From 1 January 2021 onwards, the United Kingdom of Great Britain and Northern Ireland (“the UK”) will no longer be party to the European Union legislation, rules and agreements (“Brexit”). The associated issues that arise with Brexit are various and also concern the EU data protection regime (the General Data Protection Regulation or “GDPR”). We asked Eva Kasprowicz, an IT and Privacy lawyer at Fieldfisher (Germany) LLP, about the potential impacts from an EU privacy perspective and how affected businesses should prepare for it.
What impact does Brexit have from a GDPR perspective?
The GDPR assumes an appropriate level of data protection for the processing of personal data of data subjects (“EU personal data”) throughout the EU Member States and the European Economic Area. Therefore, if an organisation is engaging with another for the processing of EU personal data in EU countries such as Netherlands, Spain or Germany, no further safeguards for this transfer are required from a contractual or security perspective.
Should it come to a “hard Brexit” on 31 December 2020 and, in this context, if no agreement on data protection aspects is reached between the UK and the EU, the UK will be regarded as a ‘third country’ from a GDPR perspective. The GDPR defines a ‘third country’ as any country outside the EEA which does not have similar rules and obligations to the GDPR.
As a result, the transfer of EU personal data to the UK following a hard Brexit would be subject to a stricter legal framework of data transfer rules under the GDPR. These rules already apply when engaging with service providers or affiliates in a third country, such as the USA or China. Organisations that are affected by Brexit therefore need to be aware of the privacy-related impacts that flow from it, particularly in terms of their accountability obligations under the GDPR.
In what situation might Brexit have an impact on an organisation?
There are various scenarios where Brexit might have an impact on an organisation from a privacy perspective. Still, they all have one thing in common: the processing of EU personal data in the UK.
Typical scenarios include, but are not limited to, the outsourcing of services to a UK-based company that includes the processing of EU personal data (i.e. server hosting; payroll processing), the engagement of UK-based service providers (i.e. online advertising), or instances where an organisation’s UK affiliate is granted access to EU personal data (i.e. due to a global structure of the organisation).
Similar to the action items resulting from the so-called “Schrems II judgement” of the European Court of Justice (case C 311/18), it is therefore advisable for any organisation to assess whether they are affected by Brexit from a privacy perspective and to identify which action items result from this.
The first step to approach this assessment is by way of carrying out a data mapping exercise to identify the organisation’s existing data flows of EU personal data to the UK.
If an organisation is impacted by any of those scenarios described above, what steps need to be considered in case of a ‘hard Brexit’ at the end of the year?
Organisations that have identified EU personal data transfer scenarios to the UK will be able to continue to operate in the same manner in 2021. But it is associated with additional legal assessments, paperwork and operational effort.
For instance, existing contracts with UK organisations or affiliates need to be assessed and adapted to ensure that any transfer of EU personal data from the EU to the UK is in compliance with the GDPR. The GDPR provides a number of mechanisms to safeguard such transfers.
For instance, transfers of EU personal data to an organisation in a third country (e.g., the UK following a no-deal Brexit) can be safeguarded by execution of a set of model contracts issued by the European Commission (“standard contractual clauses”). Standard contractual clauses continue to be the most common approach, and this has not changed since Schrems II. However, it is clear that, in certain contexts, supplementary measures are necessary.
Which supplementary measures?
Unfortunately, the regulation and court rulings have not come up with an easy way to respond to this question.
In the Schrems II decision, the European Court of Justice ruled that organisations that transfer EU personal data to a third country based on standard contractual clauses must ensure that the recipient in the third country is able to comply with the rules laid down in these model contracts.
Compliance with these rules may be challenged in the event that the recipient in a third country may be forced to disclose EU personal data to local authorities subject to its surveillance laws. Where this is the case, it may be necessary to agree with the recipient on supplementary measures to mitigate the (potential) risk of unauthorised access.
Can you illustrate some examples of these supplementary measures?
Supplementary measures may include, but are not limited to, additional contractual terms (e.g., the restriction of recipient’s access rights), technical measures (e.g., end-to-end encryption during transfer), or policies and processes (e.g., stricter data deletion applicable to third country recipients). It is still worth taking a look at the specific transfer and personal data concerned to match corresponding supplementary measures, if needs be.
Transferring this to the Brexit scenario, this means that organisations that transfer EU personal data to the UK following a hard Brexit should enter into standard contractual clauses, along with an assessment on whether the conclusion of supplementary measures is necessary. This might change if and when the EU Commission acknowledges an adequate level of data protection in the UK, but for the time being, most organisations will be expected to go down this road.
It sounds like there is a lot of work to do for EU organisations and privacy lawyers. Is there any additional homework for organisations in preparing for Brexit?
Yes, indeed. Organisations that continue to process EU personal data in the UK following Brexit will be required by the GDPR to inform individuals about this third country transfer in an appropriate manner. This would generally be done by updating the organisations’ privacy notices accordingly – the notices for both customers and employees.
In addition, organisations’ internal compliance documentation would need to be updated appropriately. The record of processing activities should specify the further third country (UK) and the appropriate safeguards for transferring EU personal data to the UK (i.e. standard contractual clauses).
In a very limited number of cases, an organisation may need to consider whether it is legally required to conduct a data protection impact assessment (“DPIA”) for further transferring EU personal data to the UK. However, this is a rather unusual scenario, so there is no need to put it on the must-do list.
How about the other way round, are there any action items for UK organisations to consider from a privacy perspective in case of a ‘no-deal Brexit” at the end of this year?
The UK government has come up with local data protection exit regulations for the UK organisation’s processing practices – but without material changes to the current scheme and rules applicable to the UK under the GDPR.
UK organisations will be able to transfer personal data to the EEA with no additional safeguards needed. In case of any transfer scenario to other third countries such as China or India, UK organisations should follow the requirements laid down in Schrems II and execute standard contractual clauses along with supplementary measures, as appropriate.