It’s been clear for some time that the recently introduced General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) will continue to form the basis of UK data protection law even after the UK leaves the EU. The Data Protection Act 2018 already enmeshes the GDPR in UK law, and the European Union (Withdrawal) Act 2018 will take the further step of making the GDPR itself part of the UK statute book. So, for the foreseeable future at least, further changes to UK data protection law are not on the horizon.
Unfortunately, this doesn’t mean that Brexit will be problem free from a data protection perspective. One particular issue that has been causing a headache for the Government and the Information Commissioner’s Office (“ICO”) is the fact that, upon leaving the EU, the UK will become a “third country” under EU data protection law.
Becoming a third country is an issue for the UK since it will mean that personal data will no longer be able to flow freely between EU and UK businesses (though, if there is a transitional period, the immediate effects of this won’t be felt). Instead, transfers of personal data from the EEA to the UK will only be able to take place if one of the conditions set out in Chapter V of the GDPR is met.
Transfers to third countries
In relation to transfers of personal data from country to country, the EU data protection regime distinguishes between countries which are part of the EEA and the rest of the world.
In relation to EEA countries (which currently includes the UK), because their data protection regimes are aligned (particularly since the GDPR became law), personal data can be transferred between one member state and another without restriction (other, of course, than the need to comply with the general requirements of the GDPR).
On the other hand, personal data can only be transferred from an EEA country to a country which is outside the EEA (known as a “third country”), if one of the conditions set out in Chapter V of the GDPR is satisfied.
The Chapter V conditions include:
- That the transfer of personal data is to a country in relation to which the European Commission has made an adequacy decision. An adequacy decision is effectively a pronouncement by the European Commission that the laws of a particular country offer an appropriate level of protection to personal data.
A list of the countries in respect of which adequacy decisions currently exist can be found on the Commission’s website - https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries. The list includes New Zealand and Switzerland and Japan is about to be added to it. Under the GDPR, adequacy decisions must be reviewed periodically and can be withdrawn at any time.
Adequacy decisions are not easy to obtain and the process for applying for one is usually lengthy. However, once an adequacy decision is made, personal data can be freely transferred to the country in question without the need for additional compliance measures.
The Government had hoped that, as part of the Brexit negotiations, the UK would be awarded some kind of special adequacy status (i.e. in view of its continued alignment with the GDPR). However, the EU negotiators have rejected this idea, stating that the UK will have to apply for adequacy status in the usual way once it becomes a third country (i.e. post Brexit).
- That an appropriate safeguard has been put in place prior to the transfer taking place. The GDPR sets out a variety of appropriate safeguards that can be used by businesses or organisations wishing to transfer personal data out of the EEA. These include (i) the use of regulator-approved arrangements between group companies known as “binding corporate rules”; (ii) special legally binding arrangements between public bodies and (iii) the use in contracts of standard contractual clauses approved by the European Commission (see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries).
Many EEA businesses currently rely on the standard contractual clauses to facilitate the transfer of personal data outside the EEA. The clauses impose various rights and obligations on the parties to the contract, with the aim of ensuring that personal data is adequately protected. The existing clauses were approved by the European Commission pre-GDPR, but remain valid under the new regime (though they may be changed in the future).
The validity of the standard contractual clauses is currently the subject of a court challenge, so their use needs to be kept under review.
- That the transfer can take place because it falls within one of the exemptions set out in the GDPR. These include that (i) the data subject explicitly consented to the transfer (having been advised of the risks involved in transfer to a third country) (ii) the transfer is necessary for the performance of a contract with the data subject and (iii) the transfer is necessary for the establishment, exercise or defence of legal claims.
Unfortunately, because the exemptions only apply in specific situations, many transfers of personal data will fall outside their scope. In addition, the exemptions relating to the performance of a contract and to the establishment, exercise or defence of legal claims are limited to occasional transfers and so cannot be relied on for regular transfers of personal data outside the EEA. However, it is always worth considering whether an exemption applies.
A call to action
With all this in mind, what, if anything, does your business need to do to prepare for the UK’s new status as a third country? There are a few important points to consider:
- The Government has recently confirmed that, in view of the degree of alignment between UK and EU data protection law, outbound transfers of personal data (i.e. transfers from the UK to an EEA country) will be able to continue unaffected post Brexit. This means that if the running of your business only involves the transfer of personal data from the UK to an EEA country, you won’t need to do anything (though this will need to be kept under review in case the position changes in the future).
Unfortunately, few data transfer arrangements are one way – usually, the personal data will be transferred back to you at some point – so this concession won’t offer a complete solution for many businesses.
- If your business is reliant on the transfer of personal data from within the EEA (e.g. if your business uses a cloud service provider which hosts your personal data in France), the Government’s latest advice (see https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal) is that you need to consider taking steps to ensure that such personal data flows can continue if there is a no-deal Brexit. A no-deal Brexit would mean no transitional period (a transitional period would postpone the UK’s treatment as a third country until December 2020) and/or no immediate recognition of adequacy status for the UK.
For many businesses, the best way to ensure that such transfers of personal data can continue to take place will be to vary contracts to incorporate one of the versions of the standard contractual clauses. It is also worth checking whether any of the exemptions set out in the GDPR apply. The starting point, however (if you have not already done so as part of your preparations for the GDPR), is to identify what transfers of personal data currently take place from the EEA to your business and from your business to the EEA.
Help is available
This is a complicated area of law and deciding whether, and if so what, steps your business needs to take may not be straightforward. If you’d like to discuss your position with one of our data protection law experts, please don’t hesitate to get in touch with a member of our Information Law Team.