Organisations are having to take a number of measures to ensure that they are prepared to deal with the fallout from Brexit. One of these includes reviewing the impact that Brexit will have on the processing of personal data and the steps which an organisation will need to put in place to address that impact.
This briefing is the first of two in which we explore some of the implications of Brexit for UK businesses and their use of personal data, namely:
- how transfers of personal data between the UK and the EU will be regulated post Brexit;
- that UK businesses operating within the EU will need to adjust to having a new regulator; and
- that UK businesses dealing with EU citizens and their personal data will need to appoint a representative in the EU.
In this briefing we focus on data flows, and look at whether organisations will have to put additional measures in place in respect of their data flows from the UK to the EEA, and vice versa, once the UK becomes a third country.
But before we do, we turn our attention briefly to the question that we know has been on your minds since the very first suggestion that we might be heading for a European exit.
Will the UK's data protection standard change?
Not really. At least not for the moment, and the UK Government has not given any indication as yet that it might do anything other than maintain the status quo. The EU Withdrawal Act will incorporate the General Data Protection Regulation 2016/679 (GDPR) into UK law and the Data Protection Act 2018 will continue to sit alongside it, so, reassuringly, the time and money that businesses have invested in becoming GDPR compliant will not be wasted. The Government has also proposed additional legislation to take effect on exit day, which will "anglicise" certain aspects of the GDPR so that it makes sense when applied as part of UK domestic law.
However, although on the face of it the legal backdrop will not materially change, difficulties arise from the UK's imminent change of status when it ceases to be a Member State and becomes a third country, in particular in relation to continued data flows.
What is the problem with data flows?
The GDPR allows for unrestricted personal data flows between EU and EEA member states, the theory being that personal data can be considered to be in 'safe' hands in those states which have adopted the GDPR. However, problems potentially arise with third countries outside the club, as they might not have equivalent standards to ensure the continued safety of personal data leaving the EEA for such destinations. The GDPR treats transfers to such destinations as restricted transfers and requires organisations to transfer personal data only using a GDPR compliant safeguarding mechanism. One of these mechanisms is that the destination country has had an adequacy decision made in its favour by the European Commission (essentially, confirmation by the EU that it considers that country to be a safe destination for personal data caught by the GDPR); other mechanisms include EU approved standard contractual clauses, known as 'model clauses', which oblige the recipient in the destination country to sign up to contractual obligations to keep any data it receives safe; and there are other derogations which we refer to briefly later on in this briefing.
So, the big question is, what will happen to data flows as between the UK and the EEA?
UK data flows to the EEA
Current proposals are that transfers of personal data from the UK to the EEA will continue to be permitted, without the need for organisations to put additional measures in place. In theory, this should mean that no further action is necessary in order to send personal data to EEA-based third parties. As a matter of good practice however, it will be worth keeping an eye on any changes to the domestic laws of relevant Member States in the event that new laws create further hoops for the UK to jump through in the future.
UK data flows to other third countries (outside the EEA)
The European Commission has adopted adequacy decisions with respect to a number of third countries (at the time of writing, 12 countries including Canada and Japan), and agreed the Privacy Shield mechanism for those organisations in the United States that wish to sign up and commit to it. Proposed draft legislation, which will come into effect on B(rexit)-Day, states that the UK will continue to recognise these adequacy decisions when it comes to transferring UK personal data to recipients based in those countries. Data transfers from the UK to the US which rely on the Privacy Shield mechanism can also continue, provided that the relevant Privacy Shield participant has updated its commitments to state specifically that they extend to personal data received from the UK in reliance on the Privacy Shield, and that its privacy policies include similar wording.
The same draft legislation states that EU model clauses will continue to be recognised as a valid safeguarding mechanism (where appropriate) under which organisations in the UK can transfer personal data. Similarly, existing model clause contracts which are in place to govern the export of data out of the UK will continue to be recognised.
So far so good.
