Paris, January 28, 2019 - Following the rejection of the negotiated agreement to leave the European Union by British MPs on January 15, 2019, and as highlighted in the article published by REGIMBEAU, the most likely scenario is the 'no deal': a withdrawal without an EU agreement.
The EU exit procedure is due to be completed on March 29, 2019, but until that date the United Kingdom remains a Member State of the European Union.
Since May 25, 2018, Regulation No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) has been in force. As this is a European regulation rather than a directive, the text has been applied directly and simultaneously in all Member States of the EU, without transposition.
Brexit raises the question of the consequences for the GDPR and, more generally, of the fate of operations transferring personal data to the United Kingdom.
- GDPR: AN EXTENDED TERRITORY OF APPLICATION
The purpose of the GDPR was to extend the scope of application of EU data protection legislation. This is why it applies to any processing of personal data:
- which takes place in the context of the activities of an establishment of a controller or a processor in the EU, whether or not the processing takes place in the EU;
- relating to data subjects located in the EU by a controller or a processor;
- relating to data subjects located in the EU by a controller or processor who is not in the EU if the processing activities are related to:
  - the offering of goods or services to concerned data subjects in the EU regardless of whether or not payment is required; or
  - the monitoring of the behaviour of data subjects in the EU insomuch as their behaviour takes place within the Union.
Thus, regardless of the nationality of the person concerned, the only criteria taken into consideration are the determination of the actors involved in the processing and the territory where the data subjects are located. Due to its extraterritorial scope, the GDPR will continue to apply to the majority of British actors in their relations with their European partners.
- DATA TRANSFER TO THE UNITED KINGDOM
In the absence of an agreement, on March 30, 2019, the United Kingdom will become a third country with regard to the GDPR. In principle, the transfer of personal data outside the EU territory is prohibited unless the country or recipient provides a sufficient level of protection.
In accordance with Article 44 of the GDPR, any transfer of personal data to a third country is subject to:
- an adequacy decision by the Commission (Article 45 of the GDPR);
- the existence of appropriate safeguards by the controller or processor (Article 46 of GDPR). These may include binding and enforceable legal instruments, binding corporate rules (BCRs), standard contractual data protection clauses adopted by a supervisory authority and approved by the European Commission, codes of conduct or certifications; or
- specific conditions (Article 49 of GDPR), such as the explicit consent of the transfer by the data subject, a transfer necessary for the performance of a contract in the interest of the data subject, etc.
- DATA TRANSFER FROM THE UNITED KINGDOM TO THE EU AND THIRD COUNTRIES
Adopted on May 23, 2018, the UK Data Protection Act (DPA) provides a legal framework adapted to European rules at a national level which will continue to apply after Brexit. The British Government has also published a guide relating to future amendments to national data protection legislation in the event of a no-deal Brexit (No Deal Scenario). Thus, the British Government seems to put forward three possible hypotheses on the issue of data transfer:
- it may recognise, on a transitional basis, all EEA States and Gibraltar as ensuring an adequate level of data protection, which will result in the continued flow of data from the United Kingdom to these countries after Brexit;
- on a transitional basis, the Government may be able to conserve the EU's adequacy decisions (America, Japan, Switzerland, Israel, etc.) which will allow the transfer of data from the United Kingdom to these third countries;
- it may recognise, as an appropriate measure for allowing international data transfers from the United Kingdom, the standard contractual clauses developed by the Commission.
Finally, in this guide, the Government states that the same GDPR standards will continue to apply in the United Kingdom and that the Information Commissioner's Office (ICO) will remain the independent data protection regulator in the United Kingdom.
The challenge for actors is, therefore, to examine whether goods and/or services of subsidiaries, partners and/or service providers are provided within the United Kingdom, and then to adopt strategies, in particular contractual strategies, to remain compliant with the requirements of the Data Protection Regulation.
All of REGIMBEAU's teams are available to support and advise you regarding the best strategies to implement for data transfers to third countries, which may potentially include the United Kingdom.