Brexit Postponed to 31 October 2019: Implications for Data Protection

On 23 June 2016, the United Kingdom (UK) voted to leave the European Union (EU) through a referendum. Nearly three years later, Brexit remains a central topic of debate, with its implementation postponed to 31 October 2019. This delay has left stakeholders uncertain about the process and its outcomes. MyData-TRUST has analysed the implications of Brexit for data protection, particularly under the EU General Data Protection Regulation (GDPR).

Brexit and Data Protection

As the Brexit date approaches, the nature of the UK’s departure, whether with a deal or a “no-deal” Brexit, will significantly impact data protection. In a deal scenario, a transitional period will apply. However, in a “no-deal” Brexit, the UK will immediately become a third country under the GDPR upon exit. While data transfers from the UK to the EU are not problematic, the UK’s status as a third country means its data protection regime will no longer be automatically considered safe for the transfer and storage of EU citizens’ personal data. Fortunately, mechanisms such as adequacy decisions and alternative safeguards exist to facilitate compliant data transfers from the EU to the UK.

Adequacy Decision

Data transfers from the EU to third countries can be based on an adequacy decision, through which the European Commission determines that a third country provides an adequate level of data protection. If the UK secures an adequacy decision, EU countries can transfer personal data to the UK without additional safeguards.

The UK has implemented the GDPR through the Data Protection Act 2018 and maintains an active Data Protection Authority, the Information Commissioner’s Office (ICO). These factors support its case for adequacy. However, achieving adequacy is not guaranteed. The European Court of Justice (ECJ) and the European Court of Human Rights (ECHR) have previously ruled that the UK’s handling of personal data, particularly regarding citizen surveillance, does not fully align with EU law or the European Convention on Human Rights. Additionally, the UK’s Data Protection Act has been criticized by the Joint Committee on Human Rights for its level of protection. The European Union Withdrawal Act (section 5(4)), which expresses the intention to withdraw from the EU Charter of Fundamental Rights, may further complicate the UK’s adequacy prospects post-Brexit.

Moreover, the process for obtaining an adequacy decision is time-consuming. The Institute for Government notes that the fastest adequacy decision, for Argentina, took 18 months, while others have taken up to five years. Given that discussions on this matter have not yet started, time constraints may hinder the UK’s ability to secure adequacy before or soon after becoming a third country.

Alternative Appropriate Safeguards

In the absence of an adequacy decision, alternative mechanisms can ensure GDPR-compliant data transfers from the EU to the UK. MyData-TRUST highlights the following options:

Binding Corporate Rules (BCRs)

Binding Corporate Rules allow multinational companies to establish internal data protection policies for secure data transfers within their group, including to entities outside the European Economic Area (EEA). BCRs established before the GDPR remain valid but must be updated to comply with GDPR requirements.

Standard Contractual Clauses (SCCs)

Standard Contractual Clauses (SCCs), approved by the European Commission, provide another mechanism for data transfers. Three existing Commission decisions include annexes with these clauses, which can be used unchanged for EU-UK data flows. If modified, these become “ad hoc” clauses, requiring approval from the relevant National Data Protection Authority. However, these clauses have not been updated since the GDPR’s implementation, necessitating caution in their application.

Codes of Conduct or Certification

Codes of Conduct or Certification mechanisms, when accompanied by binding and enforceable commitments from organizations in the third country, offer additional safeguards. These are implemented by associations, other representative bodies, or certification entities.

Derogations

Derogations serve as a subsidiary mechanism for data transfers, applicable only when no adequacy decision or other safeguards are available. Derogations are limited to occasional and non-repetitive processing activities.

Role of the Data Protection Representative

Recital 80 of the GDPR clarifies that a Data Protection Representative is subject to enforcement proceedings in cases of non-compliance by a controller or processor. The representative ensures GDPR enforcement against non-EU-based controllers or processors, facing potential administrative fines, penalties, or liability. The European Data Protection Board (EDPB) has stated that the role of a Data Protection Representative is incompatible with that of a data processor for the same controller, due to potential conflicts of interest during enforcement proceedings.

Conclusion

It remains uncertain whether the UK will secure an adequacy decision, given challenges in its domestic legal framework and the lengthy process involved. However, alternative safeguards such as BCRs, Standard Contractual Clauses, Codes of Conduct, Certifications, and Derogations provide viable options for GDPR-compliant data transfers from the EU to the UK. While these mechanisms require additional formalities, they ensure continued data flow in the absence of an adequacy decision.
