What happens to data protection law in the UK if there is a no-deal Brexit?
Data protection law in the UK won't change overnight because of Brexit. If the UK leaves the EU without a deal then the GDPR will be saved and turned into UK national law. The Data Protection Act 2018 will also remain in place. So the data protection standards in the UK will remain the same after a no-deal Brexit.
What will happen to data transfers from the UK in a no-deal Brexit?
In the same way that the GDPR will be saved and turned into UK national law, so the transfer mechanisms which we currently rely on to legitimize data transfers from the UK, such as Model or Contractual clauses, will remain valid.
What about transfers from the UK which take place under the EU-US Privacy Shield – can they continue in a no-deal Brexit?
Yes, they can. The EU-US Privacy Shield will also be saved into UK national law. This means that the EU-US Privacy Shield will remain as a mechanism for transferring data from the UK to the US after a no-deal Brexit.
So is no change needed at all for transferring data under the EU-US Privacy Shield from the UK to the EU in a no-deal Brexit?
Some small changes are required. In a no-deal Brexit, Freshworks will need to update our public commitments to say that those commitments extend to transfers of data from the UK. Our public commitments can be found on the US government's Privacy Shield website if you search under "Freshworks, Inc.". You will also be able to see these changes by looking at our Privacy Notice.
So is there a need to switch from using the EU-US Privacy Shield to using Model or Contractual Clauses for transferring data from the UK to the US in a no-deal Brexit situation?
No, there isn't. Either Model or Contractual clauses or the EU-US Privacy Shield can be used to transfer data from the UK to the US.
If there is a no-deal Brexit, is there a need to update the Model or Contractual clauses which are currently in place in order to transfer data from the UK to the US?
There is no need to do so. The clauses can remain as they are.
Is there any guidance which explains how no-deal Brexit works?
The US Department of Commerce has explained on its website what would happen as regards transfers from the UK under the EU-US Privacy Shield in a no-deal Brexit. There is also helpful guidance from the UK Information Commissioner's Office.
Which provisions of UK national law are relevant in the context of a no-deal Brexit?
In a no-deal Brexit the GDPR will be turned into UK national law under Section 3 of the European Union (Withdrawal) Act 2018 ("EUWA"). Section 3 of the EUWA also saves the EU-US Privacy Shield. Section 2 of the EUWA confirms that the Data Protection Act 2018 remains as valid law in the UK.
Schedule 21 to the Data Protection Act 2018 is inserted by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). Schedule 21 makes further provision in relation to the continued application in the UK of EU adequacy decisions, including the EU-US Privacy Shield (see paragraphs 4-6) and Model or Contractual Clauses (see paragraphs 7 and 8).
What about a "deal" Brexit? What happens then?
What if Brexit gets delayed beyond 31st October?