Mrs May, at the last Prime Minister’s Questions before the Xmas recess, said in response to a question from a Conservative MP: “We are very clear that we (the UK) will be leaving the EU on 29 March 2019 at 11 pm”. As Government policy is for the UK to become a Third Country on this date, what does this imply?
First, any assessment of UK adequacy by the European Commission (if one is to be made) has to be undertaken before 29 March 2019, and that the form of any transitional deal is irrelevant. A transitional deal on Norwegian EEA membership model was rejected by the Prime Minister in her Florence Speech last September (see references) and any transitional deal that has the UK temporarily remaining in the EU will not pass muster with hard-line Brexiteers.
Transfers from the EU to the UK
Transfers of personal data from the EU to a UK based controller (from 11pm, 29 March 2019) will become subject to the Third Country transfer rules (details in Articles 44-49), unless an exemption from the need to assess adequacy applies. (It is possible that transfers are necessary for a contract with each data subject residing in the EU).
In general, it is difficult to see how the UK will be deemed to offer an adequate level of protection because, before 29 March 2019, the UK is not a Third Country. There is a technical problem of having a prior adequacy determination for the “UK as Third Country" when the UK is still a Member State of the European Union.
The real question therefore is “will the UK be adequate after 11pm, 29 March 2019?”, and I think not for the following reasons:
First, I can find no mechanism in the GDPR for a “provisional, presumed or temporary assessment of adequacy”; the UK is either adequate or it’s not. I am fairly confident that 30 March 2019 (day one of the UK being a Third Country and less than one year before the UK’s implementation of the GDPR came into effect) is far too early to make any reliable determination of the UK’s adequacy.
Second, the mechanism for deciding adequacy involves Article 45(c) which requires the European Commission to consider “the international commitments the third country or international organisation concerned has entered into”. This includes any future Trade Deals which the UK intends to make after leaving the EU. It follows that an adequacy determination made before any Trade Deal is made by the UK is premature.
As evidence for this assertion, consider the failed TTIP deal with the USA (Obama administration) which contained provisions that could have negated the GDPR (see references). Giving Mrs May a free hand with respect to a Trade Deal with the Trump (America First) administration can be seen as high risk.
Concerns over future UK Trade Deals can be defused if the UK guarantees that such Deals contain no provision concerning data protection or privacy. This is because a Trade Deal that excludes privacy or data protection will ensure that the GDPR will apply to any relevant transfer of personal data from the EU to Third Country UK and thence to any Third Country as a result of UK Trade Deal. (This step would guarantee the primacy of Article 44 of the GDPR).
Third, it is currently the policy of Government not to incorporate the Charter of Fundamental Rights of the European Union; attempts to incorporate Article 8 into the DPBill have failed in the House of Lords. In addition, the Prime Minister has often stated that she wants the UK to withdraw from the European Charter of Human Rights. As the foundations of the GDPR rests on both these Charters, will the Commission willingly provide an adequacy determination when there is no guarantee that the UK will not undermine these foundations? I suspect not.
Fourthly, Article 70(1)(s) requires the European Data Protection Board to “provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation” (my emphasis to show that the “for” implies the Board’s view of UK’s adequacy should be part of the Commission’s determination of adequacy and that option has to be obtained prior to that determination). The view of the European Data Protection Board will take some time to organise, I suspect.
If the “for” had been an “of”, then the Board’s opinion of a UK adequacy determination could be given after the Commission had made it.
Note that these problems arise before we get to some of the serious issues I have raised in this blog (and in future blogs) about the content of the DPBill which, increasingly in my view, is causing concern.
Representative also needed
If a controller, established in Third Country UK, is offering services into the European Union, that controller needs to appoint a Representative in a Member State of the European Union in time for the March 2019 deadline. Note that the need to appoint a Representative (i.e. someone in the EU to act on behalf of the UK based controller) is completely different to any adequacy determination (which deals with transfers from the EU to the UK).
That Representative will be judged by the data protection standards established by the GDPR as implemented in the Member State where the Representative is located, and not the standards contained in the DPBill currently before the British Parliament.
