With data being commonly hailed as the contemporary world’s greatest asset, its free movement within the EEA is not only commonplace, but desirable. With the introduction of the GDPR in May 2018, data transfers within European territory remain simple and adequately regulated, protecting rights and interests of data subjects and allowing businesses and organizations to operate within the EEA, including Malta and the United Kingdom, without particular difficulty. However, with impending Brexit appearing to be a particularly acrimonious divorce, the free movement of data from Malta to the United Kingdom may prove to be negatively impacted.
Currently, data transfers may take place from and through Malta to the UK without any substantial legal hurdles; a ‘No-Deal’ Brexit will plausibly render the United Kingdom third-country territory subject to the GDPR’s strict requirements and restrictions upon data transfers being made to such territories. The GDPR in fact requires data controllers and processors engaged in the transfer of data to third-country territories to guarantee that the level of protection afforded to data subjects under the Regulation is not undermined; such transfers must thus be based upon the GDPR’s wide-reaching conditions.
Whilst it is to be expected that the United Kingdom will, in due course, be considered by the European Commission to provide adequate protection to personal data through the issuing of an Adequacy Decision, data transfers from Malta to the UK post ‘No-Deal’ Brexit pending such a decision will necessarily require compliance with the appropriate safeguards required under the GDPR. The GDPR lists a number of ways in which compliance for international data transfers may achieved. Apart from the derogations included under Article 49, other alternatives such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) should be utilized. Mechanisms such as SCCs have been endorsed by the European Commission as a means of ensuring the necessary data protection compliance and would not require the consent of the Information and Data Protection Commissioner for the performance of such a transfer. In cases where the SCCs are not used, alternative appropriate safeguards may be drafted by the parties and applied subject to the approval of the IDPC; similarly, BCRs must be approved by the IDPC subject to the consistency provisions instituted by the GDPR.
Whilst SCCs cater for short-term compliance, when considering contemporary legal challenges, their future legitimacy is not certain: SCCs, although duly endorsed at EU institutional level, may not sufficiently cater for the legal obligations of an overseas party and are yet to be updated post-GDPR. Although it is difficult to determine the extent and effect Brexit will have on Malta to UK data transfers, it is safe to assume that changes in currently applied procedures will be required. Should the United Kingdom be deemed to satisfy all the pertinent requisites for Adequacy status, the European Commission shall have until the end of 2020 to decide whether to approve the UK data protection standards in light of Brexit negotiations. A positive outcome in this context would allow for swift and straightforward data transfers from Malta to the UK as a third-country territory.