Implications on Data Protection law in the event of a no-deal Brexit
Such deal, also called the “Withdrawal Agreement” mainly encompasses the terms of the UK’s exit, and the accompanying “Political Declaration” contains provisions on the future relationship between the UK and the EU, were the result of eighteen (18) months of negotiations. The deal was approved by the British government and the leaders of the other 27 EU countries in November, and Brussels stated that it is the only route towards an orderly Brexit.
The effect of a Brexit deal would involve a transition or implementation period to run until the end of 2020 (subject to extension), during which many existing arrangements would stay in place and the UK would still have to conform to EU rules.
Data protection features in both the Withdrawal Agreement and the Political Declaration, reflecting the significance of the data protection rules to both the EU and the UK. Specifically, Title VII (Article 70-74) of the Withdrawal Agreement contains some specific provisions on data protection. These are also impacted by other provisions throughout the text of the agreement, including by Article 127, which importantly provides that Union law (i.e. the GDPR) will be applicable in the UK during the Transition Period. This means that personal data will continue to flow until the end of 2020 until a longer time solution can be put in place. After the end of the Transition Period, Article 71 of the Withdrawal Agreement specifically provides that, the UK has to continue applying EU data protection rules to this amount of personal data, until the EU has established, by way of an adequacy decision, that the personal data protection regime of the UK provides appropriate safeguards.
UK Parliament however has manifestly expressed its disapproval of such Brexit deal by voting against it twice, on the 15th of January and on the 12th of March 2019 respectively, intensifying discussions and preparations for a possible no – deal Brexit.
What effect would therefore this have on data protection law, what would the practical implications be on data flows from the EU to the UK, and how will businesses be affected in the event the UK exits the EU without a deal whereby the EU would consider the UK “a third country for all purposes” from 00:00 am CET on 30 March 2019?
The European Data Protection Board, has provided relevant guidance in the form of an Information Note as regards data transfers under the GDPR in the event of a no – deal Brexit. Additionally, the Information Commissioner’s Office (ICO) in the UK, has also provided guidance material to organisations and businesses based in the UK.
Unless a ratified Withdrawal Agreement establishes another date of withdrawal, or the European Council, in accordance with Article 50(3) of the Treaty on European Union and in agreement with the United Kingdom, unanimously decides that the Treaties cease to apply at a later date, all Union primary and secondary law will cease to apply to the United Kingdom from 30 March 2019, 00:00h (CET). The United Kingdom will as such be considered as a third country. To this effect, EU law will require additional measures to be put in place by UK companies when personal data is transferred from the European Economic Area (EEA) to the UK, in order to render them lawful.
The ultimate measure ensuring a level of protection essentially equivalent to that of the Union, is the adoption of an adequacy decision by the European Commission, pursuant to Article 45 of the GDPR. Businesses and organisations operating within countries with adequacy agreements enjoy uninterrupted flow of personal data with the EU (and Norway, Liechtenstein and Iceland i.e. the EEA) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data. Examples of countries for which an adequacy decision has been issued include countries such as Andorra, Argentina, Faroe Islands, Guernsey, Israel, New Zealand, Switzerland, Uruguay, Isle of Man, Jersey, Canada, and Japan.
However, an assessment of adequacy can only take place once the UK has left the EU and such assessments and negotiations may take at the very least several months. Until an adequacy decision is therefore reached, transfers of personal data from the EEA to the UK must be based on one of the following instruments as of 00:00 am CET on 30 March 2019, which are considered to be appropriate safeguards:
1. Standard Data Protection Clauses
The European Commission has already adopted three (3) sets of Standard Data Protection Clauses which are considered a ready-to-use instrument and which remain valid until they are replaced or amended by new versions matching the more prescriptive framework of the Regulation. Said Clauses comprise of the following:
(a) EEA controller to third country controller
(b) EEA controller to third country processor
Said Clauses may not be modified and must be signed as provided. They may be included however in the context of a wider contract, and additional clauses may be added provided these do not contract directly or indirectly with the Standard Data Protection Clauses.
In the event the Standard Data Protection Clauses are modified, they will be considered to constitute ad hoc contractual clauses which must be authorised first by the competent national supervisory authority following an opinion of the EDPB as appropriate safeguards for the particular situation.
This mechanism in its ad hoc form is likely to play an important role in the development of the contractual route for transfers with some technology companies already pioneering the idea of obtaining the approval of the competent national supervisory authority to draft their own data transfer agreements. The advantage of such approach evidently provides companies with greater flexibility in terms of the manner they contractually commit to personal data protection, permitting them to adopt more pragmatic contractual obligations that they are less likely to breach.
2. Binding Corporate Rules (BCRs)
These are personal data protection policies adhered to by a group of undertakings such as multinationals (controllers or processors), for the purposes of providing appropriate safeguards for transfers of personal data within such group as well as outside of the EEA.
Groups of undertakings which already have in place BCRs or which cooperate with processors that use BCRs that were authorised under the previous Directive 95/46/EC, can continue to rely on them as they remain valid until further notice. For those groups of undertakings which do not have BCRs in place, these must be approved by the competent national supervisory authority following an opinion of the EDPB.
3. Codes of Conduct and Certification Mechanisms
Pursuant to Article 40 of the GDPR, Codes of Conduct and Certification Mechanisms may offer appropriate safeguards for transfers of personal data provided they contain binding and enforceable commitments by the organisation (controller or processor) in the third country for the benefit of the individuals. Guidelines on the specific tool are expected to be issued by the EDPB in due course for the purposes of providing more clarification on the harmonised conditions and procedure concerned.
In the absence of an adequate level of protection or of appropriate safeguards, a transfer(s) of personal data may take place as provided by Article 49 of the GDPR subject to certain conditions. Such derogations include having obtained the explicit consent of the individual after having fully informed them about the risks related to the transfer, or where such transfer is necessary for contract performance, where the data transfer is necessary for important reasons of public interest or for the purposes of compelling legitimate interests of the organisation. Nevertheless, such derogations should be interpreted and applied restrictively as they constitute exceptions to the rule of having put in place appropriate safeguards. As such, derogations shall mainly relate to processing activities that are occasional and non-repetitive.
Apart from the derogations stipulated above and in accordance to Article 46 of the GDPR, there are certain mechanisms which are provided to public authorities to choose from in the context of transfers of personal data to the UK, depending on their applicability to their situation. Specifically public authorities may use legally binding and enforceable for the signatories instruments, such as an administrative agreement, a bilateral or a multilateral international agreement. Additionally they have the option of using administrative arrangements such as a Memorandum of Understanding which although not legally binding, must provide for enforceable and effective data subject rights. Such administrative arrangements are subject to the authorisation by the competent national supervisory authority following an opinion of the EDPB.
In terms of the current UK data protection standards, and in the event of no-deal Brexit, there would be no immediate change. The current Data Protection Act of 2018 which came into force in the UK at the same time as the GDPR took effect, has implemented and tailored certain provisions of the Regulation into national law. Upon the UK’s exit, the EU Withdrawal Act shall incorporate the GDPR into UK national law to sit alongside it. The UK Government intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK, since in its current form, numerous references to EU laws and institutions are made and the UK is considered to be an EU member. However, due to the existing degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.
In light therefore of the current uncertainties in the Brexit negotiations, companies urgently need to ensure they have the legal mechanisms in place to allow for continuing data flow that is necessary to support their international trade and business operations. Relevant guidance on the matter is provided both by the EDPB as well as the ICO whose websites should regularly be visited if concerned.
Article provided by: Alexandra Kokkinou (Lawyer, tassos papadopoulos & associates llc)