Tag: Brexit
14. February 2019
On February 12, 2019 the European Data Protection Board (EDPB) released on their website a document containing a two-year Work Program.
The EDPB acts as an independent European body and is established by the General Data Protection Regulation (GDPR). The board is formed of representatives of the national EU and EEA EFTA data protection supervisory authorities, and the European Data Protection Supervisor (EDPS).
The tasks of the EDPB are to issue guidelines on the interpretation of key ideas of the GDPR as well as the ruling by binding decisions on disputes regarding cross-border processing activities. Its objective is to ensure a consistent application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions. It promotes cooperation between EEA EFTA and the EU data protection supervisory authorities.
The EDPB work program is based on the needs identified by the members as priority for individuals, stakeholders, as well as the EU legislator- planned activities. It contains Guidelines, Consistency opinions, other types of activities, recurrent activities and possible topics.
Furthermore, the EDPB released an information note about data transfers if a no-deal Brexit occurs. As discussed earlier, in this case the UK will become a so-called “third country” for EU member countries beginning from March 30. According to the UK Government, the transfer of data from the UK to the EEA will remain unaffected, permitting personal data to flow freely in the future.
18. January 2019
Prime Minister Theresa May’s draft withdrawal agreement to regulate Brexit was rejected by a clear majority of parliamentarians on 15th January. The draft withdrawal agreement has been agreed in November 2018 by the United Kingdom (UK) and the European Union (EU) – we reported: Brexit: Draft withdrawal agreement – GDPR remains applicable for foreseeable future – containing a transition period of 21-months in order to facilitate business sectors in their planning. Because of the recent rejection of the withdrawal agreement by the British Parliament, the scenario of the UK disorderly leaving the EU has now become quite likely. Among various economic and EU law issues, Brexit has also a concrete impact on data protection.
In case of a Brexit without corresponding transitional rules, the UK would be regarded as a third country under the General Data Protection Regulation of the EU (GDPR) as of 29th March 2019. This was also confirmed by Prof. Dr. Dieter Kugelmann, the State Data Protection Officer of Rheinland-Pfalz: “The fact is that the United Kingdom will become a “third country” within the meaning of the GDPR after leaving the EU.” Thus, an adaquacy decision would be required to transfer personal data of EU citizens or from the EU to the UK in the absence of any other mechanisms ensuring an adequate level of data protection according to Art. 44 ff. GDPR.
Since many companies currently transfer customer or employee data to the UK as well as a lot of data centres of service providers are located there, the Brexit will cause a need for adaption in terms of data protection matters. After the Brexit these Companies must ensure that there is an adequate legal basis for the relevant data transfers to the UK. Furthermore, according to Art. 13, 14 GDPR, the data subjects must be informed regarding the transfer of personal data outside the EU/EEA. All privacy policies on websites, privacy notices to employees etc. therefore would have to be adjusted. In the event of a data subject’s request for information, Art. 15 GDPR stipulates that the data subject must be informed about the transfer of his/her personal data to a third country. When personal data are transferred to the UK deemed as a third country, companies would eventually have to adjust their records of processing activities pursuant to Art. 30 GDPR.
It is recommended that in particular those companies transferring a lot of personal data to the UK at least are aware of these potentially required adaptations in order to further ensure compliance with EU data protection laws. As the GDPR, principally does not privilege any group of companies, the aforementioned recommendation also apply to data flows within such groups.
29. January 2018
Withdrawal of the United Kingdom from the Union and EU leads to United Kingdom become a third country.
The European Commission annouced, that on 30.03.2019, 00:00h (CET) the United Kingdom will no longer be member of the Union and EU, all Union and secondary law will cease to apply.
That means, tat all stakeholders processing personal data need to consider the legal repercussions of Brexit, beacuse as of the withdrawal date, the EU rules for transfer personal data to third countries apply. GDPR allows a transfer if the controller or processor provides appropriate safeguards.
Safeguards may be provided by:
- Sandarad data protection clauses (SCC)
- the Commission has adopted three sets of model clauses which are available on the Commission’s website
- Binding corporate rules (BCR)
- legally binding data protection rules approved by the competent data protection authority which apply within a corporate group
- Condes of Conduct
- Approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country
- Certification mechanisms
- Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country
Besides a transfer may take place based on consent, for the performance of a contract, for exercise of legal claims or for important reasons of public interest.
These procedures are already well-known to business operators beacuse they are uses today for the transfer of personal data to non EU-countries like the USA, Russia or China.
The decision is disappointing for everyone who were hoping for an adequate level of data protection in the United Kingdom.
Stakeholders should prepare for the requirements associated with recognition as a third country.
4. April 2017
After the Brexit, keeping data by the UK companies and organizations is expected to become more certain locally than globally.
Elizabeth Denham, the UK’s Information Commissioner, recently commented before the House of Lords EU Home Affairs Sub-Committee, that the UK should apply to the European Commission for a full “adequacy” decision in terms of proving the adequate data protection measures as UK will become soon a non-EU country.
British government comments on the free trade deal with these words: “no deal for the UK is better than a bad deal for the UK”.
In the context of Brexit, it is crucial for the industry of the UK to keep the data-flows unhindered though.
British politician David Davis indicates that the UK and EU are now on their way to find and maintain equivalence (and not identity) in their relations (especially when it comes to business) in order to keep up their common interest.
Even though Davis is not using the “adequacy” term in his speech, this is what the UK technology industry is asking for.
Government assures that if no accord in that matter will be reached, there are still many alternatives to adequacy.
5. October 2016
Last week, Elizabeth Denham, held her first speech as UK Information Commissioner (ICO). In this speech she referred, amongst others, to the effects of the Brexit with regard to the application of the GDPR.
Denham remarked that the GDPR involves the modernization of European Data Protection and the necessity of these new rules in order to ensure cross-border commerce and the protection of individuals. As the GDPR may be applicable before the UK has left the EU, she ensured that the ICO will keep on providing guidance and advice on the GDPR.
Furthermore, she stated that even after the UK has formally left the EU, flows of personal information will be still necessary, so that the level of data protection in the UK should be essentially equivalent to the one in the EU. Therefore, she encourages businesses to improve and adapt their practices to the GDPR.
