On 12 February 2019 the European Data Protection Board (‘EDPB’) published an information note on data transfers to the United Kingdom in the event of a no-deal Brexit. The EDPB is the body in which all Data Protection Authorities of the Member States of the European Union are united. Below we will discuss what the EDPB has said about this exactly and what the possibilities are when your organisation transfers personal data to parties located in the United Kingdom.
What are the consequences of a no-deal Brexit for the transfer of personal data to the United Kingdom?
All Member States of the European Union are bound by the General Data Protection Regulation (‘GDPR’). The GDPR is a regulation. That means that the rules are directly applicable in all Member States. The GDPR is therefore, other than in the case of a European directive, not implemented in national legislation. Consequently, in the event of a no-deal scenario, the GDPR will no longer be in force in the United Kingdom. In that case, from 30 March 2019 – the day the United Kingdom will (likely) leave the European Union – the United Kingdom will be qualified as a ‘third country’ in the terminology of the GDPR.
Under the GDPR, the transfer of personal data to organisations located in third countries is only possible if the GDPR specifically allows this. For example, when additional measures have been taken to ensure that personal data are sufficiently protected. Please note: transfer or processing already exists in the situation where personal data is only consulted from a third country. Thus, additional measures also must be taken in case of storage, inspection, rectification, destruction etc. of personal data from and to third countries.
What possible solutions are there to legally transfer personal data to the United Kingdom after a no-deal Brexit?
One of the measures that can be taken is to request for unambiguous consent of each data subject of whom personal data are being transferred. However, such consent must be given freely and must relate specifically to the transfer of personal data to the United Kingdom. In practice it will often not be possible to obtain consent from everyone. Moreover, once consent has been given, it can always be withdrawn.
When it comes to the transfer of personal data to an establishment of a company located outside the European Union, Binding Corporate Rules can offer a solution. However, this measure is only intended for data traffic within a group of undertakings or enterprises. Furthermore, Binding Corporate Rules must always be approved by the Data Protection Authorities before they can be legally used, which means that in practice this option is not feasible (anymore).
- Codes of conduct and certification mechanisms
Codes of conduct and certification mechanisms are also mentioned in the GDPR as appropriate safeguards for the transfer of personal data to third countries. The EDPB however indicates that it is still working on guidelines in order to give more explanations on the harmonized conditions and procedure for using these tools. Both guidelines on codes of conduct and guidelines on the review and assessment of certification criteria have been published for public consultation, but have not been finalised yet. Therefore, this option does not seem to be a real option either at this moment.
Last but not least, the European Commission has issued so-called model contracts. These contracts provide additional safeguards necessary in the event of a transfer of personal data to a third country. Given the time remaining until 30 March 2019, this option seems to offer the best outcome for organisations. After all, model contracts are a ready-to-use instrument, although their implementation will also take some time.
It is important to note that the provisions in the model contracts may (in principle) not be changed by the parties. Nevertheless, model contracts may be included as an annex to another contract as long as the other agreements in that contract do not directly or indirectly conflict with the model contracts.
The United Kingdom is not one of the countries with a special status
But does this Brexit regime also apply to all other countries that are not members of the European Union? The answer is no. The transfer of personal data to Iceland, Liechtenstein and Norway is permitted without additional measures being taken. The reason for this is that these countries belong to the European Economic Area and therefore also have an equivalent level of protection of personal data. These countries also participate in the EDPB, but do not have voting rights.
A country with a special status when it comes to the transfer of personal data is the United States, since the European Union has concluded the so-called Privacy Shield with the United States. This is a treaty in which agreements have been made about the protection of personal data. On the basis of that treaty, personal data may be transferred to American organisations that are certified under the Privacy Shield.
Finally, the European Commission has adopted a number of adequacy decisions on the basis of which transfers to third countries are permitted. Examples of countries about which such decisions have been adopted include Switzerland, Israel and Japan. The European Commission adopts an adequacy decision if in their view the country in question offers a level of protection that is equivalent to the level of protection that exists within the European Union. The EDPB emphasises that there is currently no adequacy decision (yet) for the United Kingdom.
Data transfer from the United Kingdom
According to the British Government, the United Kingdom would at the point of exit continue to allow the free flow of personal data from the UK to the EU. Therefore, organisations that only receive personal data from the United Kingdom do not seem to need to take any additional measures.
What happens if a deal is closed?
The Draft Brexit Agreement states that the EU data protection legislation – such as the GDPR and the future ePrivacy Regulation – will continue to apply in the United Kingdom during the transitional period. The transitional period will last until 31 December 2020. In concrete terms, this means that no additional measures will have to be taken for the transfer of personal data to the United Kingdom during this period. The United Kingdom will also try to obtain an adequacy decision before 1 January 2021, so that the transfer of personal data to the United Kingdom can continue uninterrupted after the transitional period. This is in fact some kind of EEA regime, with the important difference that the United Kingdom will not take place in the EDPB.