Countdown to Brexit: 41 days – Businesses not prepared for new data security and transfer requirements from 29 March are at risk

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018.  Companies spent a lot of time and effort preparing for GDPR – and consumers across Europe are safer for it.

Not all companies got it right – Google became one of its most notable victims.

The rules imposed by GDPR apply to all citizens of the 28 EU nations together with the wider European Economic Area (EEA) member states – Norway, Iceland and Liechtenstein.

Member States are required to introduce changes to their national laws in accordance with the GDPR - altering their existing national legislation in order to avoid conflict with the new supra-European legislation.

GDPR does not apply only to the citizens of any one EU member state – it applies to the data of all EU citizens, anywhere in the world.

Given the uniform set of regulations, multinational businesses can transfer data between EU and EEA freely – and citizens can be assured that their data is secure.  They cannot transfer or share data outside of the EU and EEA to 'third countries' – unless that 'third country' has been deemed to have adequate data protection laws in place.

At 23:00 GMT on 29 March 2019, the UK becomes a ‘third country’.

The UK Government has issued a Technical Notice on the subject of data.  It sets out the actions that UK organisations should take to enable the continued flow of personal data between the UK and the EU in the event of a no-deal Brexit.

Before 29 March 2019: the rules governing the collection and use of personal data are set at an EU-level by the GDPR.  In the UK, the Data Protection Act 2018 and the GDPR provide a comprehensive data protection framework.  Other EU and EEA countries have their own supplementary legislation.

After March 2019: in a no-deal Brexit – with no agreement in place regarding future arrangements for data protection – there would be no immediate change in the UK’s own data protection standards, as the Data Protection Act 2018 would remain in place.

However, the legal framework governing transfers of personal data from organisations established in the EU to organisations established in the UK – including subsidiaries – will change.

Action is needed to ensure EU organisations are able to continue to send personal data to the UK.

UK organisations can – according to the latest UK Government Technical Notice – “continue to be able to send personal data from the UK to the EU.”  The UK Government will “keep this under review.”

The EU mechanism to allow the free flow of personal data to countries outside the EU – ‘third countries’ – is called ‘adequacy’.  The European Commission has said that if it “deems the UK’s level of personal data protection essentially equivalent to that of the EU” - it would make an ‘adequacy decision’ - allowing the transfer of personal data to the UK without restrictions.

Note that the European Commission has not yet indicated a timetable for this – and has stated that the decision on adequacy cannot be taken until the UK becomes a ‘third country’.

If the European Commission does not make an adequacy decision regarding the UK on 29 March - the point of exit – and your business needs to receive personal data from organisations established in the EU (including data centres) – ensure your EU partners have identified a legal basis for those transfers.

For the majority of organisations, the most relevant alternative legal basis would be ‘standard contractual clauses’.  These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract.  The clauses contain contractual obligations on you and your EU partner - and rights for the individuals whose personal data is transferred.

With less than 6 weeks to go and no deal in place, Brexit Partners advise all organisations to trigger ‘no-deal Brexit contingency plans’ – and put in place the actions needed to ensure continued free flow of data with EU partners.

The UK Government has stated that it is “committed to the highest standards of data protection and all organisations should continue to comply with their broader obligations under data protection law, including the GDPR (as incorporated into UK law).”

The ‘Information Commissioner’ will remain the UK’s independent supervisory authority on data protection and the UK will continue to aim for close cooperation and joined up enforcement action between the Commissioner’s office and EU data protection authorities.

The Technical Notice highlights a key issue – the uncertainty over the time period after Brexit on 29 March. The UK will be a ‘third country’ – and data cannot be transferred from an EU or EEA state until such time as the European Commission pronounces on ‘adequacy’.

It ignores the fact that the UK will not be subject to the jurisdiction and decisions of either the European Court of Justice or the European Board of Data Protection.  The UK Information Commissioner's Office will no longer participate in the European Data Protection Board, losing influence on interpretations of law and decisions within the EU.

There is nothing in either the UK Government Technical Notice or its European Commission equivalent that indicates any get-out clause for any organisation.  Organisations – especially those that need to hold or transfer data for operational or contractual reasons – should check and prepare to manage personal data of EU, EEA or UK citizens going forward for an unspecified interregnum.

Despite pleas from the UK Government, the European Commission’s position is that it cannot and will not begin the process of assessing and declaring adequacy until the UK has left the EU and has become a ‘third country’. 

Article 45 of GDPR sets out what the Commission should take into account when considering whether to grant adequacy.

Whilst there will be no immediate change in the UK’s own data protection standards – the Data Protection Act 2018 remains in place and the EU Withdrawal Act will incorporate the GDPR into UK law – there are concerns that the Commission will take a more detailed look at the UK’s crime and national security legislation during its assessment – and in particular the Investigatory Powers Act 2016.  This has been criticised by the European Court of Human Rights for giving too much power to security and intelligence services – which it believes could violate individual privacy.

Japan is seeking an ‘adequacy decision’ from the European Data Protection Board.  It has a different data protection regime – and has had to agree to add to its national law in order to get adequacy.  The process for reaching an adequacy decision could last for several months – or even years – with no absolute guarantee it will be granted in the end.

Regarding the scope of Brexit on data: organisations that are based outside the EU but that offer goods and services to EU citizens – or monitor the behaviour of EU citizens – fall under the scope of GDPR Article 27.  This includes the requirement for such organisations to nominate a representative in one of the EU member states.  Article 27 will apply to UK-based organisations.

Finally, for organisations presently relying on the “EU-US Privacy Shield”: the UK exits this arrangement at the moment of Brexit – and all data procedures need to be re-visited and re-aligned.


We are grateful to Pal Belenyesi for corrections to the body text and for bringing to our attention the recent EDPB publication “Notes on Brexit, data flow and binding corporate rules” that was adopted on 12 February 2019 - link included in references, below.


Data protection if there’s no Brexit deal

John Shuttleworth