Newsletter #1 – A BREXIT for Halloween
August 30, 2019
23 June 2016, the British chose to leave the European Union (EU) via a popular referendum. Almost three years have passed since, during which Brexit and his twists and turns has been at the heart of debates. Brexit has been postponed to 31 October 2019, leaving everyone perplex about how it will unfold.
However, it seems that -at this time- we’re approaching the fateful date of the divorce. If it’s a deal Brexit, a transitory period will begin but, in case of “no-deal” Brexit, the United Kingdom (UK) will, on the day of leaving instantly become a third country regarding the EU General Data Protection Regulation (GDPR).
Data transfer from the UK to the EU is not a problem but, as third country, UK data protection regime “will no longer be considered to be safe for the automatic transfer and storage of personal data of European citizens to the UK”.
Fortunately, mechanisms as adequacy decision and other alternative safeguards allow for a safe transfer of personal data from EU to UK.
Data flow from the EU to third countries may be based on an adequacy decision. It’s a mechanism by which the European Commission ascertain, by decision, that a third country provides an adequate level of data protection.
If the UK is considered adequate, EU countries will be allowed to transfer personal data to the UK without further safeguards.
But the real question is whether the UK is likely to achieve adequacy, or if there are adverse elements against the country.
However, the UK’s application of GDPR is not a guarantee of adequacy because, as a third country, the EU will have to assess level of data protection in the UK legislation. And for example, ECJ and ECHR have previously decided in judgments that the UK’s handling of personal data is not in line with EU law and European Convention of Human Rights (including about controversy approach of citizen surveillance). Additionally, the UK Protection Act in itself has been questioned about the level of protection offered by the Joint Committee on Human Rights (UK institution). Another potential problem may be that the European Union Withdrawal Act (section 5(4)), which expresses intention to withdraw from the EU Charter of Fundamental Rights, may not apply to the UK anymore once they leave the EU…
Anyway, adoption of an adequacy decision by the European Commission involves several steps which can be time-consuming. Indeed, the institute for Governments notes that the fastest adequacy decision up to now was for Argentina and took 18 months, while other assessments took up to five years. Time may be lacking to achieve the procedure before the UK becomes, in the short or medium term, third country since up to now discussions on this point have not begun.
MyData-TRUST draws your attention on Alternative appropriate safeguards
A first alternative is to use Binding Corporates Rules (BCR) by which the head company sets ups internal rules for their and their subsidiaries’ use via personal data protection policies. The BCR aim to put in place appropriate guaranties to allow data flow between companies of a group, even if one of them is outside the EEA. BCRs in place before the GDPR are still valid to allow data flow to third countries, but they have to be reviewed to conform with the GDPR
Another option is the use of Standard Data Contractual Clauses, approved by the European Commission. Currently, three decisions from the European Commission incorporate an annex which contains this kind of clauses. They can be kept unchanged to be the basis of data flow between the EU and the UK.
If they are amended, they become “Ad Hoc” clauses which aren’t forbidden but need to be approved by the competent National Authority
These clauses haven’t been updated since the entry into force of the GDPR… Better to be careful with these.
Code of conduct or Certification are two other mechanisms which, if they contain binding and enforceable commitments by the organization in the third country for the benefit of the individual, offer appropriate safeguards. These instruments are implemented by associations and other bodies representing categories of controllers or processors, and by certification bodies.
A last possibility to allow data flow is by Derogation, a subsidiary mechanism. A Derogation may be invoked only if there is no adequacy decision, and if none of the mechanisms above can be used. In addition, derogation can only be used if processing activities are occasional and non-repetitive.
We can’t today be sure that the UK will achieve adequacy decision, because of problems in its internal law. And even if it does, achieving adequacy may be a long process. Fortunately, other mechanisms exist and even if they imply more formalities, they allow data flow from EU to UK in a GDPR compliant way.
 EDPB , “Information note on data transfers under the GDPR in the event of a no-deal brexit”,12 February 2019, p.5.  Ibid., p.5  P.J. Dittrich, “To be or not to be adequate. A guide to Brexit and data flows », Jacques Delors Institute Berlin, 20 September 2018, p.4.  GDPR, Art. 45. - http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted  https://ico.org.uk/  https://ico.org.uk/  ECJ, ECLI:EU:C:2016:970; 21 december 2016  European Court of Human Rights, ECRH 299 (2018), 13 September 2018.  Joint Committee on human rights near UK Parliament, Commentary on the Right by Right Analysis, art. 8, 25 January 2018, https://publications.parliament.uk/pa/jt201719/jtselect/jtrights/774/77404.htm  European Union (Withdrawal) Act 2018, section 5(4), http://www.legislation.gov.uk/ukpga/2018/16/section/5
 Institute for Government, « Data Adequacy. Are there any reasons why the UK might not be deemed adequate?”, 24 October 2018, https://www.instituteforgovernment.org.uk/explainers/data-adequacy  EDPB, “Information note on data transfers under the GDPR in the event of a no-deal brexit”,12 February 2019, p.2.  GDPR, Art. 47, for procedure see https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en  EDPB, “Information note on data transfers under the GDPR in the event of a no-deal brexit”,12 February 2019, p.3.  GDPR, Art. 46 §2; see decision 2001/497/EC; 2004/915/EC; 2010/87/EU.  E. Colson, “(13 avril) 2019 : (Br)exit la protection des données personelles ? », available on https://lexing.be/brexit-data-protection/  Ibidem.  GDPR, Art. 40  GDPR, Art. 42  GDPR, Art. 49