The European Commission has published a notice to stakeholders to address the “considerable uncertainties” in data protection issues arising from Brexit. The Commission confirms that once the UK has left the EU, the EU rules for the transfer of personal data from the EU to a ‘third country’ will apply to data transfers to the United Kingdom. This may have a significant impact on UK businesses.
EU rules only permit the transfer of personal data from an EU member state to a third country under specific conditions. The new General Data Protection Regulation 2016/679 (GDPR) will apply from 25 May 2018. Transfers of personal data that do not comply with the data export requirements of GDPR could lead to fines of up to EUR20 million or 4% of total annual worldwide turnover.
The Commission may decide to make an ‘adequacy decision’ in respect of the United Kingdom, if it considers that, as a third country, the United Kingdom offers a level of data protection that the Commission considers to be adequate. Such a decision would allow the transfer of personal information from the EU to the United Kingdom without the need for any further legal safeguards. This ‘business as usual’ scenario would be the best outcome for UK businesses.
However, in the absence of an adequacy decision, a transfer of personal data will only be permitted from the EU to a post-Brexit UK where the data controller or processor has provided ‘appropriate safeguards’ in respect of that transfer. Under the GDPR the following appropriate safeguards are available:
- The use of one of three sets of standard data protection clauses issued by the Commission (commonly known as the EU model clauses).
- Intra-group binding corporate rules addressing the protection of personal data that is transferred between business entities in the same corporate group.
- GDPR also provides for approved Codes of Conduct or certification mechanisms, together with binding and enforceable commitments of the controller or processor.
In addition, there are specific ‘derogations’ which allow for the transfer of personal data without authorisation or appropriate safeguards. These derogations are narrowly defined and limited to where:
- the data subject has explicitly consented to the transfer or it is in their vital interests
- the transfer is necessary for the performance of a contract
- it is for the exercise of legal claims or for reasons of public interest.
In its statement, the Commission reiterates a message it included in a notice published last year: preparing for Brexit “is not just a matter for EU and national authorities but also for private parties”. This announcement has wide application.
In the absence of the Commission making an adequacy decision in relation to the United Kingdom as a third country, any UK business with an EU interest will need to ensure that it can either rely on specific derogations or that it has appropriate safeguards in place prior to the transfer of personal data. This includes any UK business with an EU interest through a parent company, subsidiaries, joint ventures, customer or supplier relationships, or simply where it acts as a controller or processor of personal data being transferred from the EU.
In light of the “considerable uncertainties” and the substantial penalties for failure to comply with the requirements of the GDPR, it would be worthwhile for UK businesses with links to Europe to review their existing data protection policies and contracts in preparation for these developments.