Tag: Brexit

UK intents to deliver own Adequacy Decisions for Data Transfers to Third Countries

30. August 2021

On August 26, 2021, the UK Department of Culture, Media and Sport (DCMS) published a document in which it indicated the intent to begin making adequacy decisions for UK data transfers to third countries.

As the UK has left the EU, it has the power under Chapter V of the UK General Data Protection Regulation (UK GDPR) to independently assess the standard of data protection in other jurisdictions, and recognize certain jurisdictions as adequate for the purpose of foreign UK data transfers. This was announced by the DCMS in a Mission Statement including reference to international data transfers, “International data transfers: building trust, delivering growth and firing up innovation“.

“In doing so we want to shape global thinking and promote the benefits of secure international exchange of data. This will be integral to global recovery and future growth and prosperity,” writes the UK Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden and Minister for Media and Data John Whittingdale.

The UK has developed and implemented policies and processes for reaching adequacy agreements with its partners. So far it has identified 10 countries as “priority destinations” for these deals. The countries include Australia, Brazil, Columbia, The Dubai International Financial Centre, India, Indonesia, Kenya, The Republic of Korea, Singapore and the USA.

The adequacy of a third country will be determined on the basis of whether the level of protection under the UK GDPR is undermined when UK data is transferred to the respective third country, which requires an assessment of the importing jurisdiction’s data protection laws as well as their implementation, enforcement and supervision. Particularly important for the consideration will be the third country’s respect for rule of law and the fundamental human rights and freedoms.

The Mission Statement specifies four phases in assessing the adequacy of a jurisdiction. In the first phase, the UK Adequacy Assessment team will evaluate if an adequacy assessment will take place. The second phase involves an analysis of the third country’s level of data protection laws, the result of which will influence the third phase, in which the UK Adequacy Assessment team will make a recommendation to the UK Secretary of State. In the fourth and last phase, the relevant regulations will be presented to Parliament to give legal effect to the Secretary of State’s determination.

Adequacy decisions are planned to be reviewed at least once every four years, and may be subject to judicial review.

European Commission Adopts UK Adequacy Decisions

5. July 2021

On June 28, 2021, the European Commission adopted two adequacy decisions for the United Kingdom, one under the General Data Protection Regulation (GDPR) and another under the Law Enforcement Directive.

This means that organizations in the EU can continue to transfer personal data to organizations in the UK without restriction and fear of repercussions. Thus, there is no need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection while transferring personal data, which represents a relief as the bridging mechanism of the interim period decided on after Brexit set out to expire by the end of June 2021.

The European Commission found the U.K.’s data protection system has continued to incorporate to the same rules that were applicable when it was an EU member state, as it had “fully incorporated” the principles, rights and obligations of the GDPR and Law Enforcement Directive into its post-Brexit legal system.

The Commission also noted the U.K. system provides strong safeguards in regards to how it handles personal data access by public authorities, particularly for issues of national security.

In regards to criticism of potential changes in the UK’s legal system concerning personal data, Věra Jourová, Vice-President for Values and Transparency stated that: „We have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK’s privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.“

The Commission highlighted that the collection of data by UK intelligence authorities is legally subject to prior authorization by an independent judicial body and that any access to data needs to be necessary and proportionate to the purpose pursued. Individuals also have the ability to seek redress in the UK Investigatory Powers Tribunal.

EPRS publishes report on post-Brexit EU-UK Data Transfer Mechanisms

20. April 2021

On April 9th, 2021, the European Parliamentary Research Service (EPRS) published a report on data transfers in the private sector between the EU and the U.K. following Brexit.

The report reviews and assesses trade dealings, adequacy challenges and transfer instruments under the General Data Protection Regulation (GDPR). The report is intended to help take regulatory and business decisions, and in the Press Release the European Parliament stated that “a clear understanding of the state of play and future prospects for EU-UK transfers of personal data is indispensable”.

The report provides in-depth analysis of an adequacy decision for the UK as a viable long-term solution for data flows between the U.K. and the EU, also considering possible mechanisms for data transfer in the potential absence of an adequacy decision, such as Standard Contractual Clauses, Binding Corporate Rules, codes of conduct, and certification mechanism.

In this analysis the EPRS also sheds light on adequacy concerns such as U.K. surveillance laws and practices, shortcomings of the implementation of the GDPR, weak enforcement of data protection laws, and wavering commitment to EU data protection standards.

As part of its conclusion, the EPRS stated that the European Data Protection Board’s (‘EDPB’) opinion on the draft decision, which has just been published (please see our blogpost here), will likely scrutinise the Commission’s approach and provide recommendations on next steps.

EU-UK Trade Deal in light of Data Protection

4. January 2021

Almost fit to be called a Christmas miracle, the European Union (EU) and the United Kingdom (UK) came to an agreement on December 24th, 2020. The Trade Agreement, called in full length “EU-UK Trade and Cooperation Agreement“, is set out to define new rules from the date of the UK Exit from the EU, January 1st, 2021.

