Making Britain ‘Adequate’ Again

No, this is not a political statement, though I couldn’t resist a play on words that also takes a poke at nationalist imbeciles on both sides of the Atlantic.

Instead, this is about the UK’s pending/potential/who-the-hell-knows-when/if exit from the EU and its effects on international transfers of personal data to/from the UK to/from the EU. Amazingly this is still confusing to a significant portion of the population, if they have even looked into it at all. You must understand that unless you have absolutely no intention of doing business whatsoever with your soon-to-be-ex EU counterparts, it’s the UK businesses that will need to be pro-active. Well, pro-active was three years ago, but you simply must make it easy for EU-based businesses to work with you regardless of the Brexit result.

The bottom line is that the way we in the UK send personal data to the EU post-Brexit will be unchanged. The UK government has already accepted not only the remaining 27 member states as being ‘adequate’ (similar to GDPR Article 45), but has also accepted all of the existing Commission adequacy decisions (i.e. the EEA member states not in the EU, Argentina, Uruguay, Canada etc.).

However, the way we accept personal data transfers from the EU will change significantly, and a lot will depend on whether it’s a deal or no-deal Brexit:

  1. Brexit with a signed ‘Withdrawal Agreement’ (‘deal’) in place – If the UK was to leave the EU on Nov. 1st 2019 we would have, at a minimum, until 31st Dec. 2020 for the Commission to agree to an adequacy decision for the UK. If that’s not enough time, there is a possibility of a 2-year extension. The UK would become a third country at that point, but nothing additional is required for international transfers in either direction from what is required now;
  2. Brexit WITHOUT a signed ‘Withdrawal Agreement’ in place (‘no deal’) – The UK would become a ‘third country’ on Nov. 1st with no recourse. There would be no adequacy decision (Art. 45), no ‘transition period’, and any transfers not ‘legitimised’ under Arts. 46 (‘appropriate safeguards’), 47 (binding corporate rules), or 49 (derogations) will be considered illegal and subject to administrative fines (under Art. 83(5)(c)).

So for those thinking that the GDPR won’t apply post-Brexit you are either choosing to remain ignorant or you don’t care because it actually doesn’t apply to you. But the only way GDPR won’t apply is if you process absolutely NO personal data from ‘data subjects in the EU’. Everyone else needs to do something, and the more you are supposed to be doing, the worse things will be for you if you don’t comply.

Even I, a sole trader in my consultancy practice, who is neither a lawyer nor a data protection expert, and who does not currently have any business outside of the UK, have managed to produce the documents I need to process personal data from the EU post-Brexit should I ever have the need. Literally everything you need is spelled out for you on the ICO’s website.

The good news is that if you are compliant with the GDPR there is surprisingly little for you to do, deal or no deal. You should already have your ‘paperwork’ pretty much sewn up. If you’re not compliant yet, you are ALREADY breaking the law in both the UK (with the DPA 2018 and the pending UK GDPR) and the EU (with the GDPR) so you are way behind the curve.

For small to medium organisations who wish to process personal data from EU-based controllers, it’s likely that Standard Contractual Clauses (SCCs) will suffice. The ICO even have a ‘Controller to processor contract builder’ and a ‘Controller to controller contract builder’ where you fill out the relevant fields and it writes the contract language for you! Add the relevant one as an addendum to your original contracts and you’re pretty much good to go. Assuming you are actually doing the things you say you’re doing of course.

For larger multinationals you are probably best served by Binding Corporate Rules (BCR), but you most likely already have a legal team that can take care of this for you. I am spectacularly unqualified to comment any further on the legal stuff.

The other options to legalise international transfers are either not available or will be unlikely to apply in the majority of cases:

  1. Codes of Conduct (per GDPR Art. 41) – Not available yet;
  2. Certification (per GDPR Art. 42) – Not available yet;
  3. Derogations (per GDPR Art. 49) – very limited applicability, but concerned with:
    • data subject consent;
    • performance of a contract directly with data subject;
    • performance of a contract concluded in the interest of the data subject;
    • public interest;
    • establishment, exercise or defence of legal claims;
    • vital interests of the data subject;
    • public registers.

Either way, if you have branches in EU countries you will also need to appoint a representative per Article 27 and the ICO has provided some guidance on that too. Not much to be fair, and what there is still makes no sense. I’ve really not looked into it too deeply as it does not apply to me, but a little homework should clear up the confusion.

In summary:

Data related to ‘data subjects in the UK’ can be transferred unrestricted to all countries in the EEA and those with an EU approved adequacy decision; and

Data related to ‘EU subjects in the EU’ to the UK will require an ‘appropriate safeguard’ (i.e. SCCs, BCRs, certification, codes of conduct, or derogations).

The help you need is out there, and regardless of ANY of the above if you haven’t mapped your data flows and business processes you’re wasting your time anyway. None of this requires expensive lawyers, it just requires you to get moving.
