EC underlines need for data transfer agreement post-Brexit
The European Commission has emphasised the importance of having a data transfer agreement in place after the UK leaves the European Union
The UK will be considered a “third country” as soon as it leaves the European Union (EU), which will potentially affect personal data exchanges with the UK, the EC’s consumer directorate has said in a Notice to Stakeholders.
In view of the “considerable uncertainties”, particularly concerning the content of a possible withdrawal agreement, the notice said that all stakeholders processing personal data are reminded of the legal repercussions that need to be considered when the UK leaves the EU.
This is the first time the EU has made a statement on the adequacy decision and what the alternatives might be for the UK, and is a statement of “certain political significance,” said Eduardo Ustaran, partner and European head of data protection at law firm Hogan Lovells.
“Reading between the lines, the EC’s notice basically says that the UK should not count on ‘adequacy by default’ and that all is subject to a wider political agreement,” he told Computer Weekly.
Ustaran also believes the note is essentially a warning to the UK government and businesses of the obvious consequences of not reaching a Brexit deal that covers data protection.
“As inevitable as the consequences are, it is slightly chilling that the European Commission is pointing out that if no adequacy decision is made, the UK will join the countries not regarded as safe for EU data,” he said.
The EC notice confirms that, as a third country, the UK’s “adequacy” for EU data protection law purposes is a matter for decision by the EC, rather than a status that occurs automatically.
Stewart Room, data protection lead partner at PwC, said UK organisations can rest assured that even if that adequacy decision is not given, there will be plenty of other opportunities open to them.
“However, it does provide considerable comfort around the fact that data exports need not be unnecessarily interrupted if an adequacy decision is not granted, because the law contains a series of other mechanisms for organisations to rely upon to keep data flowing,” said Room.
Although these other options may not be as frictionless as an adequacy decision, Room said many organisations in the UK will be very familiar with how they work, because they already use them to transfer personal data from the UK to other third countries.
These include: consent, contractual necessity, using European model clauses, binding corporate rules (BCRs), approved codes of conduct with binding and enforceable commitments of the controller or processor, and approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country.
“The EC’s Notice also stresses that the General Data Protection Regulation (GDPR) has been designed to reduce the legal and administrative burden of using these other mechanisms, which UK data importers and exporters alike will welcome,” said Room.
Ustaran believes that not meeting the adequacy standard would not only be embarrassing for the UK, but would also complicate life for UK businesses significantly, because all of those alternative solutions take time and effort to put in place.
“I think the UK government is well aware of the need to secure an adequacy decision as part of the Brexit deal,” he said.
Room pointed out that the UK government has already confirmed it will seek an adequacy decision, and there are “substantial reasons to be optimistic” that one will be granted.
“This is because the totality of the data protection legal framework needs to be considered by the decision-takers in the UK, and in this sense the UK already exceeds the quality of data protection in some areas, in comparison with other EU member states,” said Room.
Key considerations in the UK’s favour include the fact that by the time the country leaves the EU, currently scheduled for 30 March 2019, its legislative framework will be on a par with Europe’s, because the UK is committed to continuing the GDPR’s principles after Brexit through the Data Protection Bill, which is currently progressing through Parliament.
The UK also has one of the world’s best-resourced and most influential national data protection regulators in the Information Commissioner’s Office (ICO), said Room. “The volume of the ICO’s activities over the past 10 years, in both the advisory and enforcement fields, far surpasses those of many other EU regulators,” he said.
According to Room, there is already a healthy data protection litigation culture in the UK, which the courts have supported in a series of landmark cases, demonstrating that the judicial system provides effective recourse to those who feel their rights have been infringed.
Fundamental rights and freedoms
The wider sectoral and professional rules on data protection and in related areas, such as cyber security, also knit together to provide another comprehensive layer of protection for fundamental rights and freedoms.
“So, on a compare-and-contrast basis, the UK appears to perform as well as, or better than, other EU member states,” said Room. “The UK also compares favourably with third countries that have already obtained adequacy decisions, such as Canada and the US, which has a de facto, bespoke adequacy decision in its favour, within the Privacy Shield.”
Although there are areas of complexity, such as national security, Room said that in an operational sense, the differences between the UK and the rest of Europe may not be as great as is perceived.
“It is important to remember that the GDPR excluded the activities of the intelligence services from regulation, whereas the UK Data Protection Bill brings them into scope,” he said. “However, if this area remains contentious, it will be open to the European Commission to make a partial adequacy decision in the UK’s favour, to cover all other areas and commercial and social activities in particular.”
For multinational companies and well-resourced organisations, Room believes the absence of an adequacy decision should not present any insurmountable barriers to continued international data flows. However, he said that SMEs, not-for-profits and smaller public authorities may require more support to adjust to a world without an adequacy decision in the UK’s favour.
“But the publication of free guidance and template documentation by the regulator, professional and membership organisations and the data protection community itself will go a long way towards mitigating their challenges,” he said.
According to Room, all organisations should consider their strategy for ensuring that international data flows can continue, whether the adequacy decision is granted or not. “It’s important to understand the extent to which data is transferred around the world, and how that may be impacted by Brexit changes,” he said.