What happens to data transfers and the ICO in a No Deal Bexit? The EDPB has published some notes

February 27, 2019

The EDPB has published two guidance notes for a no-deal Brexit: one relating to data transfers and the other relating to the role of the ICO as a BCR supervisory authority if the UK leaves the EU without a deal.

Data transfers

If there is no agreement between the EEA and the UK (no-deal Brexit), the UK will become a third country from 00.00 am CET on 30 March 2019. This means that the transfer of personal data to the UK has to be based on one of the following “data transfer instruments” as of 30 March 2019:

  • Standard or ad hoc data protection clauses
  • Binding Corporate Rules
  • Codes of Conduct and Certification Mechanisms
  • Derogations

The note provides information to commercial and public organisations on these data transfer instruments under the GDPR for the transfer of personal data to the UK if there is a no deal Brexit.

The EDPB builds upon the guidance provided so far by supervisory authorities and by the European Commission. EEA organisations may turn, if necessary, to the national supervisory authorities competent to oversee the related processing activities.

An organisation transferring personal information to the UK after 30 March 2019 needs to follow the following five steps:

  1. Identify what processing activities will require a personal data transfer to the UK
  2. Decide on the appropriate data transfer instrument(s) for your situation
  3. Implement the chosen data transfer instrument(s)
  4. Indicate in your internal documentation that transfers will be made to the UK
  5. Update your privacy policy

According to the UK government, the current practice, which permits personal data to flow freely from the UK to the EEA, will continue in the event of a no-deal Brexit. To this end, the UK Government’s and the ICO’s website should be regularly consulted.

Role of ICO

If there is a no-deal Brexit and the ICO no longer has a role in the BCR community, companies are advised to consider the following:

  • Groups headquartered in the UK wishing to apply for BCRs: such groups should identify the most appropriate BCR Lead Supervisory Authority in a EU member state
  • Current Applications: Groups for which BCRs are at the review stage by the ICO need to identify a new BCR Lead Supervisory Authority. The new BCR Lead Supervisory Authority will take over the application and formally initiate a new procedure at the time of a no deal Brexit
  • Draft BCRs submitted to EDPB: if a draft ICO decision for approving BCRs is pending before the EDPB at the time of a No-deal Brexit, the Group needs to identify a new BCR Lead Supervisory Authority. The new BCR Lead will take over and re-submit a draft decision for the approval of the BCRs to the EDPB
  • Authorised BCR holders: BCR holders need to identify the new BCR Lead Supervisory Authority.

Lead Supervisory Authorities should be identified by using the criteria set out in Working Document on the approval procedure of the Binding Corporate Rules for controllers and processors.

In any of the above scenarios, the Supervisory Authority that may be approached to act as the new BCR Lead Supervisory Authority will consider in cooperation with other concerned Supervisory Authorities whether it is the appropriate BCR Lead on a case by case basis and inform the group accordingly. For any questions or further information, groups should contact the ICO.