As time goes by, the prospect of the United Kingdom leaving the European Union on 29th March 2019 with no deal seems more and more realistic. While the UK government strives for a better deal that can be adopted by the UK Parliament, the European institutions have started planning and preparing for the UK's departure from the EU without any deal. Following its seventh plenary session, held in Brussels on 12th February 2019, the European Data Protection Board ("EDPB") adopted two information notes: a general note dealing with data transfers under the GDPR in the event of a "no-deal" Brexit; and a specific note dealing with companies which have the Information Commissioner's Office ("ICO") acting as the lead Data Protection Authority ("DPA") for their Binding Corporate Rules ("BCR").
- What will happen to companies who are transferring personal data to the UK in case of a no-deal Brexit?
On 30th March 2019 at 00:00 CET, if the UK Parliament has not adopted the Withdrawal Agreement negotiated between the EU and UK representatives, the UK will leave the EU without a deal and will become a third country (see our infographic for a visual summary of the situation). That is a fact which most likely would be irreversible. What does this mean from a GDPR standpoint, and what are the consequences of a "no-deal" Brexit for transfers of personal data between the EU and the UK?
From the moment the UK becomes a third country, article 44 of the GDPR applies, whereby "any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country (…) shall take place only if (…) the conditions laid down in this Chapter [Chapter 5 – Transfers of personal data to third countries or international organisations] are complied with by the controller and processor".
What this means is that companies in the EU (including the EEA) that are currently freely sending personal data to the UK will have to implement appropriate safeguards in accordance with article 46 before transferring any personal data to the UK. These appropriate safeguards include:
- Standard Data Protection Clauses adopted by the European Commission or by a DPA
- Ad hoc data protection clauses agreed between the EU-based company (data exporter) and the UK-based recipient of the data (data importer), which must be authorised by the competent DPA
- Binding Corporate Rules
- Codes of Conduct
- Certification Mechanism
In the absence of an adequacy decision adopted by the European Commission, or of appropriate safeguards, such companies may only transfer personal data to the UK if one of the legal derogations listed under article 49 applies. The EDPB highlights the fact that these derogations must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive. Needless to say, companies which have been transferring personal data massively and regularly to the UK for years will not be able to rely on these derogations, or may only do so on a case-by-case basis. The risk is therefore that if the UK crashes out of the EU, hundreds of companies will be left in limbo without any suitable legal basis for transferring personal data to the UK.
Does this look like déjà vu? Indeed, US companies will remember the turmoil that followed the invalidation of Safe Harbour by the Court of Justice of the EU in October 2015. But unlike Safe Harbour, which was eventually renegotiated into a new legal framework renamed the "EU-US Privacy Shield", there is currently no plan for a similar framework between the EU and the UK.
Furthermore, there has been no official announcement that the UK has opened discussions with the European Commission to obtain adequacy status, even though this is considered by many as the logical next step. Given that the GDPR is the law today in the UK, one would hope that the UK could easily obtain adequacy status. Unfortunately, things are not so simple. First, the UK needs to leave the EU before it can apply (as a third country) for adequacy status. Second, the European Commission will need to assess the level of protection offered by the UK in light of the GDPR's requirements, which includes assessing the rule of law and the protection of human rights in the fields of public security, defence, national security and criminal law, as well as the access of public authorities to personal data. Lastly, very few countries have acquired adequacy status and this is usually a very long process (as illustrated by Japan's recent accession to the magic circle of adequate third countries after roughly ten years of negotiation). One can only hope that the process would be accelerated for the UK, but we are still talking about a minimum of two years before an adequacy decision is adopted. In the meantime, where does that leave companies?
It is not difficult to see why a "no-deal" Brexit will put companies in a very, very difficult position. They will be required to implement appropriate measures as quickly as possible if they do not want to find themselves in violation of the GDPR. One can easily see how painful an exercise this will be. Unfortunately, the EDPB does not mention anything about a grace period in its information note. Therefore, unlike US companies, who benefited from a grace period of several months to give them time to re-certify under the Privacy Shield, with Brexit one should assume that there will be no grace period, and therefore that companies will be expected to have put such measures in place by March 30th.
