In case of a ‘hard’ Brexit, organisations will, as of March 29 2019, no longer be allowed to transfer personal data to parties within the United Kingdom unless they deploy specific instruments providing appropriate safeguards for the protection of these data. In the absence of an adequacy decision for the UK, the quickest solution is to use the standard contract clauses specified by the European Commission. All other instruments will first have to be approved by the national supervisory authority, and it remains to be seen whether this can be taken care of before the actual Brexit date. This blog discusses the options for continuing to exchange personal data with partners in the UK in the event of a hard Brexit.
Situation and context
If no agreement is reached on the relation between EU and UK, the United Kingdom will become a third country from 00.00 am CET on 30 March 2019. What this means is that personal data can no longer be transferred to parties in the UK as a matter of course. So, what if your organisation’s servers happen to be located in London or if you have a branch office in Manchester? This is why, on February 12 2019, the European Data Protection Board (EDPB) published an information note on data transfers under the GDPR in the event of a no-deal Brexit.
The simplest solution would be for the European Commission to issue a so-called adequacy decision for the UK, putting it on the list of countries providing an appropriate level of protection, which would then mean that personal data can still legally be transferred to parties in the UK. That is probably what will happen at some point, but it is unlikely to happen before the actual Brexit date. In other words, organisations will have to start looking for other instruments provided by the GDPR.
Standard Data Protection Clauses
The fastest way of providing a legal basis for data transfers to the UK is adopting Standard Data Protection Clauses approved by the European Commission. These are model contracts offering additional adequate safeguards with respect to data protection. These standard clauses may not be modified. However, the contracts may be included in a wider contract and additional clauses may be added provided that they do not contradict the Standard Clauses.
Ad hoc data protection clauses
If parties want to modify the Standard Clauses provided by the European Commission or want to draw up their own provisions, these will first have to be approved by the national supervisory authority, after consultation with the EDPB. Obtaining such approval is likely to take a certain amount of time, making it a less viable instrument for organisations still in an early stage of the process.
Binding Corporate Rules
International organisations or multinationals transferring personal data to offices in the UK have the option of drawing up ‘binding corporate rules’ in order to provide appropriate safeguards for the protection of these data, thus making it legal for transfers of personal data to take place within the group of companies. Binding corporate rules have to be approved by the supervisory authority, after consultation with the EDPB, and as a result, as is the case with ad hoc contract clauses, do not provide a quick solution to the problem.
Codes of conduct and certification mechanisms
A code of conduct or a certification mechanism can offer appropriate safeguards for transfers of personal data. These tools, however, are new under the GDPR and the EDPB is working on guidelines in order to give more explanation on conditions and procedures.
Derogations for specific situations
Under certain conditions transfers of personal data to a third country are also allowed in the absence of appropriate safeguards, for instance in case of explicit consent by the data subjects or if the transfer is necessary for the performance or conclusion of a contract. For other derogations, see Article 49 of the GDPR.
Transitional arrangement?
The Dutch ICT industry has asked the Data Protection Authority to come up with a transitional arrangement, giving organisations additional time to adapt to the new situation. As of yet, no reaction from the Data Protection Authority has been forthcoming …
Loes van Zuijdam, Coach at The Privacy Factory