International Data Transfers Post-Brexit - Latest Guidance
With a new prime minister stepping into negotiations and UK MPs on holiday until 3 September, the Brexit situation remains starkly unclear. Guidance has been issued by the European Data Protection Supervisor (EDPS) for UK private companies transferring or receiving personal data internationally, and for EU companies transferring data to or receiving data from UK companies after Brexit. Here, we explore the mechanisms available for international data transfers after Brexit, deal or no-deal!
(Temporary) Certainty Provided by the Withdrawal Agreement
An array of EU institutions interact with UK private companies, for example when outsourcing mission trip management, IT services and training. The UK currently enjoys the benefits of being a member state covered by the General Data Protection Regulation (Reg (EU) 2016/679) (GDPR), which means that companies can freely transfer data between companies in the European Economic Area (EEA) as and when they please, so long as they afford the data the required protections.
The much-debated Withdrawal Agreement which was negotiated at the end of 2018 set out that data protection laws (including the GDPR) would apply until 30 December 2020 to allow for a transition period, which could also be extended by up to two years if necessary. This would mean that companies could continue to transfer data between the UK and the EU until 2020 when hopefully something more definitive would be in place.
However, in the case of a no-deal Brexit, which seems increasingly likely with the new prime minister promising to deliver Brexit “do or die”, the situation is extremely unpredictable. If the UK “crashes out” of the EU, EU primary and secondary law, which includes all data protection laws, will no longer apply, and personal data transfers to the UK will be subject to new conditions.
Some EU bodies that already transfer data outside of the European Economic Area may already be familiar with some of the alternative measures it is suggested they will need to take.
In the case of a no-deal Brexit, the UK will cease to be a member of the EU (the date currently set for this is 1 November 2019). This will mean that it is treated as a third country, like any other country that is not a member of the EU, and the rules found in Chapter V of the Data Protection Regulation (Regulation (EU) 2018/1725) (DPR) will apply to it. Chapter V sets out that if data is to be transferred to a third country, the transfer must not undermine the level of protection already guaranteed by the EU, and for this it offers several mechanisms to ensure data is kept safe.
The European Commission can declare that a third country offers an adequate level of protection for personal data, which in effect means it is treated as a member of the EU for data transfer purposes. Data could then flow to and from the UK as if it were within the EEA.
Standard Data Protection Clauses
Three sets of standard data protection clauses (SCCs) are currently available. These SCCs offer the appropriate safeguards for data protection which are needed when transferring data to a third country. They cannot be modified, but they can be included as part of a larger contract, so long as the contract does not contradict the SCCs. Currently, there are two options for EU controller to third country controller contracts (available here and here), and one option for EU controller to third country processor contracts (available here).
Binding Corporate Rules
Multinational companies can undertake to follow Binding Corporate Rules (BCRs) to ensure that the appropriate safeguards are provided when transferring data between companies within a group, including to third country locations. BCRs are a framework which the companies themselves propose, setting out the different legal elements (internal legal agreements, policies, training, audits, etc.) that ensure compliance.
They do not automatically authorise transfers; they must be approved by the data protection authority in each member state (such as the ICO in the UK or the CNIL in France). A process of mutual recognition has been developed whereby approval from 3 different member states (one lead and two co-leads) will be enough to constitute approval for the whole of the EU (although all member states can still ask for amendments to be made if they choose to). The process usually takes between 6 and 9 months.
BCRs were authorised under the former Data Protection Directive (Directive 95/46/EC 1995), which has now been replaced by the Data Protection Regulation. They remain valid under the GDPR (Article 46(5)) and are considered to provide adequate protection under the Data Protection Regulation (Article 48(2)(d)).
Codes of Conduct and Certification Mechanisms
If a processor is based in the UK, codes of conduct or certification mechanisms can be used to ensure that the appropriate safeguards for transfers to a third country are provided. These codes of conduct are to be drawn up by Member States, supervisory authorities and the European Commission, then adhered to by organisations in third countries, and aim to ensure that all of the rights and obligations contained in the GDPR are upheld.
Ad Hoc Contractual Clauses
When EU institutions look to transfer data to private entities in the UK after Brexit, it will be possible for them to create ad-hoc contractual clauses that they negotiate with their UK counterparts in order to provide the best safeguards for their own particular situation. Prior to any transfers taking place, they must be approved by the European Data Protection Board (EDPB).
There are some derogations under the Data Protection Regulation (Article 50) for situations where third country companies do not need to find alternative protections for data transfers, because the transfers are exempt from the rules.
But, be careful! These derogations are to be interpreted extremely restrictively. They do not require prior authorisation from the EDPB, which leads to an increased risk for the rights and freedoms of the data subjects concerned. They mainly relate to processing activities that are occasional and non-repetitive, such as where the transfer is necessary for the implementation of pre-contractual measures or for important reasons of public interest. It is highly unlikely that a UK company could constantly rely on derogations from the Data Protection Regulation in order to justify international transfers of data.
Warnings from the EDPS
Building on guidance from the European Commission and the EDPB, the EDPS has issued its own guidance. It has raised specific issues with some of the alternative measures that are currently available to third countries and which may be considered by UK companies after a no-deal Brexit.
Since the UK will have no relevant data protection legislation ready for the European Commission to review immediately when it leaves the EU, the EDPS does not consider it useful to rely on an adequacy decision. These decisions take time, and a strict review of the legal framework (which the UK will not yet have) is required. It has therefore advised that the other transfer mechanisms should be considered.
Binding Corporate Rules
Whilst BCRs remain valid under the GDPR and the Data Protection Regulation, the EDPS has advised that they need to be updated in order to be fully in line with all of the GDPR provisions. Future BCRs must be approved by competent national supervisory authorities and must take into account any opinions that the EDPB has published, prior to any transfers taking place. The European Commission may also specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities.
Codes of Conduct and Certification Mechanisms
The EDPS has pointed out that these tools are new under the GDPR. They are for the EDPB to develop, and it is currently working on guidelines to clarify the content and use of these tools, which, when published, should be closely followed. However, for now, we wait!
Practical Guidance from the EDPS
Firstly, if your company transferred data before the withdrawal date, you may be in luck. The European Commission has published guidance that UK-based controllers and processors may continue to process personal data transferred before the withdrawal date, so long as the data continues to be protected in the same way that EU law would protect it. Developments on this should be closely followed, and the EDPS may provide further guidance.
For data transferred after the withdrawal date, in the absence of a Brexit deal, and in the absence of an adequacy decision (something that would hopefully be obtained in the distant future), the EDPS advises providing adequate safeguards using SCCs, BCRs, Codes of Conduct, or ad-hoc contractual clauses.
In order to be prepared for a no-deal Brexit, the EDPS has advised that companies should map out their processing activities and check through the available data transfer mechanisms to choose the mechanism that best suits their situation. It has advised that this mechanism should be implemented between 1 June and 1 November 2019, and that internal documentation and the company’s data protection notice should be updated to reflect this.
If it seems that this is a process you will need to consider, or if you have any other legal queries about data protection, please don’t hesitate to get in touch!
Article by Lily Morrison, Legal Consultant @ Gerrish Legal, August 2019