The UK Parliament has today, 15th January 2019, rejected the Government’s Brexit withdrawal agreement with the EU. This turn of events, which was widely anticipated, increases the prospect of a no deal Brexit, i.e. a break-up without a divorce settlement. According to law, the UK will leave the EU on 29th March 2019 with no deal unless Parliament has accepted the withdrawal agreement, or a modified version of it, or a new agreement has been reached with the EU and accepted by Parliament, before then. Although no deal remains an unlikely scenario, it would have consequences for your data protection obligations.
What does this mean for your organisation and the way you manage personal data?
There is much uncertainty about where the Brexit process will go from here. All scenarios other than no deal involve either accepting some other kind of agreement (which will have a transitional period), or a delay to the date of exiting the EU. So in all currently foreseeable circumstances except no deal, existing data protection arrangements will continue to apply from 30th March 2019 for at least some time. However, since no deal remains a possibility, it would be sensible at this stage to work out how your organisation would address that situation – unless your organisation’s solution would be very complex to put in place, that is probably all you need to do for now.
Data flow scenarios
The first thing you should do is consider the data flows that could be affected. The main variants are described below.
A. Data transfers from the UK to the EU/EEA
All UK personal data will continue to be allowed to flow freely to all European Union (“EU”), European Economic Area (“EEA”) states and Gibraltar. The UK Government (Department for Digital, Culture, Media & Sport) has transitionally recognised the unprecedented degree of alignment between the UK and EU’s data protection regimes and would therefore at the point of exit continue to allow the free flow of personal data from the UK to the EU, though this position will be kept under review.
B. Data transfers from the EU/EEA to the UK
In the absence of an EU adequacy decision in favour of the UK (about which, see below), some form of safeguard will need to be put in place under the GDPR/Data Protection Act 2018 (“DPA”) to protect international transfers from the EU/EEA to the UK.
The EU Standard Contractual Clauses (“SCCs”)
One option permitted under the GDPR/DPA would be the SCCs for controller-to-controller, or controller-to-processor transfers. The EU/EEA data exporter should be able to rely on the SCCs when transferring EU personal data to the UK.
This will work in the following situations:
- The EU/EEA data exporter is a controller of EU personal data and your organisation is a UK controller.
- The EU/EEA data exporter is a controller of EU personal data and your organisation is a UK processor.
The SCCs, however, may not be employed when the EU/EEA data exporter is a processor (rather than a controller) of EU personal data. This is because the EU Commission has not produced approved processor to processor SCCs. A different mechanism will need to be used in this scenario.
Binding Corporate Rules (“BCRs”)
EU personal data may be transferred freely to an organisation which has secured the approval of its BCRs of the relevant data protection regulator(s). BCRs allow organisations with operations in non-EU/EEA countries to transfer personal data internationally within the same corporate group. However there is a limited number of companies (around 50 – the list of which can be found here) which have obtained approval by EU data protection regulators. A new one-stop-shop approval system is now in place for multinationals that have their main establishment in one EU country, but even with these improvements, it is unlikely that the requisite BCR approvals could be obtained prior to 29th March 2019 if not already in hand or well underway at this time.
EU Adequacy Decision
If the European Commission were to issue a formal adequacy decision concluding that the UK data protection regime offers a level of protection that is “essentially equivalent” to that provided in the EU, this would mean that EU personal data could flow freely between the EU/EEA and the UK. However, the European Commission has previously stated that an adequacy decision cannot be made until the UK has exited the EU. In any case, the decision-making process generally takes time to reach the decision stage (usually at least a year) and, in the case of the UK, concerns may be raised in regard to the bulk collection of personal data under the Investigatory Powers Act 2016 (“IPA“).
If none of the above can be used, then the following derogations may potentially be relied on, subject to various conditions and limitations that are beyond the scope of this blog to cover:
- data subject explicit consent,
- fulfilling a contractual obligation,
- public interest,
- establishment, exercise or defence of legal claims,
- vital interests of the data subject, or
- if it is a one off restricted transfer and you have a compelling legitimate interest.
C. Transfers of EU Personal Data from the UK to non-EU/EEA countries (onward transfers)
Onward transfers of EU personal data from the UK to territories with an adequacy decision (found here) do not require any additional safeguards or authorisations from data protection regulators (although controller to processor transfers will continue to require implementation of the Article 28 clauses).
US Privacy Shield
The EU/US Privacy Shield framework is a form of adequacy decision that permits the transfer of EU/EEA personal data to the US on specific conditions that have to be met by any US organisation willing to become self-certified under the framework.
Standard Contractual Clauses (“SCCs”)
As mentioned above SCCs may be used for onward transfers in the following scenarios:
- EU personal data is transferred from the EU/EEA controller data exporter to your organisation which is a UK processor, and you intend to transfer the EU personal data onward to a sub-processor who is a non-EEA based third party. In this case, this third party can “join” the SCC as a sub-processor with consent from the EU/EEA data exporter.
- EU personal data is transferred from the EU/EEA controller data exporter to your organisation which is a UK controller, and you intend to transfer the EU personal data onward to a controller who is a non-EEA based third party. However conditions must be satisfied, one of which is that the third party must become a signatory to the SCCs.
Binding Corporate Rules (“BCRs”)
Approved BCRs can also continue to be used (see above).
The derogations can also be relied on subject to conditions and limitations (see above).
For further information, the following guidance on transfers has been issued by the UK Government and the Information Commissioner’s Office;
A. Establishment in the EU
If you are a controller or processor in the UK with no establishments in the EEA and you offer goods or services to EU data subjects or your organisation monitors the behaviour of EU data subjects you must appoint an EU representative to liaise with data protection authorities in the EEA.
- The ICO has clarified that this EU representative cannot be a DPO or one of your processors.
- The EU representative’s contact details must be included in your privacy notice(s).
B. Update your privacy notices
You should review and update your privacy information documents to better understand your data flows and flag areas with EU references to prepare for changes.