Business will continue whether it’s with or without the UK, but companies need certainty as to which actions to take under data protection rules.

The “General Data Protection Regulation” (the “GDPR”) became applicable as of 25 May 2018 in all EU Member States, including the UK. At this stage, the future of the UK is highly unpredictable: will the UK leave the EU with or without an Exit Agreement? What if it stays in the EU after a last-minute change of plans?

Assuming the (rather unlikely) situation where the UK remains in the EU, there would be status quo. Therefore, our focus here is on how to help companies in the event that the UK leaves the EU on 30 March 2019 at 00.00 am CET   – with or without an Exit Agreement –  so that they can anticipate its impact under the GDPR and take appropriate action.

This article explains how data transfer mechanisms could change for companies that want to transfer personal data to and from the UK.

Data transfer mechanisms

The transfer of personal data from the UK to non-EU-based companies will have different consequences depending on whether or not the company is based in a country that holds an adequacy decision from the EU Commission.

This following section is divided into 4 sub-sections: 1) UK companies 2) non-EU-based companies (including US companies that are not certified under the Privacy Shield Framework) 3) Privacy Shield certified companies and 4) the position of Iceland, Lichtenstein and Norway.

Please find below a table which summarizes all possibilities:

 

 

 

 

 

 

 

 

 

1. UK Companies

In the event that there is no Exit Agreement between the EU/EEA and the UK (i.e. no-deal Brexit), the UK will become a third country as from 00.00 am CET on 30 March 2019. This means that, in the absence of an adequacy decision, the transfer of personal data from the EU/EEA to the UK will have to be based on one of the following instruments as of 30 March 2019: Standard or ad hoc Data Protection Clauses, Binding Corporate Rules, Codes of Conduct and Certification Mechanisms or Derogations.

The UK Government currently allows personal data to flow freely from the UK to the EU/EEA, and this will continue in the event of a no-deal Brexit.

2. Non-EU-based companies (including US companies that are not certified under the Privacy Shield Framework)

A distinction should be made between companies established in countries that benefit from an adequacy decision and those that don’t.

Currently, only a limited number of countries/regions have been granted an adequacy decision by the EU Commission: Andorra, Argentina, Canada (commercial organisations) Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (only for those companies that have their Privacy Shield certification).  

• If there’s an adequacy decision

When a company is based in a country that benefits from an adequacy decision from the EU, two possible situations should be kept in mind:

A. Exit Agreement with the UK

In this case, a Transition Period will be put in place which will allow data flows to continue in the same way as they are happening now.

B. No Exit Agreement (or after Transition Period)

The non-EU-based company will not be able to rely on the adequacy decision to transfer data with the UK. For the transfer to be lawful, the company will need to rely on the other data transfer mechanisms: Standard or ad hoc Data Protection Clauses, Binding Corporate Rules, Codes of Conduct and Certification Mechanisms or Derogations.

• If there’s no adequacy decision

A company based in a country that does not have an adequacy decision from the EU will not be affected by the UK’s exit. The conditions applicable to data transfers with the UK – whether with or without an Exit Agreement – will not change. Since the UK Data Protection Act (national law) will still apply after the UK’s exit, the following data transfer mechanisms will be applicable: Standard or ad hoc Data Protection Clauses, Binding Corporate Rules, Codes of Conduct and Certification Mechanisms or Derogations.

3. Privacy Shield and Brexit

This section is specifically aimed at US-based companies that are Privacy Shield Certified. As a way of reminder, the Privacy Shield is the name that was given to the adequacy decision granted by the EU Commission (under article 45 of the GDPR) which ensures that the level of protection provided by a US company with that certification is equivalent to the one existing in the EU. Therefore, the transfer of data from the EU to this US company is much easier and implies less legal restrictions (but this does not mean that the Privacy Shield Certified company is GDPR compliant). Click here to read our article on 4 of the most common mistakes made about the GDPR by Privacy Shield companies

Many Privacy Shield Certified companies are therefore quite concerned about the actions that they should take in the event that the UK leaves the EU – whether or not an Exit Agreement is reached – because data flows from the UK will no longer fall under the Privacy Shield Framework.

