UK.gov tells companies to draft contracts for data flows just in case they screw up Brexit
Data adequacy won't be assessed till after departure
The UK government has told companies to start drawing up standard contractural clauses for data transfers in case of a no-deal Brexit.
The warning comes in latest batch of technical notices released to allow organisations to prepare for the event it doesn't manage to negotiate exit terms with the European Union before March 2019.
In the notice on data protection, the government said that although it would greenlight the transfer of UK data to other member states, there were no such guarantees in reverse.
This is because the EU has to rubberstamp the standards of protection applied by the UK – known as an adequacy decision – and Eurocrats have made it clear this won't happen until the UK is out of the bloc.
That leaves a period of time between the official exit date and the adequacy decision – assuming it is granted, which is far from a foregone conclusion – when data will not be able to flow into the UK, which would be a massive blow to companies doing business in Europe.
Brit govt told to do its homework ahead of talks over post-Brexit spy laws and data flowsREAD MORE
The government's attitude thus far has been that the two sides should recognise each other's regimes ahead of the exit date – and the UK government has been accused of being complacent about the ease with which it will get this deal.
Politicians have largely publicly ignored statements from the EU's chief negotiator, Michel Barnier, that emphasised an adequacy decision can only be taken once the bloc can assess the UK's new legal framework.
However, the technical notice acknowledged this is the reality in the case of a no-deal scenario. It aims to make the first move by saying it will recognise the two systems as aligned, but has accepted the EU won't do the same.
"While we have made it clear we are ready to begin preliminary discussions on an adequacy assessment now, the European Commission has not yet indicated a timetable for this and have stated that the decision on adequacy cannot be taken until we are a third country," the notice said.
As such, it said that companies that want to receive personal data from organisations in the EU, including data centres, need to work with their EU entities and partners to find new legal bases to cover those transfers.
"We recommend that you proactively consider what action you may need to take to ensure the continued free flow of data with EU partners," the notice said.
They put forward two approaches: derogations provided in Article 49 of the General Data Protection Regulation or set agreements offered by the European Commission known as standard contractural clauses (SCCs).
The latter is likely to be the most relevant, as derogations can only be relied upon if SCCs or another mechanism, binding corporate rules, cannot be used – and both of these have already been branded "unsatisfactory substitutes" for an adequacy deal by MPs on Parliament's Brexit committee.
A primary concern is the onus it puts on the companies, which now have less than six months to organise new contracts.
BT's Brexit boss Stephen Hurley told MPs that, with more than 18,000 suppliers, setting up SCCs would be very cumbersome, especially as the set text "isn't necessarily designed to deal with the modern ways of doing business, and the way flows of data occur in practice".
The committee concluded that the "considerable change from the status quo would place a bureaucratic burden on individual businesses, a burden which would be prohibitive for many small businesses".
There is also uncertainty about the suitability of SCCs, as they are currently the subject of a legal challenge in the EU's top court, in the long-running legal wrangling between activist Max Schrems and Facebook.
The court has been asked to rule on how much protection these clauses – which companies started to use for US data transfer after Safe Harbor collapsed – afford EU citizens whose data is being transferred.
The technical notice also said the UK "will continue to push for close cooperation and joined up enforcement action between the [Information] Commissioner's Office and EU data protection authorities".
The government has chanced its arm here before, calling for continued membership of mechanisms such as the "One-Stop Shop", which allows organisations that operate in a number of member states to deal with just one supervisory authority, and for the ICO to remain involved in the European Data Protection Board.
However, the EU has yet to suggest it will go along with such plans, and Barnier has repeatedly rejected them , saying the EU "cannot, and will not" share its decision-making powers with a third country. ®