GDPR & Brexit: Is there a need for an adequacy decision?
What are the consequences of Brexit in relation to data transfers?
Brexit potentially affects all personal data exchanges between the EEA and the UK. This has also been stipulated by the European Commission consumer directorate in a Notice to Stakeholders issued on 9 January 2018. In this notice the European Commission advised stakeholders that cross-border data flows between the EU and the UK will not automatically have adequate safeguards anymore. What does this mean for the GDPR?
By Pieter Lamens (Deloitte NL) & Evelyn Caesar (Deloitte UK)
Countdown has started
The General Data Protection Regulation (GDPR) will come into effect on the 25th May 2018, updating the European privacy landscape. One of the major GDPR topics is the international transfer of personal data. It is relatively simple to transfer personal data outside the EEA (European Economic Area) to “adequate” third countries; these transfers are permitted and legal under GDPR and do not require prior approval from a Supervisory Authority. But only a handful of countries outside the EU have been deemed “adequate” by the EU. Previously in our GDPR article series our colleagues further elaborated on how international data transfers will be impacted by the GDPR.
While the UK is currently part of the EU, it is considered adequate and data can be freely transferred in both directions (between the UK and other EEA Member States). Due to Brexit, the UK may soon be considered non-adequate, i.e. a ‘third country’ (by 23:00 UK time on 29 March 2019, unless a withdrawal agreement between the EU and the UK establishes another date). This will impact transfers of personal data between the UK and the remaining EEA Member States; as the UK will be subject to Article 45 of the GDPR, data transfers will only be permissible if the UK, as a country outside the EEA, complies with one of the following:
- Transfers will be permissible if the UK is approved by the European Commission to hold an adequate level of data protection and formally accepted as an ‘adequate’ third country (discussed below);
- Transfers can be made if the UK makes use of model contractual clauses (approved by the European Commission and/or the relevant Supervisory Authority);
- Transfers can be made if the UK makes use of ad-hoc contractual clauses (approved by the relevant Supervisory Authority);
- Transfers may be made on the basis of approved codes of conduct/approved certification mechanisms; or
- Supervisory Authority agreed binding corporate rules (BCRs) may be used to transfer data to/from the UK, when dealing with transfers between organisations within a corporate group.
Is everyone on track? Is the UK on track?
Regarding the implementation of GDPR at Member State level, the EU Justice Commissioner Vera Jourova recently said that member states are lagging behind, and in particular have not yet amended their local legislation; thus far only Austria and Germany have implemented local laws incorporating GDPR. This might cause some application issues for the overall functioning of GDPR across Europe.
The UK has produced draft legislation to revise the Data Protection Act (1998) in line with GDPR. The Data Protection Bill (2017) is currently going through the process within the UK Parliament to be legislated as an Act. This may assist the UK with an adequacy decision, as it demonstrates to a degree that the UK is on par with the GDPR.
What about Brexit?
In this blog we will elaborate on the UK’s situation, and in particular how it can become an adequate country. If an adequacy decision is not established, the other main options are:
- Governmental level: to have a bilateral agreement similar to the EU-US Privacy Shield in place
- For organisations to implement standard contract clauses (model clauses) or binding corporate rules for intragroup data transfers
These two options require substantial additional effort; especially the second option which would add complexity and costs to data transfers for organisations. In this blog we will only focus on the adequacy decision.
When the UK becomes a ‘third country’ after Brexit, for purposes of legal certainty and as the strongest guarantee of the free flow of personal data, an adequacy decision may be considered the preferred approach.
If the European Commission adopts an adequacy decision in respect of the UK, this would ensure an all-encompassing and clear agreement permitting transfers of personal data from the EU to the UK. The European Commission has already adopted an adequacy decision for several countries under the 1995 Directive, and adequacy talks are ongoing with Japan and South Korea. Keep in mind that the adequacy decision procedure can only be initiated officially once the UK becomes a third country, that the procedure takes 28 months on average, and that an adequacy decision can be revoked at any time.
The adoption of an adequacy decision involves a proposal from the European Commission, an opinion of the European Data Protection Board, an approval from representatives of EU countries and the adoption of the decision by the European Commissioners.
