18 Mar “Hard Brexit”: rules for transferring data from the EEA to the UK

Introduction

The European Data Protection Board (“EDPB”) has adopted an information note[1] for public and private subject on transfers of personal data to the United Kingdom in case of “Brexit” without an agreement (“no-deal Brexit” or “hard Brexit”), which will imply for the UK to become a “third country” in the meaning of data protection rules.

Recital 108 of Regulation (UE) 2016/679 (hereinafter “Regulation”) establishes that in “the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of Data Protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of Binding Corporate Rules, standard Data Protection Clauses adopted by the Commission, standard Data Protection Clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority”.

Indeed, the UK may become a third country on March 30^th, 2019.

This means that after that date, the transfer of personal data between the EEA to the UK has to be based on one of the following instruments:

1. Standard or ad hoc Data Protection Clauses
2. Binding Corporate Rules (“BCRs”)
3. Codes of Conduct and Certification Mechanisms
4. Derogations pursuant to Article 49 of the Regulation.

For transfers of data from the UK to the EEA, as in any other case of transfer towards the latter, “hard Brexit” will not cause any issues in the free circulation of personal data.

Main issues

I. Standard Clauses

Article 46.2.c) of the Regulation states that, in the absence of an adequacy decision, the transfer of data can take place by adopting “standard data protection clauses” adopted by the European Commission.

Reference is still to the standard contractual clauses in their version Controller to Controller – decision 2001/497/EC and decision 2004/915/EC – and Controller to Processor – decision 2010/87/EU, adopted by the Commission under Article 26.4 of Directive 95/46, pursuant to Article 26.4.

Furthermore, pursuant to Article 46.3.a) and Recital 108 of the Regulation, the data controller and the data processor may draft specific contractual clauses to arrange the transfer of personal data to the third country, which shall be approved by the competent supervisory authority.

II. Binding Corporate Rules

BCRs are defined by Article 4, no. 20 of the Regulation  as “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.

To be used by company or public authority does not have a BCR, these will have to be approved by the competent national supervisory authority on the basis of an European Data Protection Committee’s opinion.

III. Codes of Conduct and Certification Mechanisms

Code of conducts and the certification mechanisms are among the legal instruments introduced by the Regulation, respectively under Article 40 and Article 42, which may serve as appropriate safeguards for transfer of personal data to third countries, where they include binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards, including as regards data subjects’ rights.

IV. Exceptions

It should be noted that the exceptions (to the obligations referred to in Article 45 and in Article 46) provided for by Article 49 of the Regulation allow personal data to be transferred to third countries only under certain conditions. The derogations listed in Article 49.1 of the Regulation include, among others, the following conditions:

• The explicit consent to the intended transfer by the data subject, provided that he has received information regarding the risks associated with such transfer;
• The transfer is necessary for the purposes of the performance of a contract concluded between the data subject and the data controller (or the implementation of pre-contractual measures), or of a contract stipulated in the interest of the data subject;
• The transfer is necessary for important reasons of public interest.

If there are no circumstances for applying Article 45 or Article 46, and no derogation under Article 49.1 may be successfully applied as well mainly, the transfer may be legitimate if, among others, the personal data transferred is related to processing activities that are occasional and non-repetitive, or is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject (Article 49.1.§2).

Practical implications

All the above considered, the EDPB, in case of transfer of data from EEA to UK, suggest that the organizations should:

1. Identify what processing activities will imply a personal data transfer to the UK
2. Determine the appropriate data transfer instrument according to the specific situation
3. Implement the chosen data transfer instrument to be ready for 30 March 2019
4. Indicate in internal documentation that transfers will be made to the UK
5. Update privacy notice accordingly to inform data subjects

[1] EDPB,  Information note on BCRs for companies which have ICO as BCR Lead Supervisory Authority – 12 February 2019