[First of November] 2019: (Br)exit data protection law?
On [November first] 2019, the divorce between the United Kingdom and Europe should be officially pronounced. There are many legal implications on several points. As a result, European regulations, including the GDPR, will no longer apply to the UK. Nevertheless, the UK supervisory authority encourages UK companies to continue to comply with the GDPR. The Data Protection Act 2018 will take over the principles, rights and obligations enshrined in the European regulation.
But from the point of view of a European company making data transfers to the UK, what will be the impact of Brexit? Article 45 of the GDPR provides that data transfers to third countries may take place when the Commission finds, by decision, that the third country offers an adequate level of protection. However, at present, the Commission has not yet taken any adequacy decision regarding the United Kingdom.
A “no deal” Brexit seems increasingly likely. So how should European companies prepare? The European Data Protection Board (EDPB) provides further explanations in an information note of 12 February 2019.
What are the available data transfer instruments?
From [April 13th], the United Kingdom will be qualified as a “third country” with regard to the GDPR. Transfers of data from Europe to the UK will therefore have to comply with the provisions on data transfers to third countries. Here is a short tour of the various safeguards provided by the GDPR.
Standard and ad hoc Data Protection Clauses
Data transfers may be regulated by standard data protection clauses. These clauses may be adopted by the Commission, by the supervisory authority or by the contracting parties (provided that they are authorized by the supervisory authority).
The Commission has adopted two decisions, each with standard contractual clauses for data transfers annexed:
- Commission decision 2001/497 of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (data controller)
- Commission decision 2010/87 of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC (data processor)
To benefit from these clauses, you must sign them as they are, without modification. Nevertheless, it is possible to include them in larger contracts containing other clauses.
If the standard clauses are modified, they must be considered “ad hoc” contractual clauses. Such clauses are permissible, but they must be authorized by the national supervisory authority.
It is worth noting that the Commission's standard clauses have not been updated since the entry into force of the GDPR. Therefore, in the first instance, it would be more judicious to base your transfers on another instrument. We would nevertheless mention that, for those who still prefer contractual clauses, the UK supervisory authority (ICO) has set up an interactive tool.
Binding Corporate Rules
Data transfers within the same group of companies may also be based on binding corporate rules. These are a kind of personal data protection policy that groups of companies adopt in order to secure data transfers within the group, including outside the EEA.
For those who already use such rules on the basis of Directive 95/46/EC, they will remain valid on 30 March. Conversely, if such rules are put in place after that date, they must first be approved by the national supervisory authority.
Codes of conduct and certification mechanisms
Data transfers can also be based on codes of conduct or certification mechanisms. This is a novelty introduced by the GDPR. The main advantage of a code of conduct is that it takes into account the technical specificities of a given sector.
Both instruments should be deemed to offer sufficient guarantees if they contain binding commitments.
Sometimes, data transfers to the United Kingdom occur only on an occasional and non-repetitive basis. For these cases, Article 49 of the GDPR provides a “derogations” mechanism. The transfer may, inter alia, take place:
- if the individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer;
- when the transfer is necessary for the performance or the conclusion of a contract between the individual and the controller or the contract is concluded in the interest of the individual;
- if the transfer is necessary for important reasons of public interest.
What about transfers by public authorities or bodies?
Where public authorities or public bodies carry out data transfers with public authorities or public bodies from third countries, transfers must be based on one of two types of instruments. On the one hand, you can base them on an administrative agreement, a bilateral international agreement or a multilateral international agreement. On the other hand, you can base them on an administrative arrangement (for example, a memorandum of understanding).
As administrative arrangements are not legally binding, they must be subject to prior authorization by the competent supervisory authority.
Public bodies may also avail themselves of the exemptions mentioned above.
At present, the EDPS advises companies transferring data to the UK to:
- identify which processing activities involve data transfers to the UK;
- determine the appropriate data transfer instrument;
- implement the chosen instrument by [April 13th];
- indicate in your internal documentation that transfers to the UK will be made;
- update your data protection policy to inform the data subjects.
By Eléonore Colson