Notwithstanding the current political turmoil surrounding Brexit (deal or no deal?) the UK are still scheduled to exit the European Union (EU) on 29 March 2019 (only 6 weeks away!) and as the politicians grapple with the complexities of hard/soft Brexit options with the clock ticking down to B(rexit) Day, we are looking at how data will be transferred outside of the UK (and EU) post-Brexit.
What does the GDPR say?
Article 44 of the GDPR prohibits “international transfers” to “third countries” or to an “international organisation” unless the personal data being transferred is subject to the safeguards laid down in the GDPR. This is to ensure that EU citizens’ data is given the same level of protection internationally as it would be given within the EU. Under the Data Protection Directive, such a prohibition also existed and the EU developed mechanisms which would allow the transfer of data where certain conditions were met. The same is true under the GDPR.
First things first – when is data transferred “internationally”?
The GDPR does not provide definitions of “third country” or “international organisation”. However, the UK’s Supervisory Authority, the ICO, has issued guidance which suggests that it means transfers outside of the European Union. We submitted an enquiry to the ICO requesting clarification on this particular point in December 2017 and we received a response clarifying that the reference is intended to apply instead to the wider EEA (which includes all Member States of the EU plus Iceland, Liechtenstein and Norway).
Therefore if your data is being transferred to the US (for example where you use a US company to manage a mailing list) or to India (for example where you use an Indian programmer to run your backend software and/or database), the data controller has an obligation to ensure that it has “adequate measures” in place to protect your data in these “third countries.”
When can you transfer data outside the EEA?
(i) Adequacy Decision from EU
Under the GDPR, a transfer of personal data to a “third country” or an “international organisation” may take place where the European Commission has decided that the third country, a territory or one or more specific sectors in the third country or the international organisation in question ensures an adequate level of protection. Adequacy decisions under the GDPR are not indefinite and are subject to periodic review by the European Commission (at least every four years).
Currently, the EU has issued adequacy decisions in respect of the following countries:
- Canada (commercial organisations);
- Faroe Islands;
- Isle of Man;
- New Zealand;
- USA (limited to the Privacy Shield framework); and
- the latest – Japan, in January 2019.
(ii) Binding Corporate Rules (BCRs)
The BCRs only apply to multinational organisations transferring personal data outside the EEA but within their group of entities and subsidiaries. These rules create rights for individuals which they can exercise before the courts or data protection authorities, and obligations for the company. These BCRs are legally binding on all companies in the multinational group and are usually made by unilateral declarations, group agreements or corporate governance within the group.
To use BCRs to transfer data freely within a group, they must be assessed and approved by all the relevant EU data protection authorities, who will cooperate to assess the standard of the rules. This means that implementing BCRs is often time-, resource- and cost-heavy.
(iii) Standard Contractual Clauses (SCCs)
The European Commission has approved four sets of SCCs (also known as the model clauses) as providing adequate protection for international data transfers. If these model clauses are used in contracts for data transfers or processing, then the transfer will be treated as adequate. If you are relying on a European Commission adequacy decision, whilst you need not work with or seek the approval of your national supervisory authority, you cannot change the clauses in any way – they must be used in their entirety.
(iv) Code of Conduct
This will be an approved code of conduct and/or certification mechanism, together with binding and enforceable commitments of the controller or processor in the third country to apply the safeguards, including data subject rights. Codes and certifications are only being discussed at present; there is nothing formal to follow yet (a situation similar to that under the previous rules).
(v) EU-US Privacy Shield
For transfer to the US, the European Commission has approved the EU-US Privacy Shield framework, and accordingly, if an organisation is certified under this framework it shall be deemed adequate. A similar framework is in place between Switzerland and the US.
