“Hard Brexit”: rules for transferring data from the EEA to the UK
Following the latest extension granted by the European Union to the United Kingdom to allow the British Parliament to approve the exit plan negotiated between the government and the EU, if that agreement is not approved (“no-deal Brexit”), the United Kingdom will become a third country from 12 April 2019 for the purposes of the GDPR.
Third-country status excludes the United Kingdom from the area of free flow of personal data established by the GDPR in art. 1 (3) between EU Member States, and requires data controllers and processors to identify and implement a legal basis for the transfer of personal data to the third country from among those established in Chapter V of the GDPR.
In view of a no-deal Brexit, the European Data Protection Committee – the collective body of EU supervisory authorities – has adopted an information note aimed at clarifying these aspects for data controllers and processors who transfer personal data to the UK.
Discover all answers in this article by ICT Legal Consulting, an international law firm with offices in Milan, Bologna, Rome and Amsterdam and presence in nineteen other countries specialized in the fields of ICT, Privacy, Data Protection/Security and Intellectual Property Law.
The European Data Protection Board (“EDPB”) has adopted an information note for public and private entities on transfers of personal data to the United Kingdom in the event of a “Brexit” without an agreement (“no-deal Brexit” or “hard Brexit”), as a result of which the UK will become a “third country” within the meaning of data protection rules.
Recital 108 of Regulation (EU) 2016/679 (hereinafter “Regulation”) establishes that in “the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of Data Protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of Binding Corporate Rules, standard Data Protection Clauses adopted by the Commission, standard Data Protection Clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority”.
Indeed, the UK may become a third country on March 30th, 2019.
This means that after that date, the transfer of personal data from the EEA to the UK has to be based on one of the following instruments:
- Standard or ad hoc Data Protection Clauses
- Binding Corporate Rules (“BCRs”)
- Codes of Conduct and Certification Mechanisms
- Derogations pursuant to Article 49 of the Regulation.
For transfers of data from the UK to the EEA, as in any other case of transfer towards the latter, “hard Brexit” will not cause any issues in the free circulation of personal data.
I. Standard Clauses
Article 46.2.c) of the Regulation states that, in the absence of an adequacy decision, the transfer of data can take place by adopting “standard data protection clauses” adopted by the European Commission.
The reference remains the standard contractual clauses in their Controller-to-Controller version (decision 2001/497/EC and decision 2004/915/EC) and Controller-to-Processor version (decision 2010/87/EU), adopted by the Commission under Article 26.4 of Directive 95/46.
Furthermore, pursuant to Article 46.3.a) and Recital 108 of the Regulation, the data controller and the data processor may draft specific contractual clauses to arrange the transfer of personal data to the third country, which shall be approved by the competent supervisory authority.
II. Binding Corporate Rules
BCRs are defined by Article 4, no. 20 of the Regulation as “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.
If a company or public authority does not yet have BCRs, these will have to be approved by the competent national supervisory authority, on the basis of a European Data Protection Committee’s opinion, before they can be used.
III. Codes of Conduct and Certification Mechanisms
Codes of conduct and certification mechanisms are among the legal instruments introduced by the Regulation, under Article 40 and Article 42 respectively, which may serve as appropriate safeguards for transfers of personal data to third countries, where they include binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards, including as regards data subjects’ rights.
It should be noted that the exceptions (to the obligations referred to in Article 45 and in Article 46) provided for by Article 49 of the Regulation allow personal data to be transferred to third countries only under certain conditions. The derogations listed in Article 49.1 of the Regulation include, among others, the following conditions:
- the explicit consent to the intended transfer by the data subject, provided that he has received information regarding the risks associated with such transfer;
- the transfer is necessary for the purposes of the performance of a contract concluded between the data subject and the data controller (or the implementation of pre-contractual measures), or of a contract stipulated in the interest of the data subject;
- the transfer is necessary for important reasons of public interest.
If there are no circumstances for applying Article 45 or Article 46, and no derogation under Article 49.1 can be applied either, the transfer may be legitimate if, among others, the personal data transferred is related to processing activities that are occasional and non-repetitive, or is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject (Article 49.1.§2).