International Data Transfers in the Limbo of Brexit
By Francesca Petronio, Massimo Ugo Maria Contesso
In the final days of the countdown to Brexit, the possibility of an agreement with the European Union is still uncertain, and doubts remain about the future of personal data flows from and towards the United Kingdom. In fact, despite the political arrangement reached on 14 November 2018 (the “Withdrawal Agreement”), this agreement has not yet been ratified, and whether or not it is ratified will have significant consequences for international data transfers between the United Kingdom and Italy. As explained by the U.K. Government
On 12 February 2019 the European Data Protection Board (EDPB) published (as the Italian Data Protection Authority (the “Garante”) also reported
At the moment, as all options regarding Brexit are still on the table, both scenarios, ratification or not, must be taken into consideration.
I. Withdrawal Agreement ratified before the Exit Date
As provided by the Withdrawal Agreement
the United Kingdom must continue applying the EU data protection rules to the personal data exchanged between the United Kingdom and the Member States of the European Economic Area, until the European Union has established, by way of a formal, so-called “adequacy decision” pursuant to Article 45 of the General Data Protection Regulation, that the personal data protection regime of the United Kingdom provides data protection safeguards which are “essentially equivalent” to those in the European Union.
II. Withdrawal Agreement not ratified by the Exit Date – Implications on Data flows from the EEA to the U.K.
If no deal is agreed upon by the exit date, and unless the European Council, in agreement with the Member State concerned, unanimously decides to extend the two-year period provided for by Article 50 of the Treaty on European Union, then starting at 00.00 CET on the day after the Exit Date, European Union law will cease to apply in the United Kingdom and the U.K. will effectively become a third country under the GDPR. As a consequence, every enterprise will need to review its internal policies in line with the five steps recommended by the EDPB.
In particular, any organization should:
1. Identify which processing activities will involve a transfer of personal data to the U.K.;
2. Determine the appropriate data transfer instrument based on the specific situation of each organization (see below);
3. Implement the chosen data transfer instrument so as to be ready for the Exit Date;
4. Indicate in the internal documentation of the organization that transfers will be made to the U.K.; and
5. Update the privacy notice of the organization accordingly to inform individuals.
The U.K. would need to seek adequacy decisions
Therefore, the EDPB No-Deal Note lists the following available data transfer instruments (point 2 above). Pursuant to Article 46 of the GDPR, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available, these represent the appropriate safeguards that a controller or processor must provide in order to be permitted to transfer personal data to a third country or an international organization:
A. Standard or ad hoc Data Protection Clauses
The European organization and the U.K. counterpart may agree on the use of Standard Data Protection Clauses
However, the parties’ autonomy is not limited, since it is possible to shape the content of the clauses in order to create appropriate safeguards that take a particular situation into account; in that case the clauses are considered ad hoc contractual clauses and must therefore be approved by the competent national supervisory authority, following a positive opinion of the EDPB.
B. Binding Corporate Rules (BCR)
Personal data protection policies adhered to by a group of undertakings (i.e., multinationals), which provide appropriate safeguards for transfers of personal data within the group, including outside the EEA, are referred to as Binding Corporate Rules under Article 47 of the GDPR. If not already in place, the BCRs must be approved by the competent national supervisory authority after the EDPB has issued its opinion.
C. Codes of Conduct and Certification Mechanisms
Appropriate safeguards for transfers of personal data may also be offered by a code of conduct or a certification mechanism, provided that these instruments contain binding and enforceable commitments by the organization in the third country for the benefit of the individuals. Given that this option was introduced for the first time by the GDPR, specific guidelines for using these tools will be issued by the EDPB.
In the absence of an adequacy decision or of one of the appropriate safeguards mentioned above, transfers of personal data to the United Kingdom may take place only under certain conditions, which have to be regarded as exceptions and must therefore be interpreted restrictively.
As mentioned in the EDPB No-Deal Note, these derogations, provided for by Article 49 of the GDPR, include amongst others: (i) the data subject has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer; (ii) the transfer is necessary for the performance or conclusion of a contract between the data subject and the controller, or of a contract concluded in the interest of the data subject; (iii) the transfer is necessary for important reasons of public interest; (iv) the transfer is necessary for the establishment, exercise, or defence of legal claims; (v) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; and (vi) the transfer is made from a register which, according to Union or Member State law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. Lastly, where the transfer is occasional, not repetitive, and concerns only a limited number of data subjects, it may take place only if it is necessary for the purposes of compelling legitimate interests pursued by the organization (subject to the further conditions set out in Article 49 of the GDPR, including that the legitimate interests of the controller are not overridden by the interests or rights and freedoms of the data subject).
The EDPB Guidelines on Article 49 of GDPR
III. Data transfers from the U.K. to EEA Members in case of a No-deal Brexit
Our analysis has focused on the transfer of personal data from the EEA to the U.K., but the opposite process is not in a legal vacuum.
The EDPB No-Deal Note explains that, as regards data flows from the U.K. to any EU/EEA country, this type of transfer will be regulated in compliance with the current rules. According to the U.K. Government,
The political uncertainties surrounding the different scenarios mean that businesses must prepare for a “No Deal” Brexit in relation to the processing and transfer of personal data.
As underlined by the U.K. Government,
The entities concerned must assess the “appropriate safeguards” referred to in Article 46 of the GDPR in order to determine which one is most suitable for their situation, and ensure that it is in place by the Exit Date.