European Data Protection Supervisor issues update on UK post-Brexit

The UK is currently scheduled to leave the European Union at 00.00am on 1 November 2019, when it will then become a third country for the purposes of data transfers and data protection. The European Data Protection Supervisor (EDPS) has issued updated guidance on international data transfers following the UK’s exit from the EU.

What if the UK signs the Withdrawal Agreement?

If the EU and UK sign the Withdrawal Agreement that is currently on the table, data transfers to and from the UK will not be affected on 1 November 2019, as the Agreement contains provisions for the continued application of EU data protection law, including the General Data Protection Regulation (GDPR), the law enforcement Directive (EU) 2016/680 and the ePrivacy Directive, until 31 December 2019. This period may be extended for a further two years until 2021.

What if the UK leaves without a deal?

If the UK leaves the EU without a deal, which appears to be the most likely outcome as time progresses, there will be repercussions for data protection as EU data protection law will no longer apply in the UK. Consequently, personal data transfers to the UK will be subject to specific conditions that European Union institutions, bodies and offices (EUIs) must comply with. Although most EUIs will already be familiar with these provisions, as they will already be transferring data outwith the EEA, it is something that all EUIs must be aware of. The options available to EUIs when the UK becomes a third country are outlined below.

International Data Transfer Requirements

If the UK leaves with no deal, the flow of personal data from the EUIs to the UK will then be subject to international data transfer requirements, as set out in EU Regulation 2018/1725 (protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data) (“the Regulation”). The Regulation provides that data transfers to a third country, which the UK will be in the event of a no-deal Brexit, must meet the level of protection set out within the Regulation. This level of protection must be maintained when the data is transferred from the UK to another third country. The Regulation provides for a series of mechanisms and it is up to data controllers and processors to ascertain which option is the most appropriate for the circumstances. Some of the options available are outlined below.

Adequacy Decision

The European Commission can issue an adequacy decision, meaning that the Commission recognises the UK, as a third country, has an appropriate level of protection for personal data, thereby allowing the data to transfer to the UK as if it was being transferred within the EU. However, an adequacy decision based on the UK’s legal framework will not be issued before the UK leaves the EU as negotiations will be necessary, meaning that other transfer mechanisms must be considered in the meantime.

Appropriate Safeguards

Article 48 of the Regulation lists all appropriate safeguards for data transfer mechanisms. All of the safeguards “must provide for enforceable and effective data subjects’ rights.”

EUIs, as public authorities, could use a legally binding and enforceable agreement to implement data transfer mechanisms that meet the Regulation’s requirements. The EUIs may also use an administrative document such as a Memorandum of Understanding which could provide for effective data subjects’ rights. However, administrative agreements are not legally binding and would require prior approval by the European Data Protection Supervisor.

If the EUIs are interacting with private companies, standard data protection clauses, as adopted by the European Commission, may be implemented by the parties. The clauses would offer additional safeguards that are required if data is to be transferred to the UK. The clauses cannot be amended.

Binding Corporate Rules are another option that can provide appropriate safeguards for personal data transfers. The Rules are followed by a group of companies to ensure there are adequate personal data protection mechanisms in place when data is transferred within the companies, including transfers outside of the EU. New Binding Corporate Rules must now be approved by a national supervisory authority, prior to any personal data transfers taking place.

If the processor is not an EUI, certification mechanisms and codes of conduct may be used, as provided for by GDPR, to ensure the data transfer has the required safeguards. The codes of conduct and certification mechanisms are new following the introduction of GDPR, and guidelines should be released shortly to assist companies in utilising the tools.

Derogations

If there is no adequacy decision, the EUIs should put in place the adequate safeguards mentioned above. However, there are derogations for data transfers that do not require prior approval from the EDPS. The derogations are mentioned in Article 50(1) of the Regulation and include data transfers where:

  • the individual has provided explicit consent to the proposed transfer after being informed about the potential risks associated with the data transfer;
  • it is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures;
  • it is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • it is necessary for important reasons of public interest;
  • it is necessary for the establishment, exercise or defence of legal claims;
  • it is necessary for the protection of the vital interests of the data subject or of other persons and the data subject is physically or legally incapable of giving consent; or
  • the transfer is made from a public register.

The derogations are interpreted strictly and are usually applied to occasional processing.

How can EUIs prepare?

EUIs can take the following steps to ensure they are better prepared for Brexit in relation to their processing of personal data:

  • map the institution’s processing activities and create a Record of Processing Activity, to show what data the institution holds and where it is held;
  • ascertain what data transfer mechanism is the most appropriate;
  • implement the mechanism before 1 November 2019;
  • update internal policies and documentation in relation to data protection; and
  • update the institution’s privacy notice.

If you would like advice and assistance, please contact a member of our Data Protection & Cyber Security Team.