Today marks a historic day. For the first time in the history of the European Union, a member state, the United Kingdom, is leaving the European Union. Effective as of 00:01 am on 1st February 2020, the UK will officially leave the EU and become a "third country". While I watched the British members of the EU Parliament sing goodbye after the Brexit vote in the EU Parliament, I could not stop thinking about my primary school English teacher, Mrs Windridge, without whom I would not be where I am now and to whom I am forever grateful for her teachings. Regardless of its political status, the history, economy and cultures of the United Kingdom are intrinsically linked to those of the European Union, and our paths will continue to progress in parallel. Life goes on and we must look ahead to the future and the new relationship that is going to be established between our two regions in the coming months.
The UK is leaving the EU under the terms of the Withdrawal Agreement that was agreed between the British Government and the European Union, which means that starting at 00:01 am on 1st February 2020, the UK and EU will enter a transition period that will last until 31st December 2020. That is, unless this transition period is extended, which is possible under the terms of the Withdrawal Agreement. During this transition period, the UK and EU will negotiate the terms of a future agreement that will establish the foundation of their new relationship.
Status of the UK during the transition period
During this transition period, although the UK is no longer a Member State of the EU (which means it is no longer represented in the EU institutions and has lost all its voting powers), the GDPR will continue to apply in the UK as if the UK were still a Member State. For companies established in the UK, this means they must continue to comply with the GDPR, and the rulings of the European Court of Justice will remain enforceable in the UK.
During this transition period, the European Commission will assess the adequacy of the level of protection for personal data in the United Kingdom under article 45 of the GDPR, with a view to adopting a decision that would grant the UK "adequate status" and enable companies in the EU to transfer personal data to the UK without having to implement appropriate safeguards. This decision could be adopted before the end of 2020, which would allow it to come into force once the transition period comes to an end. This will obviously depend on a number of political factors, in particular the time it takes for the European Commission to issue this adequacy decision (assuming it does, but who expects it will not?) and whether the transition period is extended. In the absence of such an adequacy decision by the time the transition period comes to an end, companies would have to put in place, rapidly, appropriate safeguards in line with article 46 of the GDPR, or rely on the legal derogations set out under article 49, in order to continue transferring personal data to the UK. So while the objectives seem clearer, there still remains quite a lot of uncertainty with respect to timing and when all of this will come into place.
The ICO: to be or not to be?
During the transition period, the ICO will lose its seat at the table of the European Data Protection Board (EDPB), given that only the Member States of the European Union and the European Economic Area are represented at the EDPB. That being said, as a result of the GDPR continuing to apply, the ICO may be able to attend some of the meetings of the EDPB on an exceptional basis, if the issue being discussed has an impact on data subjects who are in the UK and if the ICO's presence is necessary and in the interest of the EU.
Regarding the future role of the ICO as a Lead Data Protection Authority (Lead DPA), the ICO will remain and continue to act as the Lead DPA during the transition period, both with regard to the one-stop-shop rule under article 56 of the GDPR and with respect to Binding Corporate Rules (BCR). Once the transition period comes to an end, the ICO will no longer be able to act as a Lead DPA under the GDPR.
What about BCR?
Post-Brexit, can the ICO continue to act as a Lead DPA for BCR? Should companies that had their BCR approved by the ICO, or that are currently in the process of having their BCR reviewed by the ICO, change their Lead DPA? To answer this question, we need to distinguish several scenarios:
Scenario 1: a company already has its BCR approved and the ICO is the Lead DPA
In that case, companies must identify their new Lead DPA as the competent supervisory authority for their BCR before the end of the transition period. They are expected to contact both the ICO and the "new" Lead DPA to inform them of this change. The ICO will then notify the remaining DPAs of the change.
Companies must also amend and update their BCR policies, in particular to identify the new Lead DPA, the new entity within the group that takes responsibility in case of a breach of the BCR by an entity outside the EU, and the competent courts for legal claims in case a data subject suffers damage as a result of a breach of the BCR.
Scenario 2: a company has already submitted its BCR application to the ICO but the BCR have not yet been approved (approval is in progress).
Since the ICO will continue to act as Lead DPA during the transition period, companies are not required to "change" their Lead DPA immediately. The ICO will remain the Lead DPA for BCR that have been submitted to it until the end of the transition period. However, this does raise the question of whether the ICO is able to finalise the review of all the BCR applications it has received before the end of the transition period. This seems unlikely, not to mention that all BCR must also be approved by the EDPB, which will inevitably take time.
Effectively, this leaves companies with two possible outcomes: either the BCR are approved before the end of the transition period, in which case all is fine; otherwise, companies that do not get their BCR approved before the end of the transition period must transfer their BCR application to another EU DPA, which will replace the ICO as the Lead DPA. Needless to say, the ICO is going to be under a huge amount of pressure from companies to get their BCR approved on time. Companies are also likely to start transitioning their BCR to another Lead DPA now rather than wait until the end of the transition period to do so.
Scenario 3: a company has not yet submitted its BCR but has identified the ICO as its Lead DPA based on the criteria set out by the WP29.
In that case, companies are advised to submit their BCR to another EU DPA. For some companies, this may be fairly straightforward. For others, in particular those that have their EU headquarters or place of central administration in the UK, this may not be such an easy task. Indeed, the designation of a Lead DPA must comply with the criteria set out under WP 108. Namely, companies must submit their BCR application, in order of priority, to the DPA in:
- the location where the company has its European headquarters; or alternatively
- the location of the company within the group with delegated data protection responsibilities, or
- the location of the company which is best placed (in terms of management function) to deal with the application and to enforce the binding corporate rules in the group, or
- where most decisions in terms of the purposes and the means of the processing are taken, or
- the member state within the EU from which most of the transfers outside the EEA will take place.
Some companies may therefore be required to relocate some of their decision-making stakeholders (e.g., managers, the DPO) to one of the EU Member States in order to be able to meet the conditions of WP 108.
Hopefully, the EDPB will provide further clarity on the above issues. In the meantime, I bid my English friends "adieu" from the EU but I also tell them that there's only a small sea that separates them from the continent and they're always welcome to cross over.
By Olivier Proust, Partner at Fieldfisher.