President of the European Commission, Ursula von der Leyen, claimed it was a deal worth fighting for, “because we now have a fair and balanced agreement with the UK, which will protect our European interests, ensure fair competition, and provide much needed predictability for our fishing communities. Finally, we can leave Brexit behind us and look to the future. Europe is now moving on.

In light of Data Protection however, the new Trade Deal has not given much certainty of what is to come next.

Both sides are aware that an adequacy decision by the EU Commission is very important with regard to data protection and cross-border data flows. Accordingly, the EU has agreed to allow a period of four months, extendable by a further two months, during which data can be transferred between EU Member States and the UK without additional safeguards. This period was granted to give the Commission enough time to make an adequacy decision. Accordingly, data transfers can continue as before until possibly mid-2021. However, this arrangement is only valid if the UK does not change its data protection laws in the meantime.

With regard to direct marketing, the situation has not changed either: for individuals, active consent must be given unless there was a prior contractual relationship and the advertising relates to similar products as the prior contract. Furthermore, the advertising must also be precisely recognisable as such, and the possibility of revoking consent must be given in every advertising mail.

However, much else has yet to be clarified. Questions such as the competence of the UK Data Protection Authority, the Information Commissioner’s Office (ICO), as well as the fate of its ongoing investigations, have not yet been answered. As of now, companies with their original EU Headquarters in the UK will have to designate a new Lead Supervisory Authority (Art. 56 GDPR) for their business in the EU.

The upcoming months will determine if questions with high relevance to businesses’ day to day practice will be able to be answered reassuringly.

EU Commission highlights necessary preparations for end of Brexit transitioning period

14. July 2020

The European Commission has published a communication on July 9th, 2020, in order to highlight the main areas of change in view of the upcoming end of the transitional Brexit period before January 1st, 2021.

The communication aims to facilitate readiness and preparations for citizens, businesses and stockholders once the UK leaves the European Union. The European Commission states that readiness for these broad and far reaching changes is key, especially since they will take place regardless of the outcome of the negotiations between the UK and the EU.

The communication breaches subjects such as trade in goods, trade in services, energy, travelling and tourism, mobility and social security coordination, company law and civil law, intellectual property, data transfers and protection and international agreements of the EU.

The communication also includes advice in each of those areas and subjects for businesses to be able to start preparations in order to cope with the changes ahead.

With a view on data protection, the European Commission’s communication states that data transfers can continue after January 1st, 2021, however they will have to comply with EU rules and regulations for Third Country Transfers as put forth by the General Data Protection Regulation (GDPR). The Commission specifies the tools set out in Chapter V of the GDPR, which include Binding Corporate Rules, Standard Contractual Clauses, as well as an Adequacy Decision by the European Commission. The communication states that the EU will try its best to conclude the assessment of the UK regime by the end of 2020, in order to give at least some form of security for data transfers after the transitional period ends. On sides of the United Kingdom, the Adequacy of the European union is guaranteed until 2024.

The advice of the European Commission emphasizes compliancy with the GDPR as the best preparation for the Brexit, but lacks security as to what will happen on January 1st, 2021, especially with regards to the future applicable laws.

EDPB shares concerns over UK-US data deal in light of future UK adequacy decision

18. June 2020

On June 17th, 2020, the European Data Protection Board (EDPB) has written an open letter to the Members of the European Parliament over its concerns regarding the Agreement between the United Kingdom (UK) and the USA on Access to Electronic Data for the Purpose of Countering Serious Crime in relation to a future UK adequacy decision after the country’s exit out of the European Union.

In its letter, the EDPB states that it is concerned with the applicability of the safeguards in the Brexit withdrawal agreement with the EU once the UK leaves the Union at the beginning of 2021. The Agreement between the UK and the US allows for easy data access in the case of the prosecution of serious crimes, and facilitates an access request to be made to UK authorities and businesses under the US Cloud Act, for which it is unsure if the safeguards agreed upon between the EU and the UK apply.

The EDPB also stresses that, in the light of a potential data sharing agreement between the EU and the US, it is mandatory that the European safeguards in such an agreement “must prevail over US domestic laws” in order to be “fully compatible with European laws”.

Furthermore, the letter also states that “it is also essential that the safeguards include a mandatory prior judicial authorisation as an essential guarantee for access to metadata and content data”. In its preliminary assessment, the EDPB could not distinguish such a provision in the UK-US Agreement.

While right now the EDPB can only make a preliminary assessment of the situation based on the current elements at its disposal, it states clearly that the Agreement between the UK and the US will have to be considered in any relevant adequacy decision in the future. This is especially important as there is a “requirement to ensure continuity of protection in cases of onwards transfers from the UK to another third country”.

In any case, the EDPB intends to release its own opinion on the matter if the European Commission should release a draft of the adequacy decision for the UK.

EDPS publishes opinion on future EU-UK partnership

3. March 2020

On 24 February 2020, the European Data Protection Supervisor (EDPS) published an opinion on the opening of negotiations for the future partnership between the EU and the UK with regards to personal data protection.

In his opinion, the EDPS points out the importance of commitments to fully respect fundamental rights in the future envisaged comprehensive partnership. Especially with regards to the protection of personal data, the partnership shall uphold the high protection level of the EU’s personal data rules.

