The GDPR is coming into force on 25 May 2018. The UK is leaving the EU at 11pm on 29 March 2019. No doubt these dates are engraved into the minds of most business owners. But while these deadlines are enough on their own to leave you with plenty to worry about, it is also important to consider the interplay between the two – that is to say, what will Brexit mean in terms of the GDPR?
In fact, the European Commission (the “EC”) considers this important enough to have released a statement reminding businesses that, when the UK leaves the EU, the UK will become a “third country” for the purpose of data transfers under the GDPR.
But what does this mean in practical terms?
Once the GDPR comes into force and BEFORE we ‘Brexit’:
- businesses processing data in the EU can freely share data with the UK, simply by virtue of the UK’s membership of the EU; and
- businesses processing data in the EU which wish to share data with non-EU countries (or ‘third countries’) will have to rely on one of the following ‘safeguards’:
- Adequacy Decision – the EC has the power to determine whether a country offers an ‘adequate’ level of data protection. To date, the EC has recognised the following countries as ‘adequate’: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States (limited to organisations certified under the Privacy Shield framework).
- Binding Corporate Rules (“BCRs”) – multinational companies transferring data internally can use BCRs, which operate like a code of conduct to ensure that data transfers within a corporate group are safe. These BCRs must contain (1) privacy principles; (2) tools of effectiveness, such as audits and training; and (3) a method of proving that the rules are binding. Before you can start using them, the Information Commissioner’s Office (the “ICO”) must approve your organisation’s rules. (See more details on BCRs, including a list of which organisations currently use them).
- Contractual Clauses – the EC has issued three sets of Standard Contractual Clauses (“SCCs”) for data transfers. It is important to note that SCCs cannot be varied and that, practically speaking, SCCs will mainly be useful for one-off transfers. If you are regularly transferring data between organisations, it would be more time and cost-effective to rely on the other safeguards listed, which will save you having to negotiate contracts each time you transfer data. It is also possible to rely upon non-standard contractual clauses where they have been authorised for use by the ICO.
- Approved Codes of Conduct – your company can sign up to a code of conduct, which must be approved by, and will be subject to mandatory monitoring by, the ICO. However, where the data transfers are cross-border, the code of conduct must also be approved by the European Data Protection Board. The code must be accompanied by binding and enforceable commitments, meaning that, if it is breached, action can be brought against the third-country data controller or processor. Breaching the code of conduct can result in administrative fines of up to 2% of your company’s global annual turnover (or €10 million, whichever is higher). Under previous EU data protection legislation, codes of conduct did not exist as a safeguard mechanism for international transfers.
- Certification Mechanisms - this is a way of demonstrating that you have established appropriate safeguards relating to the adequacy of data transfers. As with the codes of conduct, the ‘third party’ data controller or processor must make a binding and enforceable commitment, and the certificate will be issued by the ICO. These certification mechanisms are provided for in the GDPR, and did not exist under previous EU data protection legislation.
In very specific cases, derogations apply which mean that transfers of data to recipients (whether controllers or processors) in third countries will be allowed, even where none of the above safeguards are in place. These derogations are exceptions and are interpreted narrowly; they include:
- where the data subject has given explicit consent to the transfer, having been informed of the possible risks;
- where the transfer is necessary for the performance of a contract;
- where the transfer is necessary for the establishment, exercise or defence of legal claims; or
- for important reasons of public interest.
Transfers to the UK after Brexit
After Brexit, the UK will become a third country. This means that data controllers in EU countries will have to identify a specific legal basis within the GDPR upon which they can lawfully transfer personal data to the UK (i.e. ensuring that one of the safeguards listed above is in place, or relying upon a specific derogation). This will affect any UK business which depends upon receiving personal data from data controllers in the EU, including those who depend upon trade with EU countries and international firms with offices abroad. Regrettably, in the context of international data transfers, the GDPR will present yet another complication for UK-EU trading companies in the wake of Brexit.
An adequacy decision for the UK?
The UK Government recognises the imperative of obtaining an adequacy decision, which would be the simplest means of ensuring that data controllers throughout the EU can legally transfer personal data to the UK without further reliance upon the safeguards, all of which require a significant amount of legal input and expense, and preparation in advance of the data transfer. The GDPR will continue to apply when the UK exits the EU and the UK Government has demonstrated its commitment to the principles of the GDPR within the Data Protection Bill. However, any decision on adequacy will have to wait until we reach the ‘data protection’ stage of the Brexit negotiations. Where the only certainty with respect to Brexit is that nothing is certain, this presents an added challenge to companies with business relationships in the EU.
Is there anything to be done now?
It is important to note that all of the above is subject to any transitional arrangement made during the Brexit negotiations. If such an agreement is reached, it is likely to contain provisions about how data can be transferred between the EU and the UK post-Brexit. Alongside considerations with respect to transfers of data from the EU to the UK, thought will need to be given to international transfers by UK data controllers. Similar safeguards are likely to apply within the domestic data protection regime which applies post-Brexit, but the UK will also need to make its own determinations concerning the adequacy of protection in third countries.
Therefore, in preparing for the introduction of the GDPR in May, you should be looking further ahead and considering the implications of the UK leaving the EU. Where your business is reliant upon data transfers from the EU, you should Brexit-proof your international data transfers by lining up one of the other safeguards in case the UK is not granted adequacy. And at the moment, judging by the careful wording of the EC’s recent statement, this is by no means a foregone conclusion.