Is your data protection policy ready for Brexit?
Here is how to make sure that you can still transfer personal data to the UK. Read the Brexit tips and advice from Lexing Belgium.
On 31 January 2020, the United Kingdom officially left the European Union. However, the Withdrawal Agreement, which came into force on 1 February 2020, also opened a transition period during which all EU law, including the GDPR, continues to apply in the UK. This transition period ends on 31 December 2020. It is therefore high time to prepare for this fast-approaching deadline.
What are the consequences for companies established in EU Member States?
To avoid personal data becoming subject to a foreign legal framework that is less protective than the GDPR, the transfer of personal data outside the EU is prohibited in principle and permitted only under the conditions of Chapter V of the GDPR.
From 1 January 2021, the United Kingdom will be a “third country” for the purposes of the GDPR. This means that any transfer of personal data from an EU Member State to the UK will constitute a “cross-border flow” whose lawfulness must be assessed in the light of Articles 44 to 49 of the GDPR.
According to Article 45 of the GDPR, data may be transferred to a third country when the European Commission has adopted a so-called “adequacy decision” establishing that the recipient country provides a level of data protection “essentially equivalent” to that guaranteed by the GDPR.
At the moment, no such adequacy decision has been adopted by the European Commission for the UK, and there is no guarantee that one will be in place on 1 January 2021.
In the absence of an adequacy decision, as the EDPB has confirmed, a transfer may take place only if the exporter provides “appropriate safeguards” within the meaning of Article 46 of the GDPR, or if one of the derogations of Article 49 applies.
What should you do?
Besides an adequacy decision, there are four ways of ensuring the required level of protection.
- 1. Contractual clauses
The European Commission has adopted decisions, the most recent in 2010, to which standard contractual clauses (“SCCs”) for the transfer of personal data to third countries are annexed.
In its judgment of 16 July 2020 (the “Schrems II judgment”), the Court of Justice of the European Union (“CJEU”) confirmed that SCCs remain valid and can be used to transfer data to a third country. However, the CJEU added that SCCs are not necessarily sufficient on their own.
Why? SCCs are contractual obligations that bind only the parties that sign them. They cannot bind the public authorities of the third country and therefore cannot, by themselves, guarantee an adequate level of protection against state interference (for example, government access to the data for surveillance purposes).
It is therefore necessary for the exporter (the controller, or the processor acting on its behalf) to assess the law and practice prevailing in the third country and, where applicable, to adopt “supplementary measures” to ensure that the protection offered by the SCCs is effective in practice. This assessment must be made on a case-by-case basis, for each transfer, in collaboration with the recipient of the data.
The CJEU does not specify what these measures could be, other than that they must be effective mechanisms which make it possible, in practice, to ensure compliance with a level of protection essentially equivalent to that guaranteed by the GDPR.
To remove uncertainty about the concept of supplementary measures and help controllers assess the third country legislation, the EDPB published two recommendations (Recommendation 01/2020 and 02/2020) on 11 November 2020.
The first recommendation focuses on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. It contains a six-step roadmap to help exporters assess whether a transfer ensures appropriate safeguards: know your transfers, identify the transfer tool relied on, assess the law and practice of the third country, identify and adopt supplementary measures where needed, take the procedural steps the measures require, and re-evaluate at appropriate intervals.
The second recommendation deals with the “European Essential Guarantees” for surveillance measures. It helps exporters assess whether the rules allowing public authorities of the importer’s country to access personal data can be regarded as a justifiable interference, by checking four guarantees: the access must be based on clear, precise and accessible rules; it must be necessary and proportionate; it must be subject to independent oversight; and effective remedies must be available to the individual. One thing is certain: the United Kingdom has significant surveillance powers, and caution is therefore necessary.
It is therefore up to the exporter to decide what technical (for instance, strong encryption with keys held only in the EU), contractual and/or organisational measures must be taken to protect the data transferred. The EDPB notes that contractual and organisational measures alone will generally not be enough where the third-country legislation allows disproportionate access; in such cases an effective technical measure is required, failing which the transfer must be suspended.
On 12 November 2020, the day after the adoption of the above-mentioned recommendations, the European Commission published a new version of the SCCs, updated to reflect the entry into force of the GDPR and the Schrems II judgment. This new version is currently only a draft, which was open to public consultation. Adoption of the final version of the SCCs is expected in early 2021. The draft provides for a one-year period to replace the current clauses with the new version.
- 2. Binding Corporate Rules (BCRs)
Where data transfers take place within the same corporate group, companies may put in place “Binding Corporate Rules” (BCRs). The purpose of these rules is to ensure that data are adequately protected by all group entities. Each group entity must adhere to these rules in order to secure data transfers within the group, regardless of where the data are located.
However, BCRs have the same weakness as SCCs in relation to state interference: they bind the group entities, not the public authorities of the third country, so the same assessment of UK law and practice and the same supplementary measures are required.
In addition, BCRs must be approved in advance by the competent supervisory authorities, a procedure that typically takes many months; this is not an option when you need to be ready before 31 December 2020.
- 3. Codes of conduct and certifications
Data transfers can also be based on approved codes of conduct or certification mechanisms, combined with binding and enforceable commitments by the importer to apply the appropriate safeguards. These tools must be binding and adapted to the concrete specificities of the sector concerned.
To date, no code of conduct or certification mechanism has been approved for use as a transfer tool.
- 4. Derogations under Article 49 of the GDPR
When none of the three tools set out above can justify the transfer of data to a third country, the controller may, as a last resort, try to rely on the derogations provided for in Article 49 of the GDPR. The EDPB interprets these derogations restrictively: they are meant for occasional, non-repetitive transfers and cannot serve as the basis for a structural flow of data to the United Kingdom. The transfer must meet one of the conditions listed in Article 49(1), in particular:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfer due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for important reasons of public interest.
Conclusion
Controllers who continue to transfer data to the UK after 31 December 2020 without being able to rely on one of the four transfer tools listed above are in breach of the GDPR and expose themselves to enforcement action by the supervisory authorities (including orders to suspend the transfer and administrative fines) and to claims by data subjects.
The same is true for controllers who simply continue to apply the SCCs without assessing the law and practice applicable in the UK and without adopting supplementary measures where necessary.
Our advice:
In conclusion, we advise you to:
- identify in your record of processing activities (ROPA) whether data are transferred to recipients (service providers, subsidiaries, cloud hosting providers, etc.) located in the United Kingdom, not forgetting onward transfers by your processors;
- determine whether each transfer can continue on the basis of one of the tools listed in Article 46 of the GDPR, and document your assessment of UK law and practice and the supplementary measures adopted;
- implement the chosen tool before 1 January 2021;
- update your ROPA accordingly;
- state in your data protection policy that data are transferred outside the European Union, and more specifically to the United Kingdom, and refer to the appropriate safeguards adopted and to the means by which a copy of them can be obtained or where they have been made available.