Cross-Border Data Transfer: Post-Brexit
On 9 January 2018, the European Commission issued a “notice to stakeholders” on the United Kingdom’s withdrawal from the European Union. The notice stated that, beginning on 30 March 2019 (the “withdrawal date”), EU law will cease to apply to the UK, and the UK will be considered a “third country” for cross-border data transfer purposes. Thus, “subject to any transitional arrangement that may be contained in a possible withdrawal agreement,” rules for the transfer of personal data to third countries will apply to transfers from the EU to the UK as of the withdrawal date.
Under the upcoming GDPR, transfers of personal data to third countries are allowed only if one of the following three conditions, as outlined in the notice, is met.
- First and foremost, an “adequacy decision” could be made by the European Commission, which would “allow[ ] the free flow of personal data from the EU without the EU data exporter having to implement any additional safeguards or being subject to further conditions …”
- Second, if no adequacy decision is made, “appropriate safeguards” under the new General Data Protection Regulation (GDPR) could be relied on by UK-based organisations. These safeguards include standard data protection clauses (or “model clauses”), binding corporate rules (BCRs), or approved codes of conduct or certification mechanisms.
- Third, if there is no “adequacy decision,” and “appropriate safeguards” are not an option for a particular organisation, “a transfer or set of transfers may take place on the basis of so-called ‘derogations,’” which “allow transfers in specific cases, such as based on consent, for the performance of a contract, for the existence of legal claims or for important reasons of public interest.”
Under Article 45(2) of the GDPR, the European Commission must take into account the following factors concerning the third country when making its adequacy decision:
- the rule of law;
- respect for human rights and fundamental freedoms;
- relevant legislation;
- the implementation of relevant legislation, data protection rules, professional rules and security measures;
- effective and enforceable data subject rights;
- effective administrative and judicial redress for data subjects whose personal data are being transferred;
- the existence and effective functioning of one or more independent supervisory authorities in the third country;
- international commitments the third country has entered into;
- other obligations arising from legally binding conventions or instruments; and
- participation in multilateral or regional systems.
UK Government Support
The House of Lords European Union Committee, the House of Lords Library, and the Information Commissioner’s Office (ICO) have all recommended that the UK government should seek an adequacy decision of the European Commission, pursuant to Article 45 of the GDPR. However, UK officials have also stated that they are “looking at an enhanced mechanism that is not just the normal adequacy deal that other third countries have, but one that enables continued technical engagement between the Information Commissioner and European bodies to ensure that our technical capabilities can continue to inform the future development of data protection standards inside the EU.” Moreover, such an “adequacy deal” would be one that “not only reflects a normal third-country adequacy deal, but goes further and ensures that we have a stronger technical relationship between our regulator, the Information Commissioner, and the European regulators.”
In August 2017, the UK Government issued a paper titled The exchange and protection of personal data—a future partnership paper, in which the Government states the following:
After the UK leaves the EU, new arrangements to govern the continued free flow of personal data between the EU and the UK will be needed, as part of the new, deep and special partnership. The UK starts from an unprecedented point of alignment with the EU. In recognition of this, the UK wants to explore a UK–EU model for exchanging and protecting personal data, which could build on the existing adequacy model, by providing sufficient stability for businesses, public authorities and individuals, and enabling the UK’s Information Commissioner’s Office (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal.
However, despite the support for seeking an adequacy decision and the UK’s efforts to align with the GDPR in its latest draft Data Protection Bill, there are concerns that an adequacy decision could actually be difficult to obtain due to the existence of the Investigatory Powers Act (IPA), which provides UK law enforcement and intelligence agencies with surveillance powers and has been widely criticised and challenged.
Other Routes to Adequacy
In the event that an adequacy decision cannot be obtained, other avenues could be pursued, such as for the UK to seek European Economic Area (EEA) membership, or to negotiate some other agreement supporting the free flow of personal data.
For example, while Norway is not a member of the EU, it is a member of the EEA. EEA membership allows it to retain access to the European single market and contribute to the EU budget, and makes it subject to EU standards and regulation (e.g., the GDPR). If EEA membership were negotiated into the UK’s withdrawal agreement, the UK would not be considered a third country under the GDPR and adequacy would not be a question.
Another option could be an international agreement akin to the EU-US Privacy Shield. The Privacy Shield is a framework that enables lawful transfer of personal data out of the EEA to a company in the US that has self-certified under the framework, as an alternative to seeking one of the three conditions above, thus creating a kind of partial adequacy for the US. If EEA membership is not an option, or not desired by the UK, the UK government could negotiate an agreement that could serve to create an easier transition for UK-based companies.
The GDPR would allow for such an agreement under Article 46(2)(a), which states that “a legally binding and enforceable instrument between public authorities or bodies” may serve as an appropriate safeguard.
UK to US Transfers
Further complicating the UK’s adequacy issues is the question of how Brexit will impact transfers of personal data from the UK to the US. Currently, the US has not been deemed adequate by the European Commission, which means US organisations must rely on other options, such as the Privacy Shield, model clauses, BCRs, and derogations.
After Brexit, however, one of these options – the Privacy Shield – will no longer be available for purposes of transfers of personal data from the UK to the US (that is, unless the UK joins the EEA or gets grandfathered into the Privacy Shield agreement). This is because the UK will no longer be a member of the EU (and therefore no longer a party to the Privacy Shield), and because the UK’s draft Data Protection Bill (assuming it is enacted) will adopt the GDPR’s provisions (including on transfers of personal data to third countries).
This means that US and UK organisations that currently rely on the Privacy Shield for transfers of personal data to one another may need another mechanism for legitimising that transfer as of 30 March 2019. This also could mean that the UK may need its own mechanism for judging the adequacy of third countries, just like the EU; or it could simply adopt the adequacy decisions made by the EU.
UK Secretary of State for Digital, Culture, Media and Sport, Matt Hancock, has stated that he is “confident that we can come to a successful agreement to make sure that we have the same unhindered flow of data with the United States as we have now.” According to Hancock, the Government is “considering all the options for the most beneficial way of ensuring that the UK data protection regime supports UK business in the global economy. . . . Making sure that US-UK business can take place post Brexit is a very important consideration for the Government at the moment.”
While it is evident that the UK Government views a free flow of data with the US as a priority, we will have to wait and see how potential barriers to that flow will be addressed.