Earlier this month the European Commission’s Directorate-General for Justice and Consumers (DGJUST) published its “Notice to Stakeholders: withdrawal of the United Kingdom from the Union and EU rules in the field of data protection”. The notice should come as no surprise as it simply reiterates the applicability of the general European Union data protection law regime that restricts data transfers outside of the EU unless adequate safeguards are in place or the third country guarantees an adequate level of protection.
While the UK has indicated that it wishes to remain closely aligned with EU data protection law (it will, after all, at the point of withdrawal have implemented the General Data Protection Regulation (“GDPR”)), the outcome of the Article 50 negotiation process, and whether the terms of any withdrawal agreement will address data transfers between the UK and the remaining 27 EU member states, is uncertain. In those circumstances, the notice serves as a valuable reminder of the legal implications of Brexit for the ways organisations and businesses process personal data, and of the need to consider implementing one of the mechanisms available to them for the purposes of personal data flows to third countries.
The Border Cow and Data Transfers
The importance of EU-UK cross-border data flows cannot be underestimated. Much like milk from the proverbial Irish border cow grazing in the south, which is processed in the north, only to end up on supermarket shelves south of the border, the flow of personal data between the EU and the UK is a complex web of transfers back and forth that is deeply ingrained in the operations of many businesses and organisations and cannot be disentangled at a moment’s notice. According to the Frontier Economics independent report “The UK Digital Sectors after Brexit”, three quarters of the UK’s data transfers are with EU countries. Some of the world’s largest technology companies, such as Amazon, Microsoft and IBM, rely on data centres in the UK.
With an ever-increasing use of cloud storage and SaaS based applications, the day-to-day operations of many businesses and organisations rely on the free movement of data between the UK and the rest of the EU. For processors, data processing contracts will generally prohibit data transfers outside the European Economic Area (“EEA”) with some data controllers (such as public bodies) restricting data transfers to within the EU. Given the broad legal definition of “transfer” (which includes simple processing activities such as making personal data accessible and accessing such data from a third country), the UK’s departure from the EU will have a profound impact on the current data processing arrangements.
Data transfers are permitted to third countries which the European Commission has decided provide an adequate level of protection (known as an “adequacy decision”). It has been widely speculated that the European Commission might make an adequacy decision in respect of the UK, and arguably this would be the best outcome for business, as personal data would be permitted to flow from the remaining 27 EU member states and the three EEA member states without further restriction.
However, an adequacy decision is not a fait accompli and will most certainly not be in place at the moment the UK formally ceases to be an EU member state, for one very obvious reason: an adequacy decision can only be made in respect of a third country, and therefore the UK will have to formally leave the EU before an adequacy decision can be made in respect of it.
The adequacy procedure itself also involves several steps and is a lengthy process. By way of example, it took 42 months to recognise Israel as providing adequate protection, 27 months with respect to Andorra and 17 months for Argentina. This is an average of just over 28 months.
The procedure commences with a proposal from the European Commission, followed by an opinion by member states’ data protection authorities and the European Data Protection Supervisor, and an approval from the “Article 31 Committee” (a committee comprised of member states’ representatives). The decision is then adopted by the College of Commissioners. Under certain circumstances, the European Parliament and the European Council may request the Commission to maintain, amend or withdraw the adequacy decision. An adequacy decision may further be challenged before the Court of Justice of the European Union (“CJEU”).
If and when the level of protection provided by the UK is assessed, the UK’s domestic law (general and sectoral), its international commitments, and the existence and functioning of its supervisory authority (the Information Commissioner’s Office) will be scrutinised. The UK can only be expected to perform well on most criteria. The main potential problem identified by commentators to date is the Investigatory Powers Act 2016, which allows for broad interception, interference and communications acquisition powers that may be found not to be sufficiently limited to adequately safeguard the rights of individuals.
Alternatives to an adequacy decision
In the absence of an adequacy decision, or during the interim period between the UK’s formal withdrawal and the adoption of an adequacy decision, businesses and organisations transferring data to the UK must ensure that they put appropriate safeguards in place or can rely on the derogations available.
Under the GDPR (which will be in force at that point), the following alternative mechanisms for international data transfers may be used:
(a) Standard contractual clauses (which themselves have been the subject of a challenge by data protection activist Max Schrems and await the outcome of a preliminary reference ruling of the CJEU to be sought by the Irish High Court);
(b) Binding corporate rules (for intra-group data transfers);
(c) Adherence to an approved code of conduct, or certification in accordance with an approved certification mechanism;
(d) Reliance on one of the derogations listed in Article 49 of the GDPR:
(i) The data subject has explicitly consented to the transfer;
(ii) The transfer is necessary for the performance of a contract or the data subject has requested the implementation of a pre-contractual measure;
(iii) The transfer is necessary for important reasons of public interest;
(iv) The transfer is necessary for the establishment, exercise or defence of legal claims;
(v) The transfer is necessary in order to protect the vital interests of the data subject or other persons;
(vi) The transfer is made from a public register open to consultation; or
(vii) The transfer is a once-off non-repetitive transfer concerning a limited number of individuals.
Conclusion – Brexit means Brexit
Although the outcome of the Article 50 negotiation process remains unclear, the UK will cease to be a member state of the EU on 29 March 2019 (or later if the Article 50 process is extended in accordance with its terms) and will become a third country for data protection purposes.
The European Commission has continually emphasised that the private sector must prepare for the day the UK ceases to be part of the EU. When it comes to data protection and transfers of personal data, businesses should map their personal data flows, review contracts and data protection policies, and take measures ahead of March 2019 to identify and implement an appropriate mechanism for transfers of personal data to the UK. Failure to do so may result in an administrative fine of up to €20 million or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is greater, and in potential claims for pecuniary and non-pecuniary damages from individuals.