Companies should prepare for the possibility that, after Brexit, they may not be able to rely on European Union approval of the U.K.'s privacy regime to legally transfer data from the EU to the U.K., the European Commission said.
Companies doing business in the U.K. could be left without a legal basis for transferring data to their U.K. offices if they fail to put alternative data transfer methods in place.
Preparing for Brexit “is not just a matter for EU and national authorities but also for private parties,” the commission, the EU’s executive arm, said in a notice to stakeholders released Jan. 9.
If the U.K. leaves the EU—scheduled for March 29, 2019—without an EU data protection adequacy decision in place, there would be a general bar on data transfers unless it conforms to an alternative EU-approved data transfer mechanism, such as binding corporate rules (BCRs), according to the notice.
BP Plc, FIAT Chrysler Automobiles NV, HSBC Holdings Plc, Unilever Plc, and Barclays Plc are among the largest U.K.-based companies by revenue, according to Bloomberg data.
The notice is a “chilling warning to the U.K. government and businesses of the obvious consequences of not reaching a Brexit deal that covers data protection,” Eduardo Ustaran, co-director of the global privacy and cybersecurity practice at Hogan Lovells LLP in London, told Bloomberg Law Jan. 10.
Companies should heed the commission’s warning, Jessica Simor, a Queen’s counsel with Matrix Chambers in London who specializes in EU and regulatory law, told Bloomberg Law. Although the U.K. government has pledged to change the law to meet the standards of the EU’s new privacy regime, the General Data Protection Regulation (GDPR) taking effect May 25, nothing has been finalized, she said.
The alternative methods companies can use to legally transfer data from the EU to the U.K. post-Brexit include commission-approved model contractual clauses, and compliance with approved codes of conduct or with approved privacy certification schemes, in addition to BCRs, the notice said.
EU law also allows transfers with the consent of affected individuals, for the performance of a contract, and for public interest reasons, it said.
The handful of countries and specific data transfer programs that have so far been granted EU privacy adequacy status are: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay. The commission has said that its adequacy decisions for the U.K. dependencies of Guernsey, the Isle of Man, and Jersey won’t be affected by Brexit.
The U.S. doesn’t have general adequacy status, but the EU has approved the EU-U.S. Privacy Shield data transfer program as adequate to protect the privacy of EU citizen data transferred to the U.S.
To contact the reporter on this story: Stephen Gardner in Brussels at email@example.com
To contact the editor responsible for this story: Donald G. Aplin at firstname.lastname@example.org