What UK organizations need to know about the General Data Protection Regulation (GDPR) after the exit from the EU and about the UK Data Protection Bill – for now.
Despite leaving the EU, the UK decided to implement most elements of the GDPR (in its Data Protection Bill) as personal data flows will continue to exist after the departure of the UK from the EU and UK organizations are obviously also bound to the GDPR despite Brexit, just as is the case for all organizations which process personal data of EU citizens, regardless of the country where processing is done.
Moreover, the UK’s Data Protection Bill also has its own rules on general data protection which should be known by UK companies of course.
It does sound complicated and so it is, just as Brexit overall is. Brexit negotiations as they stand now, in January 2018, haven’t led to outcomes that enable organizations in the UK and organizations in the EU alike, to be comfortable regarding the ways they can conduct business in a near future, also in the scope of international personal data transfers between UK and EU data controllers and/or processors.
Unless a ratified withdrawal agreement is reached with a new date, on 30 March 2019 the UK is out of the EU and becomes what is known as a ‘third country’ from the perspective of the EU (simply meaning: not a EU country). As politicians keep doing what they are best at and focus on what they find most important first on both sides of the Channel, companies which essentially enable countries to exist and citizens to work, still remain in the dark on several fronts.
The uncertainty becomes even higher in the scope of the free flow of personal data and GDPR compliance (further stalling and disagreeing makes that withdrawal date ever more unlikely; just reaching agreements is not enough, it does take time).
Yet, there are initiatives and some updates UK organizations should know about regarding GDPR after Brexit is a done fact. And there is some progress on the UK’s Data Protection Bill too. Let’s start with the GDPR as that is the piece of personal data protection legislation which most organizations focus on right now for all the obvious reasons.
Third country data transfers when the UK is a third country
In a ‘notice to stakeholders’, published in January 2018, the Directorate-General Justice and Consumers of the European Commission points out the consequences, again in case there is no ratified withdrawal agreement with a new withdrawal date and the UK thus becomes a third country on March 30, 2019.
Large organizations might already know all this, especially those working with so-called binding corporate rules but for many UK businesses GDPR personal data transfer rules regarding third country data transfers might be less known. So, this is for them.
What the notice essentially does is reminding the UK and UK organizations of those GDPR rules with regards to third countries. It’s probably not a coincidence that “considerable uncertainties, in particular concerning the content of a possible withdrawal agreement” are mentioned as a rationale for that reminder. Yet, there is more and we cover it below.
Let’s leave any views on political issues aside and stick to the essence, the work that is been done for organizations in the scope of discussions and negotiations regarding the free flow of personal data between the EU and UK in light of that ‘third country’ status of the UK.
The essence of third country personal data transfers under the GDPR
From the EU and thus GDPR perspective the stipulations regarding personal data transfers to third countries are pretty simple, at least, so it seems.
Let’s look under which conditions personal data transfers to third countries (or international organizations) can happen and how is this related to the UK and the GDPR. Do already note that these personal data transfer mechanisms are in the UK Data Protection Bill as well, as part of the GDPR stipulations in it.
Adequacy decisions: UK status unknown – the possibilities
The first element to understand is the adequacy decision. In this scenario, the European Commission has taken an adequacy decision regarding a third country, territory or specific sectors (e.g. the travel sector) in third countries.
In this case there is no need for additional authorizations of personal data transfers (with the usual exceptions), for instance from the data protection authority. In the scope of this article this means that, when the UK is a third country essentially an adequacy decision should be taken, enabling personal data flows in general. So, that depends on the package of negotiations in the scope of the UK’s withdrawal from the EU when an adequacy decision is taken on the level of the country and/or potential territories (if a special agreement in general regarding the status of the UK would be negotiated and that status makes it part of a territory where the GDPR might be directly applicable) and/or sector negotiations which already exist and are ongoing overall.
Obviously such an adequacy decision takes time, to say the least, and so it might be good to check for your sector. The EU also has reserved itself the right to monitor and, possibly amend or suspend an adequacy decision (regardless of the third country, territory or sector).
