As the Brexit turmoil continues in the UK with the UK government still to agree on an appropriate way forward, EEA businesses are gearing up for a no-deal Brexit.
When it comes to data protection, as we’ve discussed before, Brexit, and particularly a no-deal Brexit, could have implications for your business if you’re processing EU citizens’ data at the request of an EU data controller. Simply put, in a no-deal scenario the UK would be a “third country” and any EU to UK data flows would be seen as restricted transfers under GDPR. This is because it is unlawful to transfer data outside the EU unless appropriate safeguards are in place; these safeguards are usually:
- An EU adequacy decision
- An EU agreement with the country that binds businesses in that country to EU standards of data protection (e.g. the EU-US Privacy Shield agreement)
- The use of legally binding contracts, by using “model clauses” dictated by the EU in their regulations
In the event of a no-deal Brexit there will be no adequacy agreement in place, nor will there be any agreement, which leaves just the contractual route.
The use of standard data protection clauses (or model clauses, as they’re sometimes referred to) basically requires a “cut and paste” of one of the EU’s Standard Contractual Clauses into an agreement between both parties.
With more and more businesses across the EU (not just the UK) preparing for a no-deal Brexit, we’re beginning to see some UK companies being asked to sign model clauses in anticipation of it. Without these contracts in place, EU to UK data flows would basically have to stop.
The question is, should you sign them?
Well, this depends. Arguably, it’s still uncertain whether we’re leaving the EU on the 12th April 2019, on the 22nd May 2019, at some other time or not at all, and whether with a deal or with no deal. So you could say that you only need to worry about them once it’s clear that a no-deal is imminent (and definite), and you would be within your rights not to sign them just yet.
But if this isn’t practical, then provided the contracts you’re being asked to sign are literally the EU’s model clauses, signing them in theory binds your organisation to EU data protection standards, which of course you are bound to anyway whilst we’re still in the EU (even if the withdrawal agreement is signed and we enter the transition period). But this is only going to be the case if the contract is simply the model clauses – if your client has added something extra, or done something different, then you may need to be careful what you’re signing.
What to look out for
Check that these really are the EU’s Standard Contractual Clauses you’re being asked to sign, and that you’re not being asked to sign something different, or something you don’t need to sign at all because your client has misunderstood the rules.
Then you need to join the Digital Compliance Hub – not only have we produced some guidance information about Brexit, EU to UK data flows and what to do about being asked to sign model clause contracts, but we’ve also launched a model clause review service for members – a simple sanity check that you really are signing the right thing. Plus, of course, Hub members get access to phone and email support should they have any specific Brexit, model clause or other data protection issues. Get on board yourself – it’s like having your own Data Protection Manager but without the cost of hiring a DPO.