The US Government has already published its advice for Privacy Shield companies (See link below in the “References” section). A distinction must be made between a situation in which there’s an Exit Agreement which includes a Transition Period and a situation in which there is No Transition Period (and after the Transition Period is finished).

1. First case scenario: Transition Period

During this Transition Period, which would apply right after 30 March 2019, EU rules (including data protection laws) will remain applicable until 31 December 2020. This means that the Privacy Shield Framework will still remain in place for data transfers with the EU (including with the UK). No additional action from the Privacy Shield company will be required.

2. Second case scenario: No Transition Period

In the event that the UK and the EU do not finalise an Exit Agreement by 30 March 2019, Privacy Shield companies must take the steps below by 30 March 2019 (or by 31 December 2020 after the Transition Period is terminated).

– A Privacy Shield organization will have to update its public commitment to comply with the Privacy Shield to include the UK.  Public commitments must state specifically that the commitment extends to personal data received from the UK in reliance on Privacy Shield.  If an organization plans to receive Human Resources (HR) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy.  Model language for these updates is provided below:

(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view the certification, please visit https://www.privacyshield.gov/.

– Second, organizations must maintain a current Privacy Shield certification, recertifying annually as required by the Framework.

An organisation that does not modify its commitment as directed above will not be able to rely on the Privacy Shield Framework to receive personal data from the UK after 30 March 2019 if there is no Transition Period or 31 December 2020, at the end of the Transition Period.

After such dates, an organization that has publicly committed to comply with the Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.

4. Position of Iceland, Liechtenstein and Norway

As a way of reminder, the GDPR was incorporated into the European Economic Area (EEA) Agreement on 6 July 2018. This means that Iceland, Liechtenstein and Norway apply the GDPR rules.

On 20 December 2018, the UK Government published an Agreement on separation issues with Iceland, Liechtenstein and Norway (‘the EEA EFTA states’). In particular, this includes a deal on citizens’ rights that protects the rights of EEA EFTA nationals in the UK and UK nationals in the EU/EEA, ensuring that they can continue to contribute to their communities and live their lives broadly as they do now.

Title IV of this Agreement concerns “Data and Information processed or obtained before the end of the Transition Period, or on the basis of the Agreement”. Provisions in this title aim at maintaining the same level of protection of data processing that currently exists.

Similar to the situation explained under the Privacy Shield Framework, the EEA countries expect the rules to remain the same. In the event of a Transition Period, the UK will still need to guarantee an adequate level of protection.

References

• Agreement on arrangements between Iceland, the Principality of Liechtenstein, the Kingdom of Norway and the United Kingdom of Great Britain and Northern Ireland following the withdrawal of the United Kingdom from the European Union, the EEA Agreement and other agreements applicable between the United Kingdom and the EEA EFTA States by virtue of the United Kingdom’s membership of the European Union:

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/766995/Agreement_on_arrangements_between_Iceland__the_Principality_of_Liechtenstein__the_Kingdom_of_Norway_and_the_United_Kingdom_of_Great_Britain_and_Northern_Ireland_following_the_withdrawal_of_the_United_Kingdom_from_the_European_Union_.pdf

• EDPB’s Information note on BCRs (Binding Corporate Rules) for companies which have ICO as BCR Lead Supervisory Authority:

https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-02-12-infonote-bcrs-brexit_en.pdf

• EDPB’s Information note on data transfers under the GDPR in the event of a no-deal Brexit:

https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-02-12-infonote-nodeal-brexit_en.pdf

• Explainer for the agreement on arrangements between Iceland, the Principality of Liechtenstein and the Kingdom of Norway, and the United Kingdom of Great Britain and Northern Ireland, following the withdrawal of the United Kingdom from the European Union:

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/766998/Explainer_-_UK-EEA_EFTA_Separation_Agreement.pdf

• ICO’s Guidance on Data Protection and Brexit:

https://ico.org.uk/for-organisations/data-protection-and-brexit/

• Privacy Shield official Government’s website on Brexit:

https://www.privacyshield.gov/article?id=Privacy-Shield-and-the-UK-FAQs

• UK’s Government website on Brexit:

https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal

 

Contact

Contact us via e-mail: info@edpo.brussels

Call us: +32 2 216 19 71