It is completely unrealistic to think that all companies will have implemented appropriate measures by March 30th (most of them are still in a "wait and see" mode and wishfully thinking that Brexit is just a bad dream) and even more so to think that companies will stop transferring their data to the UK simply because Brexit has removed the legal basis they were previously relying on to do so freely and without any restriction. Hopefully, the EU DPAs will adopt a pragmatic approach and will not investigate or issue sanctions against companies in the months that follow Brexit to give them time to implement the necessary measures.
- What will happen to companies which have the ICO as the lead DPA for their BCR?
The EDPB's second note deals specifically with companies which have BCR or are considering putting BCR in place. In order to understand the consequences of Brexit on BCR, it is important first to understand that, as part of the BCR approval procedure, one DPA must act as the "lead supervisory authority". This Lead DPA reviews the applicant's draft BCR before sharing it with the other DPAs concerned and finally submitting it to the EDPB for final approval. In case of a "no-deal" Brexit, the ICO can no longer act as a Lead DPA because it will no longer represent an EU or EEA Member State. In fact, the ICO will lose all its voting and decision-making powers as a member of the EDPB and will no longer be authorised to attend the plenary meetings as a permanent member of the EDPB.
As a result, what will happen to BCR applications for which the ICO is the Lead DPA? Several scenarios must be addressed:
- Your organization already has its BCR approved: If you've already obtained the approval of your BCR and the ICO acted as the Lead DPA, then you must identify a new BCR Lead DPA in accordance with the criteria set out in WP 263. This may require you to update your internal procedure for notifying the lead DPA about any material changes that have been made to your BCR Policy and to the list of group entities within your organization that are bound by the BCR.
- Your organization is considering submitting an application for BCR with the ICO: If you are considering submitting your BCR application to the ICO but have not done so yet, then you should submit your BCR application to another DPA. This concerns in particular organizations that have their European headquarters in the UK or that are considering designating a UK-based affiliate as the entity within the group with delegated data protection responsibilities. In such cases, organizations should identify a new BCR Lead DPA in another EU Member State in accordance with the criteria set out in WP 263. If you have already submitted your BCR to the ICO but the review process has not yet started, then it is likely that the ICO will tell you that post March 30th it can no longer act as the Lead DPA and that you should identify another DPA.
- Your organization has applied for BCR and is in the process of obtaining approval: Organizations which will be most impacted by a "no-deal" Brexit are those which have already submitted their BCR to the ICO and are at the review stage with the ICO. Such companies must identify a new BCR Lead DPA according to the criteria laid down in WP 263. The new BCR Lead DPA will take over the application and formally initiate a new procedure at the time of a "no-deal" Brexit (presumably starting on 30th March 2019). As a consequence, those companies will see their BCR application handed over to a new DPA which will start the review process all over again. This change is likely to extend the duration of the BCR approval process and delay the approval of an organisation's BCR. One can only hope that the new Lead DPA which takes over a BCR application will adopt a pragmatic approach and take into account the review previously carried out and the comments already provided by the ICO, as opposed to starting entirely from scratch.
Companies whose draft BCR have already been submitted to the EDPB will be less impacted. If a draft ICO decision approving BCR is pending before the EDPB at the time of a "no-deal" Brexit, the BCR applicant needs to identify a new BCR Lead DPA according to the criteria laid down in WP 263. The new Lead DPA will take over and re-submit a draft decision for the approval of the BCR to the EDPB, presumably without starting the review process over.
Organisations that are currently in the BCR review process with the ICO should do everything possible to obtain the approval of their BCR before March 30th, bearing in mind that the ICO is one of the DPAs handling the most BCR applications and is unlikely to get them all approved in time.
In summary, a "no-deal" Brexit will open up a period of uncertainty during which companies which transfer personal data to the UK will be required to implement appropriate measures until new permanent measures (such as an adequacy decision) are adopted. Unavoidably, this will put a strain on businesses and so the sooner they get started, the better.