Data transfers are a staple to the global ecosystem of the digital services economy, despite this, the future of cross-border data transfers between Member States within the European Union ("EU") and the United Kingdom ("UK") is still uncertain due to the possible scenario of a no deal BREXIT.
Such uncertainty will have an overall effect on the EU's economy, not simply because of the considerable amount of data transfers occurring between the EU and UK, but because EU based entities may possibly end up in a situation for which they are not sufficiently prepared: that is BREXIT.
Effectively once BREXIT takes place the UK will be treated as a third country and unless a BREXIT deal is put on the table, inclusive of a proper agreement on how data protection and consequently data transfers are to be treated, certain EU based entities may end up in a situation where it will not be feasible for them to carry out trade with the UK.
In accordance with the General Data Protection Regulation (2016/679) ("GDPR") and in preparation for what had to be the final BREXIT date, the European Data Protection Board ("EDP Board") issued an information note1 for the purpose of laying out the available legal instruments on the basis of which data may be transferred from the EU to the UK. In the absence of such legal instruments, data transfers may be deemed to be in breach of national data protection laws and effectively the GDPR, disrupting multiple organisations, increasing legal and compliance costs, undermining innovation and effectively impacting the end-consumer.
European Data Protection Board's Information Note
The information note ("Note") issued by the EDP Board outlines four main types of legal instruments on the basis of which data may be transferred from the EU to the UK in the absence of an adequacy decision: Standard or ad hoc Data Protection Clauses, Binding Corporate Rules, Codes of Conduct, Certification Mechanisms and Derogations.
- Standard or ad hoc Data Protection Clauses
There are three sets of Standard Data Protection Clauses currently available, two sets of standard clauses for EU controllers to third country processors and standard clauses for EU controllers. When standard clauses are modified these would then fall within the category of ad-hoc contractual clauses and approval would need to be acquired prior to their use. Such approval must be granted by the competent national supervisory authority, in the case of Malta, the office of the Information and Data Protection Commissioner.
- Binding Corporate Rules
Another option would be for EU based entities to make use of Binding Corporate Rules. These Rules are personal data protection policies intended to be used by a group of undertakings (i.e. multinationals) for the purpose of providing appropriate safeguards when transferring data. Through its Note, the EDP Board provided that an organisation may still rely on Rules formerly authorised under Directive 95/46/EC (the former Data Protection Directive) in so far that they are revised to be put in line with the GDPR.
- Codes of conduct and certification mechanisms
The EDP Board is currently working on guidelines for the purpose of creating a harmonized code of conduct and certification mechanisms.
- Derogations
The Note provides that "derogations allow the data transfers under certain conditions and are exceptions to the rule of having put in place appropriate safeguards". Accordingly, derogations are an exception to the rule and not the norm and should thus be interpreted in a strict manner.
Article 49 of the GDPR provides that such derogations may apply in cases where: "an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer", and in cases where it is "necessary for the performance or the conclusion of a contract between the individual and the controller or the contract is concluded in the interest of the individual".
Moreover, the Note offers guidance to entities on necessary preparatory action to be taken by EU entities to prepare for a no deal BREXIT. Entities should undergo an identification process to determine which activities will imply the transferring of data to the UK and which legal instrument is to be applicable. Moreover, privacy notices should be updated and effectively concerned individuals, that is the data subjects, should be informed of such EU to UK data transfer.
Adequacy Decisions
In an ideal situation, the EU grants an adequacy decision in favour of the UK, deeming the UK's data protection laws sufficiently robust to meet GDPR standards.
Unfortunately, there are several issues that could obstruct the EU from granting an adequacy decision in favour of the UK, such as the possibility that the UK won't be retaining the EU Charter of Fundamental Rights, effectively meaning that the UK will not treat privacy as a fundamental human right.
Moreover, the UK's Investigatory Powers Act of 2016 could be deemed incompatible with the GDPR, even more so when the European Court of Justice deemed UK surveillance laws to lack the necessary protections to be afforded to the right to privacy.
Other concerns that the EU may raise include the possibility that the UK, once it is a non-EU Member State, will transfer data to other third countries deemed inadequate to receive EU citizen's data. This predicament is especially true since the UK is a member of the Five Eyes alliance, an intelligence sharing arrangement between Australia, Canada, New Zealand, the UK and the US. It may also be worrisome that the UK acts as a backdoor for the US to access EU citizen data, especially if the UK has a less rigorous agreement with the US than the one currently present between the EU and the US, that is the Privacy Shield.2
In the case of a non-adequacy decision being given, which decision might take years, the aforementioned legal instruments will play an essential role in enabling EU to UK data flows.
Considering the great challenge that the coming into force of the GDPR presented itself to be to undertakings who sought to be in adherence with the same GDPR, BREXIT should not be taken lightly, even if its actual happening may seem improbable after so many turnabouts.
Undertakings, especially local based entities with UK ties, should take stock of all of their data flows and the impact that BREXIT, especially a no deal BREXIT, could have on their business.
Footnotes
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