With respect to the transfer of personal data, the EDPS further expresses support for the EU Commission’s recommendation to work towards the adoption of adequacy decisions for the UK if the relevant conditions are met. However, the Commission must ensure that the UK is not lowering its data protection standard below the EU standard after the Brexit transition period. Lastly, the EDPS recommends the EU Institutions to also prepare for a potential scenario in which no adequacy decisions exist by the end of the transition period on 31 December 2020.

CNIL updates its FAQs for case of a No-Deal Brexit

24. September 2019

The French data protection authority “CNIL” updated its existing catalogue of questions and answers (“FAQs”) to inform about the impact of a no-deal brexit and how controllers should prepare for the transfer of data from the EU to the UK.

As things stand, the United Kingdom will leave the European Union on 1st of November 2019. The UK will then be considered a third country for the purposes of the European General Data Protection Regulation (“GDPR”). For this reason, after the exit, data transfer mechanisms become necessary to transfer personal data from the EU to the UK.

The FAQs recommend five steps that entities should take when transferring data to a controller or processor in the UK to ensure compliance with GDPR:

1. Identify processing activities that involve the transfer of personal data to the United Kingdom.
2. Determine the most appropriate transfer mechanism to implement for these processing activities.
3. Implement the chosen transfer mechanism so that it is applicable and effective as of November 1, 2019.
4. Update your internal documents to include transfers to the United Kingdom as of November 1, 2019.
5. If necessary, update relevant privacy notices to indicate the existence of transfers of data outside the EU and EEA where the United Kingdom is concerned.

CNIL also discusses the GDPR-compliant data transfer mechanisms (e.g., standard contractual clauses, binding corporate rules, codes of conduct) and points out that, whichever one is chosen, it must take effect on 1st of November. If controllers should choose a derogation admissible according to GDPR, CNIL stresses that this must strictly comply with the requirements of Art. 49 GDPR.

Brexit: Deal or “No-deal”

12. March 2019

Yesterday evening, shortly before the vote of the UK parliament on the circumstances and if necessary a postponement of the Brexit, Theresa May met again with Jean-Claude Juncker in Strasbourg. Both sides could agree on “clarifications and legal guarantees” regarding the fall-back solution for Northern Ireland.

These (slightly) expand the United Kingdom’s (UK) opportunity to appeal to an arbitration court in the event that the EU should “hold the UK hostage” in terms of the membership of the customs union by means of the Backstop-Clause beyond 2020. This “legally binding instrument”, as Juncker said, intends to clarify that the Backstop-Clause on the Irish border is not to be regarded as a permanent solution. This shall also be confirmed in a joint political declaration on the future relations between the two sides. However, the wording of the complementary regulation is legally vague.

May is nevertheless confident that the British Parliament will approve the “new” agreement to be voted on tonight. Meanwhile, Jeremy Corbyn, Labour Party leader, has announced and urged to vote against the agreement. In any case, Juncker has already rejected further negotiations on adjustments to the current version of the withdrawal agreement, emphasizing that there will be no “third chance”. By 23rd May, when the EU elections begin, the Kingdom shall have left the EU.

The vote on “how” and “when” of the Brexit will be taken in the next few days, starting tonight at 8 p.m. CET. If the withdrawal agreement will be rejected again today, the parliament will vote on a no-deal Brexit tomorrow (the UK would then be a third country in the sense of the GDPR as of 30th March). In case this will also be rejected, on 14th March the parliament will eventually vote on a delay of the Brexit date. A postponement could then lead to a new referendum and thus to a renewed decision on the question of “whether” a Brexit will actually take place.

Category: EU · GDPR · General · UK
Tags:

EDPB publishes information note on data transfer in the event of a no-deal Brexit

25. February 2019

The European Data Protection Board has published an information note to explain data transfer to organisations and facilitate preparation in the event that no agreement is reached between the EEA and the UK. In case of a no-deal Brexit, the UK becomes a third country for which – as things stand at present – no adequacy decision exists.

EDPB recommends that organisations transferring data to the UK carry out the following five preparation steps:

• Identify what processing activities will imply a personal data transfer to the UK
• Determine the appropriate data transfer instrument for your situation
• Implement the chosen data transfer instrument to be ready for 30 March 2019
• Indicate in your internal documentation that transfers will be made to the UK
• Update your privacy notice accordingly to inform individuals

In addition, EDPB explains which instruments can be used to transfer data to the UK:
– Standard or ad hoc Data Protection Clauses approved by the European Commission can be used.
– Binding Corporate Rules for data processing can be defined.
– A code of conduct or certification mechanism can be established.

Derogations are possible in the cases mentioned by article 49 GDPR. However, they are interpreted very restrictively and mainly relate to processing activities that are occasional and non-repetitive. Further explanations on available derogations and how to apply them can be found in the EDPB Guidelines on Article 49 of GDPR.

The French data protection authority CNIL has published an FAQ based on the information note of the EDPB, explaining the consequences of a no-deal Brexit for the data transfer to the UK and which preparations should be made.

Pages: 1 2 Next
1 2