Appropriate safeguards in case there is no adequacy decision (in time) for the UK or for sectors UK organizations are active in
If there is no adequacy decision whatsoever (in time and/or for the country and/or specific sector) and the data controller or data processor can only transfer personal data to a third country, in this case the UK if:
- The controller or processor have provided the appropriate safeguards for the personal data transfer to happen in line with the proper protection of both the personal data and the data subject AND
- Legal remedies as well as mechanisms for data subjects with regards to their data subject rights are available.
The GDPR lists some of these ‘appropriate’ safeguards. Among them: the mentioned binding corporate rules (BCRs), an instrument that offers plenty of benefits and is chosen by an increasing number of large organizations.
Given the costs and intensive nature of BCRs they certainly aren’t in reach for smaller UK businesses though.
On top of those BCRs there are other appropriate safeguards such as:
- standard data protection clauses,
- adherence to an approved code of conduct with binding and enforceable commitments of the controller or processor in the third country on top,
- approved certification mechanisms with those same binding and enforceable commitments.
Scenario 3: when there is no relevant adequacy decision nor appropriate safeguard
A third possibility is that there isn’t an adequacy decision nor an appropriate safeguard in which case personal data transfers are allowed in specific cases that are covered in GDPR Article 49 (Derogations).
Examples: explicit and highly informed consent of the data subject, the performance of a contract, pre-contractual measures the data subject has requested, reasons of public interest which are important and more which you typically also find back under the legal bases for lawful processing of personal data and a few others but even stricter, among others on the level of the information duty and personal data processing principles overall.
What else UK companies need to know in the context of post-Brexit data transfers
In case there is no adequacy decision (and given the state of Brexit negotiations you can bet it will take time) the best path to take is the binding corporate rule (yet, as mentioned, not for everyone) or approved standard data protection clauses as these don’t require more.
However, for the other two mentioned ‘appropriate safeguards’, which come with additional commitments on top (adherence to approved code of conduct and approved certification mechanism), the mentioned ‘notice’, which you can read in full here (PDF opens), states that “the Commission (DG JUST) is working with interested parties and data protection authorities to make the best use of these new instruments. Moreover, the Commission has set up a stakeholder group comprised of industry, civil society and academics, in which this topic will be discussed”.
So: to be checked and followed by UK organizations who already did efforts – or plan to – in the scope of an approved code of conduct or approved certification mechanism, if this effort is done or planned in the context of a possible absence of adequacy decisions and/or an absence of BCRs and other possibilities).
Another question concerns data which were obtained before the EU withdrawal date.
In case you have missed it as a UK organization, in September 2017 a position paper on the use of data and protection of information obtained or processed before the withdrawal date in the scope of Brexit which you can read here.
The Data Protection Bill: what UK organizations should know for now
Last, but not least, a few words on the earlier mentioned UK’s Data Protection Bill. It is NOT a copy and paste of the General Data Protection Regulation.
So, for UK companies it’s of course essential to look at both the GDPR and the Data Protection Bill, which has been published on 14 September 2017.
From the factsheet regarding the UK Data Protection Bill on the differences between the Bill and the GDPR: “The Data Protection Bill is a complete data protection system. As well as governing general data covered by GDPR, it covers all other general data, law enforcement data and national security data”.
The Data Protection Bill also “exercises a number of agreed modifications to the GDPR to make it work for the benefit of the UK in areas such as academic research, financial services and child protection”.
In other words: on top of the provisions which the GDPR enables Member States to make and have been made in the Data Protection Bill, the Data Protection Bill also covers aspects such as the role of the country’s data protection authority (DPA), the processing of personal data in contexts outside of the EU GDPR and special rules in the scope of law enforcement.
The Data Protection Bill has completed the House of Lords stages and was presented to the House of Commons on January 18, 2018.
Just as the GDPR does, the Data Protection Bill allows transfers of personal data outside the UK under specific circumstances. The ICO, the UK’s DPA offers all the necessary, updated information on the Data Protection Bill via this link.
Top image: Shutterstock – Copyright: melis – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for EU GDPR compliance.