Will the UK have an adequate level of data protection?
In general the Commission assesses whether a country outside the EU offers an adequate level of data protection. The UK’s domestic law (general and sectoral), its international commitments, and the existence and functioning of the Supervisory Authority (the Information Commissioner’s Office, ICO) will all be scrutinized.
The UK government’s view is that an ‘adequacy decision’ should be easy to achieve as the GDPR is being brought into UK local law and the UK has a longstanding tradition of protecting personal data as a former EU Member State. According to the government the UK’s data protection framework will be fully aligned with the GDPR at the date of withdrawal from the EU. However there are some challenges:
- The main potential problem is the UK’s Investigatory Powers Act 2016, which allows for broad interception, interference and communications acquisition powers so as to limit the rights of individuals; essentially this Act may contravene the human rights element which the GDPR is fundamentally based upon and may be unfairly detrimental to the freedoms of individuals
- Also the UK has said it will not incorporate the Charter of Fundamental Rights of the EU. Articles 7 and 8 of this Charter constitute fundamental privacy rights and data protection rights and are the basis for the GDPR
Role of the ICO
The role of the ICO regarding regulatory cooperation between the UK and the EU will be of high importance. The UK government wants to ensure the ICO stays involved in future EU regulatory dialogue to allow the ICO to continue to share its resources and expertise. It also aims to retain the ICO seat on the European Data Protection Board (the replacement of the WP29 following the 25th May 2018). On a more positive note, the ICO currently already plays an active and progressive role in the field of EU Data Protection Authorities.
Is GDPR still relevant for UK businesses after Brexit? The answer is easy: Yes. GDPR is relevant.
- The UK will still be a member of the European Union at the point when GDPR comes into force and this means that until Brexit, the UK will be subject to GDPR in its entirety.
- If the UK were to negotiate to join the European Economic Area (EEA), GDPR would continue to apply post-Brexit. This ‘Norway model’ involves the implementation of EU laws in order to gain access to the EU market and would mean that the UK would remain bound to implement, amongst others, the GDPR (and e-Privacy Directive). However, it should be noted that the UK government’s stated objectives for Brexit do not include EEA membership.
- If the UK does not join the EEA, GDPR will in any event continue to apply to all UK entities that do business in the EU. If a UK business wants to conduct business with EU organisations it is likely to be required by GDPR and EU trading partners to have implemented appropriate data protection safeguards that protect the interests of individuals as well as GDPR standards do.
- As mentioned above, the UK is working on the implementation of a new Data Protection Act. The UK’s Department for Digital, Culture Media & Sport emphasized that an unhindered flow of (personal) data is essential to the UK forging its own path as an ambitious trading partner. That is why the UK government will be seeking to ensure that data flows between the UK and the EU remain uninterrupted after the UK's exit from the EU. In practice this will mean that the new UK Data Protection Act aims to assist with the full implementation of GDPR.
What do you need to do?
- UK-based firms should review their existing information security and data protection frameworks to ensure they are geared up for the new sharpened local and European data protection regulatory landscape.
- UK-based firms should think about their EU-UK data transfers pragmatically and document them sufficiently, in case the UK is deemed inadequate.
- It is also advisable for firms to review their contracts, as some contracts (particularly business to business) include a ‘no transferring data outside of the EU’ clause; further to this, privacy notices need to also be assessed and updated where necessary, to ensure they are transparent in informing the data subject that their personal data will be passed out of the EU.
- International organisations, especially UK organisations with an EU presence, need to assess whether their current data transfer practices will continue to be justified under the GDPR considering the Brexit implications. To support stakeholders the European Commission launched a dedicated webpage for businesses and citizens and is offering financial support to Member States to develop training materials and projects that support data protection authorities’ work with businesses.
Overall, organisations must prepare for Brexit. When it comes to privacy and data protection, organisations should map their personal data flows, review contracts and data protection policies and put in position the appropriate mechanism for transfers of personal data to/from the UK.
Stay tuned for our upcoming blogs where we zoom in on the specifics of the GDPR that affect Consumer and Industrial Products.
For more information about GDPR, please contact Annika Sponselee or Nicole Vreeman via the contact details below.