Time to act: Maintaining data flows to the UK

Brexit brings with it many uncertainties, especially in the area of data protection. Therewith, it is still questionable whether the level of data protection in the UK will be considered equivalent by the EU after the UK's final withdrawal from the European Union. A non-recognition would result in serious consequences for Swiss companies. Therefore, we highlight the main preparatory measures organisations in Switzerland should focus on in order to prepare for 31 December 2020.

International situation

The UK left the European Union on 31 January 2020. Since then, a so-called transitional period is in force during which EU laws and thus the General Data Protection Regulation (GDPR) continue to apply. This period will expire on 31 December 2020. Thereafter, the GDPR will no longer be applicable in the UK. As the GDPR restricts transfers of personal data from the EU to so-called “third countries”, the UK would then have to achieve an EU decision on data protection equivalence.

However, it is highly questionable whether the UK could achieve such a decision in the near future:

On the one hand, Britain is seemingly trying to take steps towards the EU. For example, the country has adopted the EU GDPR into national law and created the “UK-GDPR” which guarantees similar data protection standards to those in the EU at the end of the transitional period. On the other hand, the UK's recognition of data protection equivalence could be hampered by its potential intelligence agreements with the US and other countries as well as by certain methods of data retention as for example the record of postal items (the ruling of the European Court of Justice on data retention in October 2020 might be relevant in this context).

Challenges for Swiss companies

Should the UK not be recognised as a safe third country at the end of the transitional period, this would have implications on international data transfers based on the GDPR. Moreover, there is a chance that Switzerland would deem the UK as an unsafe third country as well. Therefore, in this worst-case scenario, not only international companies (to which the GDPR applies), but also nationally acting Swiss businesses (that are only subject to the Swiss FADP) would be affected by the restriction on data transfer to the UK. As a result, all these companies would have to put in place appropriate safeguards such as standard contractual clauses or binding corporate rules regarding future data transfers.

Given the urgent risk of a hard Brexit and the lack of an adequacy decision, necessary steps should be taken now to be prepared for 31 December 2020. These should contain:

• Mapping of personal data flows: Are your personal data flows to and from the UK totally mapped? Have you spoken with your clients, suppliers or other group entities about personal data flows to the UK?
• Avoid disruption: What steps can you take in order to enable personal data flows to continue in the absence of an adequacy decision? Which additional safeguards should ensure safe data flows concerning the UK in the future?
• Monitor the situation closely and take action: How are the negotiations between the EU and the UK developing? Will there be an adequacy decision after 31 December 2020?

More Brexit related information can be found here.