Tag Archives: no deal

Operation Yellowhammer

Ornithology

What has Brexit to do with a small member of the bunting family? A bird that is migratory, apparently recognising no national boundaries. One that is found throughout Europe and thrives in its adopted homes in Australia and New Zealand.  So widespread is the Yellowhammer (Emberiza citronella) that it has been adopted as the state symbol of Alabama.

Clearly someone in Whitehall running the No Deal contingency planning is a keen birder. Or has a sense of humour.

Political Wrangling

In extraordinary scenes this week Parliament was prorogued until 15th October.  It is a move that is not without controversy and we shall see the judgement of the UK Supreme Court next week. 

One of the final acts of outgoing Parliament was to pass legislation compelling Government to publish the dossier on the potential consequences of a “No Deal” Brexit, a document bearing the codename “Operation Yellowhammer”.    

Extracts from the Yellowhammer report had been leaked and published in the Sunday Times a few weeks ago.  Following the publication of the extracts arguments raged about the age of the Yellowhammer document and whether or not it represented a “Worst Case” or “Base Case” planning scenario.

Wednesday evening saw the publication of a remarkably matter-of-fact 5-page Operation Yellowhammer document with the status “Official Sensitive”. The report is dated 2nd August and it apparently represents the Government’s “Reasonable Worst Case Planning Assumptions”. 

Implications for UK Companies receiving Personal Data from EU

Under the general heading “Key Planning Assumptions” are sections on the widely discussed impacts on HGVs entering the UK particularly at the Channel ports and disruption to the supply of fresh food and medicines.

Listed at Number 9 (of 20 assumptions) is the following:

“The EU will not have made a data decision with regard to the UK before exit.  This will disrupt the flow of personal data from the EU where an alternative legal basis for transfer is not in place. In no deal an adequacy assessment could take years.”

This is an important consideration for companies in their No Deal contingency planning. Under the No Deal outcome, the UK becomes a Third Country and would no longer be covered by EU ‘free flow of data’ rules. 

As the Yellowhammer report states the UK would need to apply for an adequacy decision to ease the flow of personal data from EU member states.  Typically, an adequacy assessment from the EU can take 2 years – sometimes longer.

To date the EU Commission has adopted 13 adequacy decisions with: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the United States (for companies using the EU-US Privacy Shield or Swiss-US Privacy Shield). Most recently the EU agreed a reciprocal adequacy decision with Japan. South Korea started the process of applying for an adequacy decision from the Commission in 2015. The decision is still awaited. 

What to do?

The previous blog (“55 Days to Go”) covers the steps that UK companies need to take when handling data from EU member states.

Privacy Notices

Companies must also review and update Privacy Notices to include amongst other items:

  • The legal basis for processing personal data
  • Collection and use of personal data for direct marketing, analytics, research purposes – where applicable
  • Collection of HR personal data
  • Transfers of personal data outside the EEA and the transfer mechanisms in place to govern those transfers

What Next?

An update on the August version of the Yellowhammer report which will include the current contingency plans in the case of a No Deal Brexit has been promised. It will be interesting to see if any progress has been made on the status off data flows in recent weeks.

Meanwhile the Government continues to insist its preferred outcome from the Brexit negotiations is a deal with the EU.  If a deal is secured it may be that the current flows of personal data to and from the EU are not materially affected.

Watch this space.

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 12th September 2019

Brexit: 55 Days to Go, or is it?

It has been a momentous week for UK politics. With Parliament back from the summer recess MPs moved to seize the Order Paper from Government. There then followed an audacious move to legislate against a “No Deal” Brexit, a move which would hamstring the Government’s Brexit negotiation strategy. The Government’s strenuous attempts to prevent the passage of legislation to take the “No Deal” option out of the equation led to the withdrawal of the whip (in effect the suspension) of 21 Conservative MPs.  The legislation that would prevent a No Deal outcome will return to Parliament early next week.  It remains to be seen whether the legislation achieves Royal Assent and is written into law.

