News from Brussels with far-reaching consequences: In a notice dated 9 January 2018, the Directorate-General Justice and Consumers of the European Commission declared that the United Kingdom will become a “third country” under the General Data Protection Regulation once it withdraws from the EU. The term “third country” refers to any country that is not a member of the EU. Should the currently planned withdrawal date remain as agreed, data transfers to companies based in the UK can no longer be treated the same as data transfers to companies based in Germany or other EU member states as from 30 March 2019, 00:00h (CET). The transfer of data to the United Kingdom will then need to be treated in a similar way to the transfer of data to the United States: such transfers require further arrangements in order to be lawful.
Legal situation after Brexit
The purpose of the General Data Protection Regulation (“GDPR”) is, among other things, to standardise data protection law across the European Union. Transferring data between EU-based companies is facilitated significantly because the data protection rules of the member states have been aligned. From day one after the withdrawal of the United Kingdom from the EU, the UK will be a “non-EU country” and will have the status of a third country. As a result, the transfer of data to companies headquartered in the United Kingdom will be subject to additional requirements beyond those the GDPR imposes on data transfers within the EU. A company that intends to transfer data to England, Scotland, Wales or Northern Ireland will have to ensure that these additional requirements are fulfilled.
Who is affected?
The notice of the Commission is of significant relevance for companies that continuously transfer personal data to the United Kingdom, e.g. where a parent company or another group company has its headquarters in the United Kingdom and the personnel data of the German subsidiary’s employees is administered centrally in the UK. This structure becomes particularly sensitive where data from job application documents has already been transferred to the third country.
The current legal development is also important for companies that transfer data to the United Kingdom as part of commissioned data processing. This may be the case when using cloud-based IT solutions, for instance, for storing customers’ personal data on a server located in the United Kingdom.
Consequences of data transfers without a legal basis
If a data transfer to a recipient in the United Kingdom is conducted without a legal basis, this violates the GDPR. Such a violation may cause the competent supervisory authority to impose a fine of up to EUR 20 million or 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. The accompanying reputational damage, however, is of at least equal significance for the company responsible for the data.
Requirements for a legally compliant data transfer to a third country
The transfer of personal data to a third country requires additional justification. A two-step check has to be conducted. As a first step, it has to be determined whether the data may be transferred at all (whether within the EU or outside it), i.e. whether a valid consent or another legal basis for the processing exists. As a second step, it has to be determined whether the conditions for a transfer outside the EU are satisfied. Several options exist for satisfying this second step. All of them have in common that they aim to ensure that the data recipient located outside the EU provides a level of data protection that complies with EU requirements.
EU Commission adequacy decisions
An adequate level of data protection exists when the EU Commission has adopted a so-called adequacy decision for a third country.
1. Adequacy decision for data transfers to the US
The EU Commission adopted an adequacy decision for data transfers from the EU to the US in the form of the Privacy Shield. A company intending to transfer data from the EU to the US has to ensure that the US recipient is certified under the Privacy Shield framework. The Privacy Shield, agreed between the EU Commission and the US government, aims to ensure a level of data protection in the US – or rather for those companies participating in the framework – that complies with European requirements. US-based companies obtain this certification by self-certifying with the Department of Commerce (“DOC”). The prerequisite is that the company complies with the data protection principles set out in the Privacy Shield framework. In order to verify that the data recipient in the US actually holds the certification, the data controller in the EU can consult the public list of all certified companies published on the website of the International Trade Administration (“ITA”).
2. Adequacy decision for data transfers to the United Kingdom
As soon as the United Kingdom has left the EU in March 2019, it will be treated as a third country. A company intending to transfer data to England, Scotland, Wales or Northern Ireland then has to ensure that the additional requirements are fulfilled. An adequacy decision with regard to the level of data protection in the United Kingdom is not yet foreseeable.
Data transfer subject to appropriate safeguards
If no adequacy decision exists to legitimise a data transfer to a third country, the transfer may be based on appropriate safeguards. The GDPR offers the companies involved in the transfer several ways of providing such safeguards:
1. Adoption of EU standard data protection clauses
The companies involved may use the standard contractual clauses for the transfer of data provided by the EU Commission. This is a model contract that has to be concluded between the parties. However, the decisive factor is not only the conclusion of the contract but also that the data recipient in fact implements and complies with the contractual data protection obligations. Only then does the data recipient in the third country provide an adequate level of data protection.
2. Binding corporate rules
If binding corporate rules exist for the companies of the same corporate group, they may transfer personal data within the group, including to third countries. These corporate rules have to fulfil a specific set of requirements and must be approved by the competent supervisory authority.
3. Code of conduct
Another appropriate safeguard for the protection of personal data may be the use of an approved code of conduct. Such codes of conduct are drawn up by associations and other bodies representing controllers or processors and must in particular provide legal remedies for the persons affected by the data processing. The company responsible for the data has to ensure that the data recipient is bound by the code of conduct, e.g. by binding the recipient through a contractual arrangement.
Moreover, it is possible to have specific processing operations certified, i.e. to attest that the data recipient’s processing complies with the requirements of the GDPR. However, in addition to the certification, it has to be ensured in a legally binding manner – e.g. through a contract – that the data recipient in fact meets the certification criteria.
Exception for specific cases
The GDPR provides several exceptions. A data transfer may be permitted, for instance, if the data subject explicitly consents to it. A valid consent has to satisfy the general requirements the GDPR sets for consent to data processing within the EU. In addition, before giving consent, the data subject has to be informed about the risks that the transfer may entail in the absence of the protection mechanisms provided under the GDPR. This may be impractical at times. Furthermore, it has to be taken into consideration that consent to a transfer to a third-country recipient is an exception and is therefore to be interpreted restrictively.
Data transfers between the United Kingdom and the US post Brexit
After Brexit, US- and UK-based companies will have to deal with the question of how data transfers between companies located in these two countries can be legitimised. By exiting the EU, the United Kingdom also leaves the scope of the Privacy Shield framework. Any arrangement the United Kingdom reaches with the US must not, however, undermine the level of data protection the United Kingdom needs to maintain in order for data transfers with the EU to remain possible.
What should EU and UK companies do with regards to Brexit?
“Preparing for the withdrawal is not just a matter for EU and national authorities but also for private parties”, the EU Commission states at the end of its notice. Companies should check whether they transfer data to recipients in England, Scotland, Wales or Northern Ireland. If so, they should ensure before spring 2019 that they have a legal basis for these transfers and that they are prepared for the scenario in which the EU Commission does not adopt an adequacy decision. In that case, the options described above may provide a legal basis for the data transfer.
Please do not hesitate to contact us if you have any questions on the GDPR. Our experts are happy to assist you with the implementation of the new legal provisions concerning data protection in your company.