer tools will be available:

• standard contractual clauses, otherwise referred to as model clauses;
• ad hoc contractual clauses, to be preapproved by CNIL;
• binding corporate rules;
• codes of conduct and certification mechanisms to be pre-approved by the CNIL.

No grace period

The CNIL allows no grace period for the implementation of the measures related to data transfers to the post-Brexit UK.

It should be noted that the UK recently passed a Data Protection Act, which integrates the GDPR into national law.

As a consequence, the impact of Brexit on the rules related to data processing in the UK as a third country, including information security and the rights of data subjects, is expected to be limited.

However, procedural provisions, such as the one-stop-shop choice of lead supervisory authority or the choice of a single data protection officer in a pan-European organisation, will be affected.

This situation is reminiscent of the after-effects of the Schrems case, where the Court of Justice of the European Union ruled that the "Safe Harbor" status could no longer be relied on to transfer personal data to the United States.

Most companies had to enter into standard contractual clauses with their American data processors.

Even though the process is in itself not technically challenging, it can be long and thus requires planning and sound governance.

Next steps

Please contact us if you have any questions on how data transfers will operate between the UK and the EU after Brexit or if you need any help reviewing your policies and procedures.

Authored by Aissatou Sylla