This in turn means some UK data protection officers will need to familiarise themselves with the data protection law of that Member State in order to assess the risks to the controller that arise from the appointment of a Representative (as some Member States might have different enforcement arrangements or data protection rules).
To demonstrate this point, suppose on 30 March 2019, an UK controller is processing personal data relating to the sale of goods and services to data subjects residing in France; then:
- Article 3 of the GDPR states that it applies to the UK (Third Country) controller as it is offering goods and services to data subjects in France. This raises the question of which national implementation of the GDPR applies? The French or British?
- Article 27(1) states that such a controller “shall designate in writing a representative in the Union” (in our example, this Representative is going to be located in France as the UK is a Third Country outside the EU).
- Recital 80 states that “The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority” (and of course data subjects residing in the Union).
- Article 4(21), defines a ‘supervisory authority’ means an independent public authority which is established by a Member State”. After 29 March 2019, the ICO becomes a data protection authority for a Third Country, so the supervisory authority that does the addressing to the Representative, located in France, has to be the French one.
- Finally, Recital 80 also states the Representative can be “subject to enforcement proceedings in the event of non-compliance by the controller or processor”. It is clear that any such enforcement against the Representative will be by the French data protection authority based on French data protection law (i.e. enforcement by the CNIL and NOT the ICO).
The problem gets more complex if the UK controller is selling services to data subjects residing in several Member States in the EU. It will certainly have to plan to deal with the “competent” supervisory authority (i.e. the State where the Representative is located) and possibly a host of “concerned” supervisory authorities (i.e. one per each Member State where data subjects reside). Familiarity with these national laws will therefore become a requirement.
In this regard, the number of data subjects residing in each Member State might be a guide as to where the Representative should be located. For instance, suppose a UK based controller has 10,000 customers residing in France and 10 customers residing in Malta; choosing a Representative in Malta is likely to be contested by the French data protection authority (the CNIL) if there were to be a serious infringement of its implementation of the GDPR.
In summary, that is why you have your three new year resolutions. They are:
- “I will collect details of transfers from the UK into the EEA” (This allows you to assess the Representative position if your organisation offers goods and services into European Union).
- “I will collect details of transfers from the EEA into the UK”. (This allows you to identify the transfers that might be be at risk if the UK becomes a Third Country without an adequacy determination).
- “I will use this information to prepare a contingency plan that does not depend on the UK obtaining an adequacy determination from the European Commission”.
Of course, if you think the Government is wholly competent about Brexit, then you do not need to do any of the above.
Happy New Year.
New GDPR/Data Protection Bill Courses
Data Protection Bill all day Workshop: London (5 February) https://www.amberhawk.com/bookevents3.asp
We have dates, brochures and fees for courses based on Practitioner and Foundation Certificates relating to the new UK DP law (as it is at the moment) based on the GDPR. The courses are:
- A DP Foundation course (3 days; London)
- A DP Practitioner course (6 days, mock exam and real exam; London)
- A DP Practitioner Conversion course for those who already have the BCS Practitioner Certificate (2 days; London)
If anyone wants these, email email@example.com . The information will be on the website early in the new year; however, the BCS DPBill/GDPR syllabi for all courses is down-loadable from the link on Amberhawk website home page (www.amberhawk.com)
We intend to timetable courses in Leeds and Edinburgh during the summer months.
If a hard Brexit a-gonna fall what then happens to overseas transfers of personal data? https://amberhawk.typepad.com/amberhawk/2017/01/if-a-hard-brexit-a-gonna-fall-what-then-happens-to-overseas-transfers-of-personal-data.html
TTIP and Privacy: see for example https://www.opendemocracy.net/can-europe-make-it/keno-franke/ttip-and-right-to-protect-personal-data
Mrs May’s Florence Speech where she rejects EEA membership on the Norway model: https://www.gov.uk/government/speeches/pms-florence-speech-a-new-era-of-cooperation-and-partnership-between-the-uk-and-the-eu