What happens to data protection law in the UK if there is a no-deal Brexit?

Data protection law in the UK won't change overnight because of Brexit.   If the UK leaves the EU without a deal then the GDPR will be saved and turned into UK national law.  The Data Protection Act 2018 will also remain in place.  So the data protection standards in the UK will remain the same after a no-deal Brexit.  

What will happen to data transfers from the UK in a no-deal Brexit? 

In the same way that the GDPR will be saved and turned into UK national law, so the transfer mechanisms which we currently rely on to legitimize data transfers from the UK, such as Model or Contractual clauses, will remain valid.

What about transfers from the UK which take place under the EU-US Privacy Shield – can they continue in a no-deal Brexit?

Yes they can. The EU-US Privacy Shield will also be saved into UK national law.  This means that the EU-US Privacy Shield will remain as a mechanism for transferring data from the UK to the US after a no-deal Brexit.

So is no change needed at all for transferring data under the EU-US Privacy Shield from the UK to the EU in a no-deal Brexit?

Some small changes are required.  In a no-deal Brexit, Freshworks will need to update our public commitments to say that those commitments extend to transfers of data from the UK.  Our public commitments can be found on the US government's Privacy Shield website if you search under "Freshworks, Inc.".  You will also be able to see these changes by looking at our Privacy Notice.

 Why don't your public commitments and privacy policy reflect these changes at the moment?

The UK hasn't left the EU, as yet.  When it does it isn't clear whether the UK will leave with or without a deal.  If the UK is leaving without a deal, Freshworks will make the relevant changes to our public commitments and privacy policy immediately. This means that there will be no disruption to UK to US transfers using Privacy Shield.

 So is there a need to switch from using the EU-US Privacy Shield to using Model or Contractual Clauses for transferring data from the UK to the US in a no-deal Brexit situation?

No there isn't.  Either Model or Contractual clauses or the EU-US Privacy Shield can be used to transfer data from the UK to the US.

If there is a no-deal Brexit is there a need to update the Model or Contractual clauses which are currently in place in order to transfer data from the UK to the US?

There is no need to do so.  The clauses can remain as they are. 

 Is there any guidance which explains how no-deal Brexit works? 

The US Department of Commerce has explained on their website what would happen as regards transfers from the UK under the EU-US Privacy Shield in a no-deal Brexit  .  There is also helpful guidance from the UK Information Commissioner's office

 Which provisions of UK national law are relevant in the context of a no-deal Brexit?

In a no-deal Brexit the GDPR will be turned into UK national law under Section 3 of the European Union (Withdrawal) Act 2018 ("EUWA").   Section 3 of the "EUWA" also saves the EU-US Privacy Shield.   Section 2 of the EUWA confirms that the Data Protection Act 2018 remains as valid law in the UK.

Schedule 21 to the Data Protection Act 2018 is inserted by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419).  Schedule 21 makes further provision in relation to the continued application in the UK of EU adequacy decisions, including the EU-US Privacy Shield (see paragraphs 4- 6) and Model or Contractual Clauses (see paragraphs 7 and 8).

 What about a "deal" Brexit?  What happens then?

If the UK leaves the EU with a withdrawal agreement in place, the GDPR will continue to apply to the UK, and the transfer mechanisms such as Model or Contractual Clauses and the EU-US Privacy Shield will be available for transfers from the UK to the US.  No changes will be needed to our public commitments or privacy policy because the UK will continue to be treated for all relevant purposes as if it was still an EU Member State. 

 What if Brexit gets delayed beyond 31st October?

The UK will remain an EU Member State.  The GDPR will continue to apply and the relevant mechanisms for transferring data from the UK will remain in place including Model or Contractual Clauses and the EU-US Privacy Shield.  No changes to our public commitments or privacy policy will be needed.