This briefing note covers personal data transfers in the event of a "no-deal Brexit" or "hard Brexit", in the terminology currently used by the French media. In this context, the CNIL* issued a communication on February 20 regarding the possibility of a no-deal Brexit, with appropriate advice. Recent European developments on the issue have pushed back the possible deadline for a no-deal exit to after March 29. In the United Kingdom, the current negotiations between and within the executive and legislative branches will be decisive in determining the shape and timing of Brexit. Here are the main points to remember regarding the GDPR** in the event of the UK's exit from the EU without a deal, or with a deal that does not grant the UK "adequate" GDPR status.

The consequences of a no-deal

As of the effective date of its exit from the EU, the United Kingdom will be considered a third country that, by default, does not offer a level of personal data protection adequate to the European standard. Data controllers located in the European Economic Area will therefore be able to transfer the personal data they hold only subject to guarantees. These guarantees are listed in the GDPR, which provides for each possible case. The guarantees allowing a transfer of personal data to the United Kingdom as of Brexit, which are limited in number, are the following:

Standard contractual clauses

These are transfer contracts adopted by the European Commission, whose content is fixed and cannot be modified by the data controllers or processors concerned. These contractual clauses must be signed between the exporter of the data (the one who is at the origin of the transfer) and the importer (the one who receives the data).

Ad-hoc contractual clauses

Unlike standard contractual clauses, ad-hoc clauses can be specific but can only be used when standard clauses are not applicable or need to be modified. They must be authorized by the CNIL, after receiving the opinion of the European Data Protection Committee.

Binding Corporate Rules (or BCR)

They designate a data protection policy within a group of companies. They must be implemented by all member companies of the group, regardless of their country of establishment, and are legally binding.

Codes of conduct and certifications

To constitute safeguards, these tools must include binding and enforceable commitments by the non-EU recipients. They must also be validated by the CNIL, after receiving the opinion of the EDPS. Guidelines and recommendations are currently being developed by the EDPS. In case of a no-deal exit of the UK, these tools will have to be put in place the day after Brexit.

Possible but limited exceptions to the guarantees

The transfer of personal data to a state that does not offer an adequate level of protection is possible without guarantee in specific situations. These situations are limited: the transfer is possible if the person whose data is concerned has consented to it, or if it is necessary for:

  • The execution of a contract between the individual and the controller
  • The performance of a contract concluded in the interest of the data subject
  • Important public policy reasons
  • The establishment, exercise or defense of legal rights
  • The safeguarding of the vital interests of the data subject

This transfer is also possible without safeguards if it takes place from a register that is legally intended to provide information to the public and is open to public inspection or to any person who can demonstrate a legitimate interest.

With respect to personal data sent from the United Kingdom, the British government has announced that the principle of free movement of personal data will prevail, without any specific safeguards required.

CNIL*: Commission nationale de l'informatique et des libertés

GDPR**: General Data Protection Regulation