As part of the UK Government's series of technical notices, which set out information to allow businesses and citizens to understand what they would need to do in a ‘no deal’ scenario so they can make informed plans and preparations, the UK Government recently published guidance on what to do about data protection in the event of a ‘no deal’ Brexit.
Whilst the headlines have tended to focus on the potential impact of ‘no deal’ on physical transport, the Irish border, the free movement of goods and potential tariffs, the movement of personal data has so far remained under the radar.
Rules governing the collection and use of personal data are currently set at an EU-level by the General Data Protection Regulation (GDPR). In the UK, the Data Protection Act 2018 and the GDPR provide a comprehensive data protection framework. Most other EU countries have their own supplementary legislation.
Once the UK leaves the EU, under the GDPR it will be considered a third country. A recent communication from the European Commission confirms this.
Currently, personal data can flow freely between the Member States of the EU, when the GDPR (General Data Protection Regulation 2016/679) is respected. Once EU law ceases to apply to the United Kingdom, the transfer of personal data from the EU to the United Kingdom will still be possible, but it will be subject to specific conditions set in EU law.
Companies and Member States’ authorities that are currently transmitting personal data to the United Kingdom should therefore be aware that this will become a “transfer” of personal data to a third country, and explore if it could be permitted under relevant provisions of EU legislation. If the United Kingdom’s level of personal data protection is essentially equivalent to that of the EU, the Commission would adopt an adequacy decision which allows for transfer of personal data to the United Kingdom without restrictions. However, this decision could only be taken once the United Kingdom becomes a third country.
Companies should therefore assess whether, in the absence of an adequacy decision, measures are necessary to ensure that these transfers remain possible.
When the UK becomes a ‘third country’ after Brexit, an adequacy decision may be considered the preferred approach. As noted above, the process of deciding on adequacy can only begin once the UK has left, and this process has taken on average 28 months to complete.
It could be that the UK Government will try to secure an agreement similar to the US Privacy Shield; however, considering the issues surrounding that arrangement, it is unlikely that this would prove either more expedient or less convoluted than seeking an adequacy decision.
The GDPR does make provision for the sharing of data with countries outside the EU where an adequacy decision is not in place.
The two best known safeguards for third-country organisations operating with EU partners are:
Binding Corporate Rules
Binding Corporate Rules (BCRs) are a mechanism whereby an organisation can set out its global policy on the international transfer of personal data within its corporate group.
The initial investment of gaining approval is, however, particularly costly (both in monetary terms and in time), but there may be great benefits for larger organisations.
It is important to note that BCRs only cover transfers within a group of companies and should not be considered as an adequate safeguard for international transfers outside the corporate group.
Standard Model Clauses
Standard Model Clauses are essentially contracts approved by the European Commission that can be adopted for the transfer of personal data outside the EEA. The GDPR also introduces the possibility for local DPAs to draft Model Clauses. Model Clauses are considered to provide appropriate safeguards and hence have been widely used.
Model Clauses simply require a signature from the organisation sending the data (the data exporter) and the organisation receiving it (the data importer), on the condition that the data importer can comply with the provisions stipulated in the agreement.
Recently, however, concerns have been raised as to whether the Model Clauses sufficiently protect personal data transferred outside Europe. Consequently, a number of questions concerning the validity of the Model Clauses have been referred to the Court of Justice of the European Union.
Other safeguarding solutions include:
• An approved certification mechanism, whereby GDPR compliance is demonstrated through certification, data protection seals and marks, together with binding and enforceable commitments;
• An approved code of conduct that stipulates the international transfer of personal data, together with binding and enforceable commitments on how to apply the code of conduct;
• “Ad-hoc contracts” approved by a competent Supervisory Authority;
• Derogations such as explicit consent, transfers on the basis of performance of a contract, transfers necessary for legal claims or defences, etc. The derogations should be used narrowly and only in exceptional cases. Consent is a complicated legal basis (individuals can withdraw their consent at any time!) and should not be used for international data transfers that take place on a large and/or structural basis.
The UK Government's technical note helpfully states that, in the absence of an adequacy decision, it recommends that you proactively consider what action you may need to take to ensure the continued free flow of data with EU partners, although it does not give specific guidance as to what this action may be.
So in a nutshell: if the UK leaves the EU on March 29th 2019 without an agreement (‘no deal’), then from 30th March 2019 organisations within the EU will not be able to share personal data with organisations within the UK unless one of the other safeguards mentioned above is in place.
Jersey & Guernsey
The impact in Jersey and Guernsey may be even more profound, bearing in mind our close relationship with the UK, with both local laws having very similar restrictions (to the GDPR) on transferring data to third countries. However, the Guernsey Data Protection Law does allow transfer of personal data to an ‘Authorised Jurisdiction’, defined as:
(a) the Bailiwick,
(b) a Member State of the European Union,
(c) any country, any sector within a country, or any international organisation that the Commission has determined ensures an adequate level of protection within the meaning of Article 45(2) of the GDPR (or the equivalent article of the former Directive), and for which the determination is still in force, or
(d) a designated jurisdiction,
The key point is that Guernsey has already assigned the UK as a ‘designated jurisdiction’:
“designated jurisdiction” means any of the following, where designated by an ordinance made by the States of Deliberation –
(a) the United Kingdom,
(b) a country within the United Kingdom,
(c) any other country within the British Islands, or
(d) any sector within a country mentioned in paragraph (a), (b) or (c)
On the face of it, this seems to negate the need for further safeguards when transferring personal data to the UK from Guernsey; however, it remains to be seen whether this will pass scrutiny by the EU Commission when Guernsey’s adequacy decision is reviewed.
Furthermore, there is currently no guidance from either the Jersey Office of the Information Commissioner or the Office of the Data Protection Commissioner in Guernsey as to what organisations should be doing to prepare for the UK becoming a third country without an adequacy decision.
Brexit is potentially less than six months away and, as the UK Government has suggested, organisations need to proactively consider what actions they need to take to ensure the continued free flow of personal data with partners in the EU and UK.