Alessandro Galtieri looks at how Brexit could impact data protection if the UK leaves without a deal - and there is little good news.
With the current uncertainty as to the fate of the proposed withdrawal agreement from the EU, it is unlikely that there will be much more clarity between now and the fateful date of 29 March (at 11pm). So it’s worth having a quick look at how Brexit will impact data protection in case there is no transition period.
The current status
At the moment, the regulatory regime of the UK is perfectly aligned with that of the EU – the GDPR entered into force automatically on 25 May 2018 (in case you hadn’t noticed…) and the Data Protection Act 2018 integrated it with additional provisions. This does not change on Brexit day. The government has indicated that the GDPR will be incorporated into UK law by the EU Withdrawal Act.
However, after Brexit, the UK becomes a ‘third country’ – and the EU has very specific provisions related to EU-third country cross-border personal data flows (‘data exports’). It is worth mentioning the practical impact of such provisions with an example. If personal data cannot be freely transferred between the UK and the EU, any organisation with an HQ in the UK may not be able to transfer information on its EU-based employees to its UK-based head of HR (and vice versa).
Of course, if your organisation bases its business activity on data transfer (it needs not be Facebook or Google, any organisation working in healthcare or insurance would be affected), the impact would be much greater.
UK to EU transfers: the good news
Let me mention the only good news that I can give, related to personal data transfers from the UK to the EU.
If your organisation currently transfers personal data to any EU member state, you do not need to amend your existing processes and workflows. The Department for Digital, Culture, Media and Sport (DCMS) has issued technical guidance here: the UK will continue to support the adequacy of the EU for personal data transfers, so UK to EU personal data transfers will remain valid without the need for further safeguards. DCMS says in the event of no deal, ’[in] recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU. The UK would keep this under review’.
EU to UK transfers: the bad news
This is where the good news ends. Under the GDPR, any country outside the EEA to which the personal data of EU data subjects is transferred must have in place a data protection regime deemed to be equivalent to EU legislation. To prove this, the European Commission (EC) can issue an ‘adequacy decision’.
There has been much talk about the possibility of the EC granting an adequacy decision, as part of a quick ‘side deal’. Those who believe this is possible are clearly not familiar with the adequacy decision process. It is nevertheless quite easy to find out how these decisions are taken, as the EC clearly explains.
In a nutshell, the adoption of an adequacy decision involves:
- a proposal from the EC
- an opinion of the European Data Protection Board
- an approval from representatives of EU countries
- the adoption of the decision by the European Commissioners.
To date, the EC has granted adequacy decisions only to Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the USA (limited to the Privacy Shield framework). Adequacy talks are ongoing with South Korea and Japan.
Anyone who expects to be able to rely on a ‘quick’ decision should therefore not hold their breath – in short, this is not a viable option.
Other possible solutions
There are other potential legal mechanisms to export data between the EU and the UK.
Binding corporate rules (BCR)
BCRs can be used by multinational organisations when transferring personal information outside the EEA within their group of entities. Organisations must get approval for their BCRs from an EU data protection authority (DPA), with one authority acting as the lead. The process begins with an application to the relevant DPA, and it can take months, depending on the complexity of the processing and other factors.
Standard contractual clauses
The EC has approved model data protection clauses called ‘standard contractual clauses’, which can be used within a contract and enable the free flow of personal data. The clauses contain contractual obligations on the data exporter and importer and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights.
Codes of conduct
I discuss these even though they may not be available to UK organisations post-Brexit, as some sort of transitional deal may still allow them for a limited period.
A code of conduct must be approved by a DPA and include appropriate safeguards, which can be directly enforced, to protect the rights of individuals whose personal data is transferred. Codes are supposed to be issued by trade associations or bodies representing a sector, in consultation with relevant stakeholders, including the public where feasible. Approved bodies will monitor compliance with the code and help ensure that the code is appropriately robust and trustworthy. For this to happen, the DPA needs to:
- check that codes include appropriate safeguards
- set out the monitoring body accreditation criteria
- accredit monitoring bodies
- approve and publish codes.
As there are no examples of approved codes of conduct in the UK, I fear that this is a theoretical rather than pragmatic solution.
Certification
Certifications must be approved by a DPA and include appropriate safeguards, which can be directly enforced, to protect the rights of individuals whose personal data is being transferred. In the UK, the certification framework would involve:
- the Information Commissioner’s Office (ICO) publishing accreditation requirements for certification bodies to meet
- the UK’s national accreditation body accrediting certification bodies and maintaining a public register
- the ICO approving and publishing certification criteria for certification schemes
- accredited certification bodies (third party assessors) issuing certification
- controllers and processors applying for certification and using certifications.
The ICO currently has no plans to accredit certification bodies or carry out certification. There are therefore no approved certification schemes or accredited certification bodies for issuing GDPR certificates at present.
What if there is a transition period?
If there is a transition period after 29 March, the only guidance we have is in the ‘political declaration’ on the future relationship. The text says that, in view of the importance of data flows and exchanges across the future relationship, the EU will ‘endeavour’ to adopt an adequacy decision in relation to the UK by the end of 2020. Regardless of the political aspects, all data protection practitioners should hope that those endeavours are successful.
Alessandro Galtieri is Deputy General Counsel and Group Data Protection Officer, Colt Group.