This blog tries to answer a simple question: “what can a data controller do if there are transfers between the UK and the European Union (EU) if the Article 50 button is pressed and there is no subsequent agreement between the UK and the European Commission within the two-year timeframe?”.
In other words, what happens if there is a very Hard Brexit? The assumptions I am therefore making are as follows:
- there is no deal re Brexit and the UK is completely outside the EU;
- the UK has implemented a form of the GDPR;
- the European Commission has not made an assessment of adequacy for the UK; and
- there is a requirement to transfer personal data between European Union (EU) and the UK (and/or vice-versa).
Given yesterday’s speech, there is now a considerable risk of the above; matters could get very acrimonious and messy.
Indeed, Mrs May’s speech can be interpreted as blaming the EU in advance of the actual negotiations (e.g. the EU failed to give the UK a “good deal” thus forcing the UK to accept a “no deal” over a “bad deal” and become a tax-haven to attract more foreigners with lots of money – ironic isn’t it?).
In short, those controllers who transfer personal data between the UK and the EU should do some contingency planning.
No need to worry about Brexit
Data controllers who do not fall within Article 3(2) of the GDPR do not have to worry about Brexit (e.g. a controller that is based in the UK but is not offering services to data subjects residing in the EU).
Examples of such controllers include many UK public bodies that do not share personal data with European counterparts and many UK-based SMEs whose customer database contains only those who are resident in the UK.
All such controllers need to do is comply with the new UK data protection law based on the GDPR when it comes into force (e.g. adopt new fair processing notices as per the ICO Code of Practice; follow the UK version of the GDPR rules on onward transfers of personal data to other Third Countries).
One assumes the Government will maintain its commitment to implement the GDPR, but if it starts throwing the toys out of the pram, one does not know what will happen.
Post-Brexit UK is not automatically adequate
The fact that the UK has implemented the GDPR does not mean the UK offers an adequate level of protection in accordance with Article 45. The UK does not qualify for adequacy simply because it has implemented the GDPR; the European Commission assesses the UK’s data protection law to see if it is adequate (or if a sector in the UK offers an adequate level of data protection).
Such an assessment is likely to take some time especially if there is an acrimonious Brexit divorce. In addition, I am not confident that the UK will obtain an assessment of adequacy (for reasons explained in previous blogs; see references).
Controllers that need to worry about hard Brexit
Assume that a controller or processor in the European Union is transferring personal data to a UK-based controller/processor. Following a hard Brexit, the controller in the EU has to consider the GDPR rules associated with a transfer of personal data to a Third Country (as a post-Brexit UK is a Third Country).
The controller or processor in the EU will look at the provisions in Articles 44-49 and choose one of the options for transfer to the UK controller or processor.
These options (in the assumed absence of a UK adequacy determination) are:
- Use the European Commission’s standard contract terms, or contract terms (or other terms) approved by a supervisory authority (Article 46(2)(c) & Article 46(2)(d))
- Have a legally binding & enforceable contract if the transfer is between public bodies (Article 46(2)(a))
- Implement Binding Corporate Rules (Article 46(2)(a) & Article 47).
- Rely on the particular transfer qualifying for an exemption from the need to assess adequacy (via something like the current Schedule 4; Article 49), but this is more likely to apply to case-by-case transfers involving very few data subjects.
- Follow a Code of Practice approved by the relevant European supervisory authority associated with transfers (Article 40)
- Use an approved certification scheme for transfers (Article 42)
If there are joint data controllers (e.g. one in the UK and one in the EU), I would raise the issue with any business-related controller in Europe who is transferring to the UK to select what options are appropriate to the business.
I would also ensure that the responsibilities relating to such joint data controllers (in Article 26) are identified in any transparency processing notice that is in place (Articles 13 & 14).
If an organisation in the UK is a data processor who has a client controller in the EU, the processor should raise the transfer options issue with their clients in the EU. In addition, the European-based controller will also need to be sure that the processor provisions in the GDPR are satisfied (e.g. Articles 28-30).
If such UK data processors do not raise this issue, their controller clients on the European mainland certainly will have to do so at some time before May 2018. I think it is better for the UK processor to show that it is “on the ball” rather than risk fallout with its clients following a highly publicised hissy-fit from a British politician (i.e. something worse than Boris Johnson’s joke comments about President Hollande and Nazi prison guards).