(vi) Derogations (the “Article 49 Derogations”)
There are derogations from the general prohibition against transferring data outside the EEA, where personal data can be transferred even if there is no adequate protection. However, it is good practice to ensure that there is adequate protection if it is possible to do so, and only to rely on a derogation if it is not. The derogations are as follows:
(a) Contract - the transfer is necessary for the performance of, or for the taking of steps at the request of the data subject with a view to entering into, a contract between the data subject and the data controller and/or the transfer is necessary for the performance of, or entering into, a contract between the data controller and a third party entering into the contract at the request, or in the interests, of the data subject.
(b) Consent - the data subject has given their explicit consent to the transfer – such consent will not be valid if the individual has no choice but to give their consent.
(c) Public interest - the transfer is necessary for reasons of substantial public interest – this is a high threshold to meet and would be relevant for preventing and detecting crime, national security or collecting tax.
(d) Legal claims – the transfer is necessary for the establishment, exercise or defence of legal claims.
(e) Vital interests - the transfer is necessary to protect the vital interests of the data subject – this relates to life and death matters.
What impact will Brexit have on international transfers?
(i) Adequacy Decision
If you are transferring data to any of the countries which are currently subject to an adequacy decision from the EU, you may be able to continue to do so post-Brexit, so long as the UK adopts the EU adequacy decisions and recognises these countries, from a UK perspective, as providing adequate protection for UK data.
The UK government have confirmed that post-Brexit, the UK will recognise all EEA Member States as providing adequate standards of protection and therefore the free flow of data from the UK to the EEA will not be impacted by Brexit.
But what about data from the EEA to the UK?
It is hoped that, in time, the UK will be the subject of an adequacy decision from the EU (which would recognise that the UK has the same standards of protection for data subjects as the EU) and therefore data transfers between the EEA and UK could happen without the need for contractual agreements between parties.
However, adequacy decisions take time to be granted and therefore, once the UK leaves the EU, there will be a period of time where the UK is not deemed an adequate country for data transfers, and we will need to look at alternative transfer mechanisms to cover transfers during this period. In the event of a no-deal Brexit, the UK Government does not expect the EU to issue an adequacy decision in time.
(ii) Standard Contractual Clauses
These are likely to be the most common and appropriate adequacy measure used by organisations to effect international transfers post-Brexit. However, where organisations choose to rely on SCCs as an adequacy measure, there will be a limbo period post-Brexit where SCCs cannot be used to transfer data from the UK to a “third country”, as there will be a period of time before such SCCs for the UK are released and approved for use.
This is likely to cause substantial disruption to UK business and operations. Although the UK government have not addressed this directly, they have assured that “alternative mechanisms for those who rely on data transfers from the EU will be available.”
If you are likely to be impacted by this, you should consider (i) whether you can rely on any of the derogations; and (ii) if not, putting in place the current SCCs anyway to ensure that you have obligations with parties to protect data subjects (even if these are not technically compliant post-Brexit).
(iii) EU-US Privacy Shield
The ICO recently issued guidance which confirmed that in the event of a “no-deal” Brexit, organisations in the UK can still rely on Privacy Shield certification as an adequate measure to transfer data from the UK to the US provided such organisations have updated their public Privacy Shield communications to state that these also apply to the UK as well as the EU.
So, how can your business prepare?
Due to the uncertainty, many businesses are struggling to understand what they need to do to prepare for Brexit in relation to the transfer of personal data outside of the UK (and the EU). There may be some comfort if we leave the EU with a deal (and a transitional period!); however, this cannot be relied on, and businesses should be preparing now to implement new measures with service providers and data processors to ensure that your business can continue to operate in compliance with the GDPR post-Brexit:
- Make sure you understand who you share data with and where data is being sent (including to countries outside of the EU);
- Review the measures that you currently rely on to share data with those parties (i.e. do you have SCCs in place, do you rely on the EU-US Privacy Shield, or could you rely on the Article 49 Derogations?);
- Understand how Brexit may impact upon the adequacy measure that you are currently relying on; and
- Implement any additional adequacy measures that may be required in the interim period before formal adequacy decisions and/or arrangements with the US are finalised.