In the aftermath of the United Kingdom’s (UK) intention to withdraw from the European Union (EU) pursuant to Article 50 of the EU Treaty, all EU primary and secondary law will cease to apply in the UK from 31 October 2019, 00:00 (CET) (‘The Withdrawal Date’). In view of the considerable uncertainties around Britain’s Exit from the European Union (Brexit), all organizations processing personal data have to be legally prepared for when the UK becomes a third country. The UK government and European Data Protection Board (EDPB) have stressed that organizations which: (a) send and receive personal data from international partners including the EU and European Economic Area (EEA); or (b) operate in the EU or EEA, must take appropriate steps to ensure the continuous transfer of personal data following Brexit.
For research organizations such as the Human Brain Project (HBP), it is vital that personal data processing continues to comply with applicable laws post Brexit. This document sets out actions the HBP is taking to enable the continuous flow of personal data between the UK and EU / EEA in the event that the UK leaves the EU in October 2019.
Data Protection Regimes
The EU data protection authorities in the EDPB regulate the General Data Protection Regulation (GDPR) guidelines at an EU level. In the event that the UK leaves the EU on the 31st of October 2019, the UK Data Protection Act (DPA), 2018 will remain in force in the UK and the Information Commissioner’s Office (ICO) will regulate the UK regime. For UK organizations that have other establishments in the EU / EEA, the EU regime will apply to European activities post Brexit and the ICO will no longer regulate the EU regime. With partners across the UK, the HBP will need to comply with both the UK and EU regimes for transfer of personal data after Brexit.
Transfer of Data from the UK to EU / EEA
The HBP currently complies with personal data protection rules at an EU level through the GDPR. In recognition of the unprecedented level of alignment between the UK and EU data protection regimes, both the UK government and EDPB have confirmed that, when the UK exits the EU, transfers from the UK to the EU / EEA will not be restricted. This is because the UK government intends to implement the GDPR directly into the UK DPA upon exit, albeit with some technical adjustments; therefore, at the point of exit, transfer of personal data from the UK will continue to be allowed.
This position will be kept under review by the ICO. Organizations must also update their privacy notices to cover these transfers after Brexit. For the HBP, this means that UK partners will be able to continue to send personal data to the EU / EEA after Brexit without any restrictions. The HBP Privacy notice will be updated to reflect these transfers after Brexit.
Transfer of Data from the UK to Third Countries
Rules on transfer of personal data from the UK to third countries are also likely to remain similar. Organizations are currently permitted to transfer personal data outside the EU / EEA once a legal basis for transfer can be established under Article 6 of the GDPR. Currently, HBP partners outside the EU / EEA have adequacy decisions for transfer for personal data processing. The UK government has further confirmed that it will recognize existing EU adequacy decisions after Brexit. This means that UK partners within the HBP can also continue to send personal data to countries outside the EU / EEA upon Brexit based on current transfer arrangements.
Transfer of Data from EU / EEA to the UK
Although data export from the UK to the EU / EEA will continue to be allowed after Brexit, data import will need to comply with the EU GDPR. This means that HBP partners based in the EU / EEA that intend to export personal data to the UK will now need to comply with the transfer provisions of the EU GDPR. Pending a formal adequacy decision from the EU on whether the UK’s data protection regime offers an adequate level of protection, EU / EEA organizations must plan to implement appropriate safeguards for transfers of personal data to the UK after Brexit.
One way of ensuring this is through the use of Standard Contractual Clauses (SCCs). SCCs are the most frequently used legitimization measures to validate international transfer of personal data to non-EU countries, in this case, the UK (post Brexit). They involve pre-approved obligations applicable to the import and export of personal data in line with EU standards. Bearing in mind that data export from the UK to the EU / EEA will continue to be allowed after Brexit, the purpose of SCCs in this regard will relate to importation of data from the EU / EEA to the UK. In addition to the EU template on SCCs, the ICO has also produced an interactive tool to help organizations with SCCs.
The HBP Data Protection Officer is working with the Project Coordination Office (PCO) to ensure the continuous flow of data to UK partners after Brexit. This primarily includes amendment of the HBP Framework Partnership Agreement Consortium Agreement (FPA-CA) to include SCCs that should be signed on or before the 31st of October 2019.
Dr. Simisola Akintoye is the HBP Data Protection Officer.