Although one cannot guarantee which of the current exit alternatives will materialize (our note: Britain accepting the deal agreed by Theresa May, described as “the only way” for Britain to leave the community bloc in an orderly manner; the worst-case scenario of a no-deal exit; or a long delay of the UK’s leaving date), what would a no-deal scenario mean in terms of consequences for your organization’s data protection obligations?
As long as UK businesses are selling goods and services to citizens of the other 27 EU member states and are actively collecting, processing and storing the personal data of those citizens, they will still be affected by the GDPR, even once the UK leaves the EU, because the Regulation states that “no matter what location your business is based in, if you are involved in the handling of the personal data of EU citizens, you need to abide by the laws governed by the GDPR directive.”
So what exactly should you look at in anticipation of a no-deal Brexit*?
– Review your data flows into the UK from the EEA and consider the GDPR safeguards you will need to put in place.
– Review your data flows from the UK so that you can document the new basis for these transfers under UK transfer rules.
– Review the privacy information and internal documentation that you hold to identify any details that will need updating.
– Make sure that key people in your organisation are aware of these issues and will apply them in the no-deal scenario.
We took a closer look at these items; our comments are summarized below:
I. Data flows & Data transfer safeguard instruments
In recognition of the unprecedented degree of alignment between the UK and EEA data protection regimes, UK businesses or organisations will continue to be able to send personal data from the UK to the EEA, and to third countries deemed adequate by the EU, at the point of exit.
There will be, however, a change to the way data is shared from the EEA to the UK.
A. Data transfers from the UK to the EU/EEA
All UK personal data will continue to be allowed to flow freely to all European Union (“EU”) and European Economic Area (“EEA”) states. UK businesses or organisations will need to ensure that they continue to be compliant with data protection law.
B. Data transfers from the EU/EEA to the UK
In the absence of an EU adequacy decision in favour of the UK, some form of safeguard will need to be put in place under the GDPR/UK Data Protection Act 2018 (“DPA”) to protect international transfers from the EU/EEA to the UK.
The EU Standard Contractual Clauses (“SCCs”)
Currently, the EDPB has acknowledged model clauses, or SCCs, for controller-to-controller and controller-to-processor transfers. An EU/EEA data exporter that is a controller of EU personal data should be able to safely rely on the SCCs when transferring EU personal data to a UK organization, whether that organization is a controller or a processor.
However, when acting as a processor (rather than a controller) of EU personal data, EU entities may not use the SCCs, as the European Commission has not produced approved processor-to-processor SCCs. A different mechanism will need to be used in this scenario.
Binding Corporate Rules (“BCRs”)
Binding corporate rules are internal rules for data transfers within multinational companies. They function like a code of conduct, allowing a multinational company to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection (as is the case with non-EU/EEA countries).
Binding corporate rules ensure that all data transfers within a corporate group are safe. Thus, EU personal data may be transferred freely to an organisation that has secured approval of its BCRs from the relevant data protection regulator(s). However, only a limited number of companies (around 50; the list is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en) have obtained such approval from EU data protection regulators.
EU Adequacy Decision
The European Commission has the power to determine, on the basis of Article 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection. If the European Commission were to issue a formal adequacy decision concluding that the UK data protection regime offers a level of protection “essentially equivalent” to that provided in the EU, EU personal data could flow freely between the EU/EEA and the UK. However, the European Commission has previously stated that an adequacy decision cannot be made until the UK exits the EU.
According to the UK Government’s stated intentions, the General Data Protection Regulation (GDPR) would be brought into UK law and the Information Commissioner would remain the UK’s independent supervisory authority on data protection. If this happens, there should be no significant concerns and an adequacy decision will likely be adopted, although the process will not be a quick one.
If none of the above can be used, then a number of derogations may potentially be relied on, subject to the various conditions and limitations provided in the GDPR, including:
– the data subject’s explicit consent;
– the transfer is necessary for the performance of a contract between the data subject and the controller;
– the transfer is necessary for important reasons of public interest;
– the transfer is necessary for the establishment, exercise or defence of legal claims;
– the transfer is necessary to protect the vital interests of the data subject; or
– it is a one-off restricted transfer and you have a compelling legitimate interest.
II. Appointing a Data Protection representative in the EU
If your organization is a controller or processor in the UK with no establishment in the EEA, and it offers goods or services to EU data subjects or monitors the behaviour of EU data subjects, then under Art. 27 GDPR you must appoint an EU representative as your point of contact for clients, customers and authorities on privacy matters.
– The EDPB has clarified that this EU representative cannot be a DPO or one of your processors.
– The EU representative’s contact details must be included in your privacy notice(s).
– The EU representative’s contact details must be notified to the national data protection authority.
Voicu Filipescu can act as a representative in the Union for organizations not established in the EU, in accordance with Art. 27 GDPR, and can provide representation services in data protection matters on the basis of a written power of attorney.
III. Updating the privacy notices
You should review and update your privacy information documents so that you understand your data flows and can flag any areas containing EU references that will need to change.
Our Data Protection & Privacy practice group will be ready and available should assistance be needed with any of the actions mentioned in this article. In that case, please contact our data protection team at Voicu Filipescu.