Finally, include any onward transfers to other Third Countries in your arrangements if they occur.
Representative (Article 27)
A UK controller offering services into the EU is likely to need a “representative” established in the EU. I say “likely” because public bodies processing in the EU do not need to appoint a representative (Article 27) as they are largely examples of controllers that do not offer services into Europe (see Article 3(2)).
The representative has to be appointed in a Member State where the data subjects are located and has to be mandated to deal with issues on behalf of the controller (note: only one representative in one Member State; the Member State where most data subjects reside springs to mind).
However, low risk “occasional processing” that does not involve Sensitive Personal Data (Articles 9&10) does not need a representative (e.g. a UK University attracting foreign students and collecting personal data at an event held in a European city).
So does Amberhawk need to find a representative? After all, we are a data controller and have customers who come from Europe to our courses on the GDPR, or data protection officers who want to be qualified in the UK’s Data Protection Act (see references if you want to come; surreptitious marketing alert).
My answer is “No” because we do not offer training services designed to attract Europeans residing in the EU; the fact that such Europeans choose to attend is incidental.
In my view, the fact that Amberhawk has a website in the UK that can be used by data subjects residing in the European Union does not trigger Article 3 unless our website has specific services designed to target such data subjects (e.g. if Amberhawk were to offer courses in German Data Protection Law).
What about UK citizens residing in Europe (e.g. a UK-based controller promoting services designed for UK ex-pats domiciled in Spain)? The answer is that a representative will be needed (in Spain) as the test in Article 3(2) relates to the fact that data subjects reside in the EU, not that the data subjects are EU or UK citizens.
Could another organisation (e.g. one in the same group or a processor based in the EU) be designated your “representative”? The answer is “yes”, but that representative should know it is fully liable for the actions of the controller/processor in the UK and might have to pay any fine (see Recital 80; last sentence).
Finally, include any onward transfer to other Third Countries in your arrangements if they occur.
Please ensure you check the above against national implementations of, or future guidance on, the GDPR as they appear, since Member State variants might arise.
Also, please recognise that some supervisory data protection authorities might consider that the UK does not offer an adequate level of protection and will investigate transfers to the UK in any event.
There is a lot to work through; so do it now. I would not take the risk that the political shambles that is Brexit becomes a complete and very public dog’s Brexit.
Finally, if you liked the above, come to our GDPR workshop or UPDATE (see below).
Forthcoming Amberhawk courses in February
- DP Audit 20 February (London)
- Next GDPR Workshop: 23 February (London)
- DP Foundation Course: Starts 7 March (BCS syllabus; London)
- DP Practitioner Course: Starts 28 March (BCS syllabus; London)
Advanced warning: we have devoted the next UPDATE session on 3rd April 2017 to the GDPR. We have an impressive array of speakers lined up including from ICO and DCMS http://www.amberhawk.com/bookevents.asp
UK decision to implement the GDPR does not guarantee an adequacy decision http://amberhawk.typepad.com/amberhawk/2016/11/uk-decision-to-implement-the-gdpr-does-not-guarantee-an-adequacy-decision-post-brexit.html
Why also the UK is unlikely to get an adequacy determination, post Brexit http://amberhawk.typepad.com/amberhawk/2017/01/why-the-uk-is-unlikely-to-get-an-adequacy-determination-post-brexit.html
“A Hard Brexit is a-gonna fall”
Bob D. popped over the pond to watch Barnsley play recently and in a following jamming session with the club’s poet laureate (Ian McMillan), he penned a new verse to his classic “Hard Brexit” protest song of the 1960s. It goes as follows:
Oh, where have you been, my blue-eyed son
And where have you been, my darling young one
I’ve been to a place where politics are poisoning
And watched the results of division and hating
I walked on the land where hospitals are for bombing
And floated on seas where survivors are sinking
I travelled through parts where racism is rising
And garnered a sense that jackboots are stirring
I lived in a system that is known to be failing
Where the sky is filled with clouds that are darkening
And it's a hard, and it's a hard, it's a hard, and it's a hard
It's a hard Brexit a-gonna fall.