At its plenary meeting on February 13, 2019, in Brussels, the European Data Protection Board (“EDPB”) adopted an Information Note on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and an Information Note on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority.
The Information Note on Data Transfers reiterates the need for organizations to implement data transfer mechanisms if they wish to continue transferring personal data from the European Economic Area (“EEA”) to the UK following Brexit. As matters stand, the UK is due to leave the EU at 11pm GMT on March 29, 2019. No transition deal has yet been agreed upon, leaving looming the prospect of a “no-deal Brexit.”
The EDPB’s Information Note on Data Transfers lists the following steps that organizations should take to prepare for a no-deal Brexit:
- identify the processing activities that involve a personal data transfer from the EEA to the UK;
- determine the appropriate data transfer mechanism (e.g., standard contractual clauses, binding corporate rules (“BCRs”), derogations);
- implement the transfer mechanism before March 30, 2019;
- ensure internal documentation states that transfers will be made to the UK; and
- update privacy notices to inform individuals that transfers will be made to the UK.
The Information Note on Data Transfers also mentions the UK government’s approach to transfers, which is to recognize existing EEA countries as offering adequate data protection from the point at which the UK leaves the EU. Any formal discussion of the UK’s adequacy, in contrast, will not take place until after the UK has left the EU.
The EDPB’s second Information Note, on BCRs, invites companies that have the UK Information Commissioner’s Office (“ICO”) as Lead Supervisory Authority to take the following steps:
- UK headquartered groups considering applying for BCRs should identify the most appropriate Lead Authority in an EU Member State.
- Groups that have submitted BCR applications to the ICO should identify a new Lead Supervisory Authority, which will take over the application and initiate a new procedure at the time of a no-deal Brexit.
- If a draft ICO decision approving a BCR is pending before the EDPB at the time of a no-deal Brexit, the group should identify a new Lead Supervisory Authority, which will take over and re-submit a draft decision for approval of the BCRs to the EDPB.
- Holders of authorized BCRs will need to identify a new Lead Supervisory Authority.
In addition to the EDPB’s Information Notes, organizations should review the ICO’s guidance, on which we previously reported, regarding the consequences of a no-deal Brexit and the steps organizations should take to prepare.