Should we be afraid of data flows between the EU and the UK?
August 30, 2019
BREXIT HAS BEEN POSTPONED TO 31 OCTOBER 2019, LEAVING EVERYONE PERPLEXED ABOUT HOW IT WILL UNFOLD.
MyData-TRUST analyzed the Topic…
On 23 June 2016, the British chose to leave the European Union (EU) in a popular referendum. More than three years have passed since, during which Brexit and its twists and turns have been at the heart of debates. Brexit has been postponed to 31 October 2019, leaving everyone perplexed about how it will unfold.
However, it seems that, at this time, we are approaching the fateful date of the divorce. If there is a deal, a transition period will begin; in the case of a "no-deal" Brexit, the United Kingdom (UK) will, on the day it leaves, instantly become a third country under the EU General Data Protection Regulation (GDPR)*.
Data transfers from the UK to the EU are not a problem*, but as a third country the UK's data protection regime "will no longer be considered to be safe for the automatic transfer and storage of personal data of European citizens to the UK"*.
Fortunately, mechanisms such as an adequacy decision and, failing that, the other appropriate safeguards provided by the GDPR allow personal data to be transferred lawfully from the EU to the UK.
Data flows from the EU to third countries may be based on an adequacy decision (Article 45 GDPR): a mechanism by which the European Commission determines, by decision, that a third country ensures an adequate level of data protection.
If the UK is found adequate, organisations in the EU will be able to transfer personal data to the UK without any further safeguards or authorisation.
But the real question is whether the UK is likely to obtain an adequacy decision, or whether there are elements weighing against it.
On the positive side, the UK has the Data Protection Act 2018, which implements the GDPR in its legal system, and an active data protection authority, the Information Commissioner's Office (ICO).
The UK's application of the GDPR is not a guarantee of adequacy, however: once the UK is a third country, the European Commission will have to assess the level of protection offered by UK legislation as a whole. For example, the Court of Justice of the European Union (ECJ)* and the European Court of Human Rights (ECtHR)* have previously held that aspects of the UK's handling of personal data, notably its controversial approach to the surveillance of citizens, are not in line with EU law and the European Convention on Human Rights. Additionally, the level of protection offered by the UK Data Protection Act itself has been questioned by the Joint Committee on Human Rights (a UK parliamentary committee). Another potential problem is section 5(4) of the European Union (Withdrawal) Act 2018, under which the EU Charter of Fundamental Rights will no longer form part of UK domestic law once the UK leaves the EU, so the Charter and its protections for personal data will no longer apply to the UK.
Moreover, the adoption of an adequacy decision by the European Commission involves several steps and can be time-consuming. The Institute for Government notes that the fastest adequacy decision so far, for Argentina, took 18 months, while other assessments have taken up to five years. There may not be enough time to complete the procedure before the UK becomes a third country, in the short or medium term, since discussions on this point* have not yet begun.
MYDATA-TRUST DRAWS YOUR ATTENTION TO THE ALTERNATIVE APPROPRIATE SAFEGUARDS
BINDING CORPORATE RULES
A first alternative is to use Binding Corporate Rules (BCR, Article 47 GDPR), by which the parent company sets up internal personal data protection policies that are binding on itself and its subsidiaries. BCR aim to put in place appropriate safeguards allowing data to flow between the companies of a group, even when some of them are established outside the EEA. BCR approved before the GDPR remain valid for transfers to third countries, but they have to be reviewed to bring them into line with the GDPR*. Groups whose BCR were approved with the ICO as lead authority will also need to identify a new competent supervisory authority in the EEA.
STANDARD CONTRACTUAL CLAUSES
Another option is the use of Standard Contractual Clauses (SCC) adopted by the European Commission (Article 46(2)(c) GDPR). Currently, three Commission decisions include an annex containing such clauses. Used unchanged, they can serve as the basis for data flows between the EU and the UK.
If the clauses are amended, they become "ad hoc" clauses, which are not forbidden but must be authorised by the competent supervisory authority before use (Article 46(3)(a) GDPR).
These clauses have not yet been updated since the GDPR entered into force, so they should be used with care.
CODES OF CONDUCT or CERTIFICATION
Codes of conduct and certification mechanisms (Article 46(2)(e) and (f) GDPR) are two other tools which, provided they contain binding and enforceable commitments by the organisation in the third country for the benefit of the individuals concerned, offer appropriate safeguards. Codes of conduct are drawn up by associations and other bodies representing categories of controllers or processors, and certifications are issued by accredited certification bodies.
DEROGATIONS
A last possibility is to rely on a derogation (Article 49 GDPR), which is a subsidiary mechanism. A derogation may be invoked only in the absence of an adequacy decision and where none of the appropriate safeguards above can be put in place. In addition, derogations are interpreted restrictively and, as a rule, cover only processing activities that are occasional and non-repetitive.
DATA PROTECTION REPRESENTATIVE
Once the UK is a third country, UK controllers and processors without an establishment in the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU will have to designate a representative in the Union (Article 27 GDPR). Recital 80 also clarifies that the data protection representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor. Behind the notion of a "data protection representative" lies the idea of ensuring that the GDPR can be enforced against controllers or processors not established in the EU. Supervisory authorities can therefore initiate enforcement action against a representative essentially identical to the action they could take against the controller or processor itself; likewise, the representative can be fined administratively, be subject to penalties, or be held liable.
Given the possible conflict of obligations and interests in the event of enforcement proceedings, the European Data Protection Board (EDPB) does not consider the function of representative in the Union of a controller compatible with the role of processor for that same controller.
We cannot be sure today that the UK will obtain an adequacy decision, given the concerns about its internal law, and even if it does, achieving adequacy may be a long process. Fortunately, other mechanisms exist and, although they involve more formalities, they allow data to flow from the EU to the UK in a GDPR-compliant way.
*EDPB, "Information note on data transfers under the GDPR in the event of a no-deal Brexit", 12 February 2019, p. 5.
*P.J. Dittrich, "To be or not to be adequate. A guide to Brexit and data flows", Jacques Delors Institute Berlin, 20 September 2018, p. 4.
*ECJ, Joined Cases C-203/15 and C-698/15, Tele2 Sverige and Watson, ECLI:EU:C:2016:970, 21 December 2016.
*European Court of Human Rights, Big Brother Watch and Others v. the United Kingdom, ECHR 299 (2018), 13 September 2018.
*EDPB, "Information note on data transfers under the GDPR in the event of a no-deal Brexit", 12 February 2019, p. 2.
*EDPB, "Information note on data transfers under the GDPR in the event of a no-deal Brexit", 12 February 2019, p. 3.