Brexit: practical impacts of no-deal and new CNIL recommendations

As the clock ticks down to a possible no-deal Brexit on 31 October, data controllers and processors on both sides of the Channel are increasingly obliged to review the legality of their personal data transfers to the United Kingdom.


As discussed in our previous articles, a no-deal Brexit would render transfers of personal data from the EU to the UK illegal overnight, unless the organisations involved put appropriate legal safeguards in place. In the absence of those safeguards, such organisations may face fines from data protection authorities and legal action in the courts from affected individuals.

The urgency of this requirement was underlined by FAQs published last week by the CNIL, France’s data protection authority, warning businesses to be prepared for a no-deal scenario as from 1 November 2019.

In particular, the CNIL sets out the five-step programme summarised below for all transferring organisations to follow:

CNIL Recommended Step

Altij Practical Notes

1. Identify your company’s personal data transfers to the UK

E.g. list any external suppliers or group companies based in the UK to which personal data is transferred, review the possible use of UK-located data centres, remote assistance or SAAS solutions, etc.

2. Determine the appropriate legal mechanism to enable the transfer

In practice, this will almost certainly mean the signature of standard contractual clauses adopted by the European Commission (known as “SCCs”).

3. Put the chosen legal mechanism in place before 1 November 2019

Legal departments will therefore need to prepare SCCs for each type of transfer identified and communicate them to the other party involved in time for the documents to be finalised and signed before the start of November.

4. Update internal documentation to take into account transfers to the UK

In particular, this will mean updating the organisation’s “Record of processing activities”, as required by Article 30(1)(c) of GDPR.

5. Update information to individuals to inform them of the transfer of their data to the UK

This relates to the GDPR requirement to ensure full transparency regarding use of individuals’ data. Depending on their circumstances, organisations may for example need to update their online privacy policies, the information notices they provide to their staff or their general terms and conditions.

 

Clearly, given that talks are ongoing between the UK and the EU27, a withdrawal agreement may still be signed prior to the 31 October deadline. In such case and based on the current draft deal documents, data transfers could continue freely during a transitional period while the EU assesses the possibility of granting “adequacy” status to the UK in the longer term. As a result, some companies are taking the approach of signing “provisional” SCCs to take effect only the event of a no-deal outcome.

 

In any event, in view of the scale of data transfers between the two territories (a 2017 report by Tech UK suggested that 75% of the UK’s international data flows are with the EU) and the digital integration of their economies, any result other than an adequacy decision or bilateral data transfer agreement will require a very large number of businesses to take action to ensure regulatory compliance.

Nicholas Cullen is a dual-qualified Solicitor of England and Wales and Avocat in France and a partner in Altij's data protection team. For more information about our data protection services contact us via our online form or e-mail Nicholas on ncullen(a)altij.com.

Une version française de cet article est disponible ici.