Today we discuss the effects of Brexit on EU businesses after 31st October 2019.
EU businesses that intend to transfer personal data to the UK after Brexit’s latest deadline of 31st October 2019 should document their decisions to do so and notify data subjects of those arrangements, a European data protection watchdog has said.
This article sets out a five-step plan for organisations to ensure compliance with EU data protection laws when accounting for a potential ‘no deal’ Brexit.
When transferring data to the UK, you should:
1. identify what processing activities will imply a personal data transfer to the UK;
2. determine the appropriate data transfer instrument for your situation;
3. implement the chosen data transfer instrument to be ready for 31 October 2019;
4. indicate in your internal documentation that transfers will be made to the UK;
5. update your privacy notice accordingly to inform individuals.
Currently, data can flow freely to the UK as it is a member of the EU and subject to the General Data Protection Regulation (GDPR).
The GDPR places firm restrictions on the transfer of personal data outside the EEA. Businesses are prohibited from transferring personal data to non-EEA countries unless they can evidence one of a number of safeguards to ensure EU data is adequately protected when processed in those ‘third’ countries. In a ‘no deal’ Brexit, this will include transfers of personal data to the UK.
Standard Contractual Clauses (SCCs)
Standard Contractual Clauses (SCCs) are “a ready-to-use instrument” that businesses planning data transfers can implement. SCCs are “likely to be relevant to most Irish businesses that transfer personal data to the UK” in a ‘no deal’ Brexit scenario.
SCCs, also known as model clauses, were developed by the European Commission for use in cross-border contracts. They create a contractual framework for how personal data should be handled when transferred outside of the EU to ‘third countries’.
The Commission has previously issued decisions that endorse model clauses as tools providing adequate protection of personal data when used for data transfers, as required by EU data protection law. The use of model clauses has therefore become widespread among international businesses, and many companies have come to rely on them to demonstrate compliance.
Other legal mechanisms for underpinning EU-UK data transfers post-Brexit may be more difficult to put in place given the time left before Brexit is scheduled to take effect.
While businesses planning data transfers can modify or add to SCCs to “provide appropriate safeguards” particular to their own situation, the “tailored” clauses must be authorised by the organisation’s local data protection authority.
Binding corporate rules (BCRs)
Similarly, ‘binding corporate rules’ (BCRs), which businesses can commit to in order to facilitate intra-group data transfers outside of the EEA, need approval by the relevant national DPA.
Some of the other tools for underpinning data transfers, provided for in the GDPR, are not available to use yet.
Under the GDPR it is open to industry bodies to develop codes of conduct or establish certification schemes that set “binding and enforceable” standards on data transfers and allow organisations that sign up to the code or certify against the scheme to demonstrate their compliance with the requirements around data transfers set out in the Regulation. However, to date, no such codes or certification mechanisms have been developed for data transfers.
Derogations apply to the GDPR’s main rules on data transfers. EU businesses may be able to turn to the derogations as a basis for transferring personal data to the UK in the event of a ‘no deal’ Brexit. However, the derogations “must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive”.
One of the listed derogations is where businesses obtain the explicit consent of data subjects to carry out the transfer of their data, having explained the possible risks of the arrangement. Others include where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject, and where the transfer is necessary for important reasons of public interest, where it is necessary to protect the vital interests of individuals where the data subject is physically or legally incapable of giving consent, or where it is necessary for the establishment, exercise or defence of legal claims.
Where none of the listed derogations apply, data transfers that are not repetitive and are limited in volume may still be permitted where necessary “for the purposes of compelling legitimate interests” the business is pursuing, so long as those interests are not overridden by the interests or rights and freedoms of the data subject and “suitable safeguards” are provided for; in that case the data controller will also be required to inform the ICO or other relevant local supervisory authority.
The issue remains for processor transfers: the requirements of the GDPR in relation to external transfers are not limited to those made by a controller, and processors are also subject to the strict international transfer requirements.
EU-US Privacy Shield
The UK government has said that, in a ‘no deal’ Brexit scenario, data flows from the UK to the EU will not be disrupted. For data transferred to the USA, the UK government will respect the EU-US Privacy Shield.