In the meantime, the plan to prorogue Parliament for five weeks ahead of the Brexit deadline moved on apace despite a number of legal challenges.

Elsewhere 

This week also saw the Prime Minister’s own brother, Jo Johnson, resign as Universities Minister registering his objection to the direction of the Brexit negotiations which he viewed as no longer in the national interest. 

On a happier note Downing Street announced the arrival of a new resident as the Prime Minister and his partner unveiled Dilyn their new puppy.

The Prime Minister is keen to reinforce his Government’s resolve to achieve Brexit, with or without a deal by the 31st October deadline. But despite his vigorous defence of this policy it remains unclear whether this will be achieved.

Implications for businesses

Amongst all this political turmoil it is difficult for businesses to plan ahead especially if the business model includes data transfers to or from EEA companies.

In the case of a No Deal Brexit on the date of departure the UK becomes a ‘Third Country’ in terms of EU data transference rules.  This means companies that the UK will not have adequacy status, so needs to take particular steps when processing EEA* data, for example, the data of your customers or prospects or clients.

What you need to do

The UK will recognise all EEA countries as adequate under UK law.  So there are no issues with you continuing to send personal data to the EEA. 

The reverse, however, is not the case so there will be major changes when transferring personal data from the EEA to the UK.  You need to prepare:

  1. Know your data” specifically that data you process about EU individuals.  Make sure your data mapping is up to date and identifies those individuals outside the UK, but within the EEA.
  2. Take appropriate GDPR safeguards for processing and transfers of EEA data, and update your privacy policy accordingly
  3. Use Standard Contractual Clauses to enable transfers of personal data from the EEA to the UK and vice versa.
  4.  If you are using Binding Corporate Rules, these will need to be adjusted slightly post-Brexit.

*EEA = The 27 European Member States, plus Iceland, Liechtenstein and Norway.

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or email teambrexit@datacompliant.co.uk

Countdown to Brexit… 69 days to go

The new Parliamentary session starts on 3rd September. Inevitably the session will be, once again, dominated by Brexit. With so little time between the start of the session and the Brexit deadline of Hallowe’en (31st October) there will be little Parliamentary time given over to any issues other than the terms of the UK’s exit from the EU. Parliamentary time is limited further by the Party Conference season with a further recess between 14th September and 9th October.

The Conservative Party Conference runs from 29th September to 2nd October in Manchester.  Members of Cabinet will be expected to attend and no doubt their speeches from the platform and on the fringe will be scrutinised for new policy initiatives and especially the direction of policy post Brexit. 

Over the summer the political agenda was dominated by possibility of a “No Deal” Brexit with MPs from all parties floating a variety plans for how such an eventuality could be prevented. Prime Minister Johnson has been resolute in his belief that the No Deal option cannot be removed from the table.     

Data Protection Implications

The new Prime Minister wasted no time in assembling his new Cabinet, making his intentions very clear by appointing, with few exceptions, long-standing Brexit supporters. Notable among the exceptions were the appointment of Amber Rudd to the Work & Pensions brief she has held since November 2018 and Nicky Morgan who assumes a Cabinet role as Secretary of State for Digital, Culture, Media and Sport. This is of particular interest because the brief includes Data Protection regulation and writing the “UK GDPR” into UK law.

When the UK exits the EU, as is planned, the EU GDPR will no longer be  applicable in the UK (although the Data Protection Act 2018 which references the GPDR will still apply). The UK government intends to write the GDPR into UK law, with changes to tailor it for the UK.The government has already published the – ‘Keeling Schedule’ for the GDPR, which shows the planned amendments. It can be found here http://bit.ly/2Nsy9sw 

The amendments primarily relate to references to the European Parliament, EU Member States, and the EU Commission.

What Next?

Deal or No Deal on the exit date, the UK will become a ‘third country’ (to use the jargon).  It has been suggested that there will be a period of at least 2 years of negotiations to finalise the full terms of the divorce arrangements.  During this time the UK Government will continue to allow transfers to the EU.  This will be kept under review by the new Secretary of State.  Watch this space!

Gareth Evans 23.08.2019