Brexit and Data ProtectionWe have conducted extensive contingency planning to ensure that we can continue to provide advice to clients after Brexit without being materially impacted by new restrictions.
From a data protection perspective, we have considered the potential effects of Brexit on transfers of data, and particularly transfers of personal data from the EU to the UK. In the majority of cases, we think there is no need to change our working practices.
First, we will maintain Linklaters’ Binding Corporate Rules ("BCRs"). BCRs allow multi-national businesses to make intra-organisational transfers of personal data across borders in compliance with EU data protection law, including the EU General Data Protection Regulation (the "GDPR"). Linklaters’ BCRs have been approved by the European data protection regulatory authorities, permitting us to transfer personal data between our offices on a global basis. We have taken steps to ensure our BCRs continue to be valid after Brexit.
As a general rule, our clients deal directly with their local office. For example, if you are based in France, then it is likely that most of your dealings will be directly with our Paris office. In this situation, you are not transferring personal data outside of the EU. Instead you are transferring personal data within the EU. Any subsequent transfer of data outside of the EU, including to London, is our responsibility and is covered by our BCRs. In such cases, no further action is necessary.
Second, we appreciate that there may be some cases where clients in the EU need to deal directly with our London office, in much the same way as those clients might currently deal directly with our offices in New York or Singapore. We believe that, in the vast majority of cases, the transfer of personal data will be necessary for the establishment, exercise or defence of legal claims. Consequently, such transfers will be justified as they are subject to a specific derogation in Article 49(1)(e) of the GDPR.
Third, where any services are outsourced to third party vendors or suppliers in the UK and it is appropriate to make a transfer of EU personal data to those suppliers, we are taking steps to ensure that appropriate contracts are in place between the relevant Linklaters entities and the suppliers to permit such transfers to continue post-Brexit.
We appreciate that these observations are general in nature, rather than based on your particular circumstances. There may be occasions where an EU-based client engages our London office directly for advice unrelated to legal claims and in a situation where there is no other justification under the GDPR. We think such matters will only occur in rare cases and, in any event, the type of personal data we receive is typically very limited (e.g. professional contact details such as email addresses, titles, work phone number, etc.).
Please reach out to your Linklaters contact or the Global Head of Law & Compliance (firstname.lastname@example.org) with any further questions you may have.