A brief overview of possible implications for companies both in and outside of the United Kingdom relating to cross-border data transfers after Brexit.
On 09 January 2018 the European Commission Directorate-General Justice and Consumers published a notice to stakeholders regarding the withdrawal of the United Kingdom from the Union and EU rules in the field of data protection. Herein, the Commission informs the stakeholders that pursuant to the withdrawal of the United Kingdom from the EU in accordance with Art. 50 of the EU Treaty, the United Kingdom will become a “third country” after the withdrawal date. It is against this background that the Commission reminded all stakeholders processing personal data of legal repercussions which need to be considered when the United Kingdom becomes a third country, as there would be significant uncertainties concerning the content of a possible withdrawal agreement. Subject to any transitional arrangement that may be contained in a possible withdrawal agreement, as of the withdrawal date, the EU rules for transfer of personal data to third countries would apply.
In the following the Commission points out that aside from an “adequacy decision”, the EU’s data protection rules (both under the current Directive 95/46 and under the new General Data Protection Regulation 2016/679, “GDPR”, which will apply as of 25 May 2018) allow a cross-border data transfer into a third country if the controller or processor has provided “appropriate safeguards”. These safeguards may be provided for by standard data protection clauses; binding corporate rules; approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country or approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country. Moreover, the Commission suggests that in the absence of an adequacy decision or of appropriate safeguards a transfer or a set of transfers may take place on the basis of so-called “derogations”, which allow transfers in specific cases, such as based on consent, for the performance of a contract, for the exercise of legal claims or for important reasons of public interest. In the following the Commission highlights that the GDPR has simplified the use of these tools by cutting red tape compared to the current Directive 95/46.
The fact that the Commission lists and explains in detail all other possibilities which may allow cross-border data transfers to third countries aside from an adequacy decision leaves a big question mark as to whether or not the Commission will declare the United Kingdom to be an adequate jurisdiction. As a matter of principle the passing of an adequacy decision ought to be logically straightforward - the United Kingdom has laws that comply with the current directive and is implementing GDPR. However, passing an adequacy decision not only has its legal aspects, but it also requires a political decision and process.
Generally, cross-border data transfers to third countries would be significantly easier if there was an adequacy decision for the United Kingdom. However, if it was likely that the United Kingdom received an adequacy decision from the Commission, there would be no need to explain the other tools in detail while highlighting that the GDPR has simplified the use of those tools.
In the absence of an adequacy decision, which seems to be highly probable considering the above, personal data may in principle only be transferred to third countries (i) if the controller or processor exporting the data has himself provided for appropriate safeguards, and (ii) on the condition that enforceable data subject rights and effective legal remedies are available in the given country.
As a consequence, companies both in- and outside of the United Kingdom should identify and map all cross-border data flows to the United Kingdom, examine and assess for each of these flows whether any appropriate safeguards have been put in place, and/or if not, whether any specific derogations apply. Preparing for the GDPR should not hinder companies from preparing for Brexit.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.