December 6, 2022

Volume XII, Number 340


December 05, 2022


A Likely Crisis for Data Transfers to the UK post “No-Deal Brexit”

If your company holds or collects data in the US, the UK and elsewhere in the EU, you should be mapping out how data flows through those jurisdictions in anticipation of the UK “crashing out” of the European Union in October, as currently anticipated, or otherwise in the near future. We have no reason to believe that the EU will make data transfer easy for companies in this circumstance.

Under EU data management laws, no one can send, grant access to, or otherwise transfer personal data to a country outside the European Union/European Economic Area (EU/EEA) unless the EU has made a formal decision that its data protection measures are “adequate.” Adequacy for these purposes means treating data in a manner similar to the EU. To date, the European Commission has recognized only Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.

Without an adequacy decision, data cannot flow freely and companies must implement another protection mechanism (e.g., specific contract terms) or fall within a limited exception. Transfers made without such adequacy decisions, protections or exceptions are against EU law and can lead to fines or worse against an offending business.

After a no-deal Brexit (scheduled to take effect October 31, 2019), the UK would change in an instant from being part of the EU data protection regime to being an outside jurisdiction with no evaluation of adequacy. The fact that UK laws, policies and enforcements were clearly adequate as of nearly all of October, 2019 (and for the previous 25 years) will likely not be a consideration, as the EU has little incentive to make business easier for the UK after a complete rejection of the EU and subsequent refusal to accept negotiated terms for departure.

Even if the EU were inclined to assist, once the UK has become a third country it would be necessary for the EU Commission to follow the detailed procedure for making an adequacy decision under GDPR Article 45. This means there would inevitably be a delay before any such decision could be made and formally applied. The EU will likely take its time—maybe up to two or three years—to make an adequacy evaluation for the UK. Nearly everyone expects the higher status to be granted, but not right away. This leaves many companies in a quandary.

A challenge arises where an EU/EEA-based processor sends personal data to the UK. There seems to be no way to assure EU data law compliance where data processed in the EU flows back to its source in the UK to a data controller there. This is because there is currently no EU-approved set of “standard” or “model” clauses for use by an EU/EEA-based data processor when sending data to a data controller in a third country. It also reflects the European Data Protection Board's firm statement that exceptions such as those set out at GDPR Article 49 are intended for use only in relation to processing that is “occasional” or “nonrepetitive.” Consequently, the derogations cannot be used to support a “business as usual” approach. Given those potential difficulties, businesses should map their data flows and check that any data critical to UK operations will not be trapped within the EU/EEA following a no-deal Brexit.

For flows through the US or in the opposite direction, two companies can simply apply the standard contract terms approved by the European Commission (which cannot be amended unless approved by regulators). But these terms only apply to transfers from controller to controller or controller to processor (not processor to processor or processor to controller). So, if these contract terms cannot be used absent an adequacy determination or other change in EU law, what options exist? At the moment, any of those options has been ruled a violation of EU law in one manner or another. Companies in this situation may need to make a risk-based decision without the ability to erase the legal risk entirely.

We continue to watch for developments on how to ease this transition. The European Data Protection Board published an information note on the topic, emphasizing that the no-deal Brexit scenario will require mechanisms to be put in place to allow for the continued flow of personal data from the EU/EEA to the UK. The Information Commissioner’s Office (the UK data protection regulator) has also advised of the same. 

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.

National Law Review, Volume IX, Number 239

About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management and cross-border data transfer issues, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.


J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. | 2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude

Andrew Kimble Womble UK IP, Technology and Data, Regulatory, IP Tech Privacy and Cybersecurity

Andrew is a partner specialising in all aspects of data protection and privacy work including data protection audits, data security incidents, cross-border data transfers, outsourcing arrangements, subject access requests, direct marketing and general data protection and freedom of information compliance. He also advises on information technology projects including in relation to outsourcing, ecommerce and consumer law matters.

Andrew is a trainer on the PDP data protection practitioner's course. He also advises the Interactive Media in Retail Group (the UK online retail association...