EEA data flows to the UK
However, transfers of personal data within GDPR scope from the EEA into the UK are, unfortunately, not quite as simple. Unless this is addressed in any Brexit deal that is struck, or the EU adopts an adequacy decision in respect of the UK in time (see below for our thoughts on this), then when the UK leaves the EU and becomes a third country, organisations transferring personal data from the EEA to the UK will need to do so using a GDPR compliant safeguarding mechanism, in the same way as they do for any other third country.
What can businesses do?
EU model clauses are, for now, the obvious answer for many businesses based in the EEA seeking to transfer personal data to the UK, though this will create an extra layer of administration which will not be appreciated. In addition, the validity of the model clauses as a safeguarding mechanism is currently being examined by the CJEU (at the time of writing, a decision is widely expected early in the new year) as part of Max Schrems' ongoing efforts against Facebook. However, for now, they are the most practical and widely available solution for businesses which rely on the inflow of data from the EEA; in any case, if there is a transition period before the UK exits, this will buy extra time for organisations to wait and see the outcome of the CJEU litigation.
Are there any other options?
It may be possible for businesses to rely on the derogations set out in the GDPR for specific situations, which allow for the transfer of data from the EEA to a third country in the absence of an adequacy decision, model clauses or binding corporate rules (a complex mechanism which could provide a solution for some corporate groups but would need a longer period to implement before B(rexit)-Day). Examples include explicit consent, contractual necessity and cases relating to legal claims. However, the derogations were intended to be of limited use: they are only permitted in specific situations and only if certain conditions are satisfied. For example, not only will explicit consent need to be GDPR compliant, but the information made known to the data subject must include the possible risks of the transfer.
Moreover, many of the derogations under Article 49 GDPR, including the contractual necessity and legal claim derogations, can only be used occasionally and when necessary (the guidance refers to "a close and substantial connection between the data transfer and the purposes of the contract"). This means that in practice, whilst the derogations could be useful for occasional transfers in particular circumstances, they are unlikely to be an effective solution in the long term.
Will the EU pass an adequacy decision in respect of the UK?
It had been hoped that a deal would be done on this, particularly given that the GDPR is in place in the UK and will remain so, to save many businesses the extra administrative burden which comes with losing the ability for personal data to move freely from the EEA to the UK. However, the EU does not seem to be in a hurry on this, appearing to take the view that the existing safeguarding mechanisms provided in the GDPR are a good enough interim solution. It is also worth bearing in mind that:
- the Commission can only make an adequacy decision in relation to a third country, but the UK will not become one until the day it leaves the EU;
- adequacy decisions have historically not been particularly forthcoming. Adopting an adequacy decision involves a multi-stage procedure including obtaining the approval of the remainder of the EU, which is likely to be time consuming. Depending on the manner of the UK's exit, it is also possible that Member States may be reluctant to agree to this solution, which would further prolong the process;
- adequacy decisions are not indefinite. They are subject to ongoing review and are therefore capable of being suspended or withdrawn at any time, which would bring UK businesses back to square one regarding their ability to receive personal data from the EEA.
Clearly there are a number of factors to consider when evaluating your future ability to transfer personal data from the EEA into the UK. Whilst many of us will be keeping our fingers crossed for a speedy adequacy decision, it would be prudent to take the following steps now.
1. Organisations should analyse their data flows from the EEA into the UK (together with any onward transfers of such data to other third countries) and the current legal basis, to identify those flows which are most at risk post Brexit. They should also review their existing contracts for clauses with absolute prohibitions on transferring personal data outside the EEA.
2. The most sensible option to ensure you are able to continue receiving data from the EEA seems to be the implementation of model clauses, though, for the reasons outlined above, it may be wise to wait before formally putting these in place if time allows, particularly as adopting model clauses is a relatively quick and easy process. The key is to invest time sooner rather than later to:
- pinpoint your material data transfers;
- work out the data flows;
- identify with whom you might need model clauses to govern the transfer.
3. Once you have undertaken the analysis above, the implementation of the model clauses can be postponed until there is more certainty regarding their validity.