On 9 January 2018, the EU Commission issued a notice stating that following Brexit, the United Kingdom will become a ‘third country’ for the purposes of EU data protection laws. Absent any change in the position before March 2019, this means that organisations based in the European Economic Area (EEA) that have become accustomed to moving personal data freely back and forth to the United Kingdom will have to implement changes to their processes to ensure that they do not contravene EU law by doing so.
The ability to transfer personal data to ‘third countries’
Under both the current EU data protection regime and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), which comes into force on 25 May 2018, there is no restriction on the transfer of personal data between organisations within the EEA.
However, transfers of personal data to organisations located in ‘third countries’ (i.e. countries outside of the EEA) are generally prohibited unless: (i) the country in which the recipient is located is the subject of an EU Commission adequacy decision; (ii) in the case of US recipients, the recipient is certified under the EU-US Privacy Shield; (iii) appropriate safeguards have been put in place; or (iv) another derogation or exemption applies. The United Kingdom will be hoping for an adequacy decision, but if that cannot be achieved, the other methods to transfer personal data legally will have to be explored.
Under both the current EU regime and the GDPR, transfers of personal data to an organisation within a ‘third country’ may take place freely if the EU Commission has decided that the country ensures an adequate level of protection. Transfers of personal data pursuant to such an adequacy decision are essentially treated the same as transfers of personal data to an organisation within the EEA. The United Kingdom is working towards an adequacy decision by enshrining the terms of the GDPR in domestic law in the form of the Data Protection Bill. The aim of the UK government is to ensure that post-Brexit, UK data protection law mirrors EU law as far as possible, which would make an adequacy decision much more likely.
EU-US Privacy Shield
If a US organisation is certified under the EU-US Privacy Shield, transfers of personal data to such an organisation may take place freely as if the organisation were located in the EEA. Under the Privacy Shield, organisations certify that they will comply with a robust set of data protection rules and safeguards.
If an adequacy decision cannot be achieved for the United Kingdom, it is possible that a similar EU-UK Privacy Shield arrangement could be reached to facilitate the free transfer of personal data; of course, this would need to be negotiated at a governmental level.
Where the ‘third country’ is neither the subject of an adequacy decision nor the recipient organisation certified under the EU-US Privacy Shield, transfers of personal data may still be allowed to take place provided appropriate safeguards have been put in place.
Appropriate safeguards may be provided in a number of ways, including by:
- A legally binding agreement between public authorities or bodies;
- Binding corporate rules (a set of legally enforceable rules that authorise the transfer of personal data to ‘third country’ organisations within a group of companies);
- Standard data protection clauses approved by the European Commission;
- Standard data protection clauses adopted by a supervisory authority and approved by the European Commission;
- An approved code of conduct or certification mechanism, together with binding and enforceable commitments of the recipient to apply the appropriate safeguards, including as regards data subjects’ rights; and
- Contractual clauses agreed between the transferor and recipient that are authorised by the competent supervising authority.
In the absence of an adequacy decision or appropriate safeguard, personal data may only be transferred to a ‘third country’ organisation if a derogation applies. Derogations include:
- The data subject has explicitly consented to the proposed transfer;
- The transfer is necessary:
  - for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
  - for the conclusion or performance of a contract concluded between the controller and a third party in the interests of the data subject;
  - for important reasons of public interest;
  - for the establishment, exercise or defence of legal claims;
  - to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent.
The EU Commission’s notice
Whilst the EU Commission’s notice makes no comment on the possibility of the United Kingdom obtaining an adequacy decision, the notice does make clear that EU organisations will have other mechanisms to rely on in order to maintain the flow of data between them and organisations located in the United Kingdom following Brexit. The notice also highlights that the GDPR will simplify the use of these other mechanisms by “cutting red tape”.
Whilst the UK government hopes to obtain an adequacy decision (and the previous UK Minister of State for Digital, Matt Hancock, appeared confident that this will happen), given the current uncertainty surrounding most aspects of the Brexit negotiations, nothing can be taken for granted. As we set out above, there are mechanisms that organisations will be able to use to transfer personal data between the EEA and the United Kingdom post-Brexit, but those organisations would be well advised to start thinking now about what measures and procedures might need to be put in place to ensure smooth continuance of operations on 30 March 2019.