Brexit: taking a closer look at data transfers

Between one day and the next, it's a hard call to predict the outcome of the Brexit negotiations. However, irrespective of that outcome, European parties doing business with the United Kingdom should take a critical look at their personal data transfers with the UK. Such transfers may for example take place when sharing personal data with IT-suppliers, clients or affiliated companies.

This is relevant because the General Data Protection Regulation (‘GDPR’) prohibits the transfer of personal data from within the European Economic Area (‘EEA’) to a country outside the EEA, in absence of an applicable exception under the GDPR.

Assuming that the UK will not be a part of the EEA any time soon, the question is therefore which exception for transfer under the GDPR can be invoked to continue the transfers.

Will the UK get an adequacy decision?

One of the exceptions allowing for transfer to a country outside the EEA applies where the European Commission has determined that the country offers an adequate level of data protection. Adequacy decisions have been given for several countries, such as New Zealand and Japan, and for the United States in respect of parties that are certified under Privacy Shield.

It would not seem a far stretch for the UK to obtain an adequacy decision, as it has already implemented the GDPR as an EU member. However, in February 2019 the European Data Protection Supervisor, Giovanni Buttarelli, was sceptical about this happening any time soon, because the adequacy procedure simply takes a long time. European parties should therefore not wait in the hope of relying on this option.

What other options are there?

There are several other exceptions in the GDPR that allow for transfer of personal data to outside the EEA.

Binding Corporate Rules

Multinational companies that have implemented Binding Corporate Rules (‘BCRs’) may transfer personal data to their UK group companies. BCRs are a binding set of data protection rules that apply within a group of companies, wherever these companies are located. Personal data may be transferred freely between the group companies. Multinationals that have BCRs can therefore continue to transfer personal data to the UK. Those transfers are not affected by Brexit.

Consent?

One of the other exceptions applies where the data subject gives his or her consent to the transfer to outside the EEA. Generally speaking, though, this is not a practical exception, because under the GDPR, firstly, the data subject can refuse to give consent, in view of the requirement that consent must be freely given, and secondly, the data subject must always be allowed to revoke the consent. If, say, a small group of data subjects were to refuse or revoke consent, another exception would have to be invoked for just that small group of data subjects. Consent is therefore not an appropriate exception where quantities of personal data are transferred on a regular basis.

For the performance of a contract

Transfers to outside the EEA are also permitted when this is necessary in relation to the performance of a contract with the data subject or to which the data subject is a party. This may be the case for example where someone books a hotel room in the UK through a German website. The booker’s details must be transferred to the hotel so that it can handle the booking.

However, this exception cannot be invoked for transfers occurring on a regular basis. It only applies where the recipient in the UK occasionally receives the personal data because this is required for a specific agreement relating to the data subject. The exception may, for example, not be used for transferring HR employee data files to the UK.

Other exceptions

The GDPR provides for several other exceptions that may also be invoked, but only in specific and non-repetitive situations. Examples are transfers required in relation to legal proceedings, for important reasons of public interest, in life-threatening situations, from public registers or, subject to several conditions, for compelling legitimate interests.

Standard Contractual Clauses (SCC)

The best available alternative for situations where personal data are transferred to the UK on a structural and regular basis is concluding ‘Standard Contractual Clauses’ or ‘SCC’.

The SCC are standard agreements drafted by the European Commission, pursuant to which a controller in the EEA can transfer personal data to a party outside the EEA. A side note must be made that processors (parties processing personal data on behalf of controllers) in the EEA cannot use the SCC to transfer personal data to other processors, as there are no SCC for transfers by processors to other (sub)processors. Such transfers must therefore be concluded ‘through’ their customers, which are the controllers.

At present, the SCC are being scrutinized by the Court of Justice of the European Union (‘CJEU’). Until the CJEU decides that the SCC are not a suitable transfer mechanism, they can officially continue to be used. If the CJEU were to decide that the SCC are not a valid transfer mechanism, this would cause substantial problems for the many parties relying on them. For the UK, an adequacy decision by the European Commission would be the most efficient way to solve that problem.

Other compliance measures in relation to Brexit

Arranging for valid data transfers under an exception in the GDPR is an essential part of exporting data to outside the EEA. In addition, there are a few other compliance issues to flag:

  • Transfers to outside the EEA must be disclosed to data subjects in the privacy policy (articles 13 and 14 GDPR). The European data protection authorities have indicated in their guidelines that, generally, the countries to which the personal data are transferred must be mentioned. The privacy policy must also explain the transfer mechanism used, for example the SCC. Brexit will therefore trigger changes to the privacy policy.
  • Transfers to outside the EEA must also be included in the records of processing activities (article 30 GDPR). The country to which the personal data are sent must be mentioned and, for one specific transfer exception, information about the documents used to ensure suitable safeguards must be recorded. Brexit will therefore require an update to the records of processing activities.
