On December 19th 2018 the UK Office of the Information Commissioner (ICO) published its guidance on GDPR compliance in event of a ‘no deal’ Brexit.[1] This is very welcome, but it does not go into much practical detail.
This paper aims to provide more background and to identify practical steps that small and medium businesses can take as contingency measures in case of a ‘no-deal’ Brexit. We, the authors, are not lawyers, but from our many cumulative years experience in data protection and business management
we believe that none of the actions suggested here are likely to be detrimental should a ‘no deal’ Brexit be avoided. Indeed for the most part the effort to action them would not be wasted as they reflect best practice in covering all bases and it is better to be safe than sorry.
[1] The 19th December ICO guidance
[2] The current model clauses
[3] Bryan Cave Leighton Paisner on the controller to processor model clauses
In the absence of a EU membership withdrawal agreement containing special provisions to the contrary, when the UK leaves the EU on March 29th 2019 it will become a so called ‘third country’ and cease to be party to the general assumption of data protection law adequacy enjoyed by members of the European community.
The optimum resolution to this will be for the UK to apply for and obtain an ‘adequacy decision’, but its award is not automatically assured, and even if granted it could take quite some time to obtain (an application by Japan has taken over a year so far).
In the interim (or at worst if an adequacy decision application fails), the simplest mechanism for personal data transfers between the EU and UK will be the adoption by individual businesses of standard contractual clauses (SCCs).[2] These have existed for some time but have not been amended since the GDPR came into force. As a result, despite UK Government assurances that they can still be used until they are amended, replaced or repealed by the European Commission, your European data partners might not necessarily be satisfied that the existing SCCs fully meet the requirements of the GDPR. The SCCs for EU controller to third country processor relationships are the most obvious case. A useful summary of their deficiencies compared to the GDPR has been produced by US law firm Bryan Cave Leighton Paisner.[3]
Merely including these SCCs in your EU to UK data transfer contracts may therefore be insufficient in practice to ensure compliance. It is essential to recognise that in respect of personal data transfers from the EU to the UK it will be the data protection regulatory authorities of the EU countries with which you do business (and ultimately the European Commission) that both interpret the legislation and evaluate your level of compliance with it, and their decisions may override those of the ICO. Furthermore, in the absence of an adequacy decision, your processing is likely to be scrutinised by the EU parties to your data transfers more rigorously than while the UK is in the EU, even if you have adopted the SCCs into your data transfer contracts. The standard to which you can demonstrate that you actually fulfil both the requirements of the SCCs and the obligations imposed by the GDPR will therefore be a paramount consideration, as even minor compliance failures could prompt challenges by your EU partners or EU data subjects.
European Commission document 2010/87/EU explains and contains the standard contractual clauses covering the EU controller to third country processor relationship. From the position of the importing (UK) data processor, these generally coincide with the requirements of the GDPR, except that the GDPR is more stringent in respect of the description of processing, assurance of confidentiality, cooperation with the controller in responding to data subjects, data breach notification, assisting the controller with data protection impact assessments, the controller’s right to audit the processor’s compliance, and, most importantly, restrictions on onward transfers outside the EU. In these areas, the GDPR requirements should take precedence, so merely relying as a processor on the SCCs may not ensure compliance with the GDPR in practice.
European Commission document 2001/497/EC explains and contains the earliest, and at first sight simplest, set of SCCs for controller to controller transfers. But by virtue of that very simplicity of expression it is not easy for the most part to identify specific required action points from the clauses. Consequently, it may be quite difficult for a UK controller (data importer) to be confident of demonstrating compliance. However, one of the explicit obligations is joint and several liability of both controllers, which could prove quite an onerous burden.
European Commission document 2004/915/EC explains and contains the second and latest set of SCCs for EU controller to importing (UK) controller transfers. These SCCs both are far more explicit and more obviously align with the GDPR than the 2001 set, but contain some additional requirements, notably an obligation on the data importer (the UK party to the transfer) to provide the exporter (the EU party) on demand with evidence of sufficient financial resources to cover liability to the exporter and affected data subjects (and possibly others) in case the importer breaches the SCCs. This liability is wider than merely for ‘personal data breaches’ as defined by the GDPR. If insurance is relied on to fulfil this obligation, businesses should consider the entire range of events that might result in liability to either the exporter or data subjects, and make sure they can demonstrate adequate cover. ‘Cyber breach’ policies may possibly not be sufficient, as the relevant clause in the SCCs provides for liability in respect of “any breach of these clauses” and “any breach of third party rights under these clauses”.
Comparing options 1 and 2, we suggest that, due to both their lack of specificity and their imposition of joint and several liability, the 2001/497/EC SCCs might not be the best choice if you have the option to choose between them and the second and later set.
Where a UK business has obtained personal data from an EU exporter and intends to transfer it onward to another third country, the UK forwarding party will be obliged to ensure that its obligations under the GDPR and the adopted SCCs are also imposed on the recipient of the onward transfer. This might be problematic in practice where standardised sub-processing services are provided on the basis of unilaterally imposed non-negotiable contracts drawn up by third country service providers (e.g. transnational ‘cloud’ providers) that are the recipients of the onward transfer. A special case of this worthy of note is the possibility that the UK as a third country may not be able to rely on declarations by US service providers of compliance with Privacy Shield, as once outside the EU the UK will itself no longer be a party to Privacy Shield.
Where a third country (e.g. UK) data controller directly collects and processes the personal data of subjects in the EU, the SCCs will not be applicable. Instead, the relevant requirements of Article 49 of the GDPR must be met. In practical terms, this means that either the data subject’s specific, explicit, informed consent must be obtained for every transfer, or the data must be exclusively processed for the purposes
of entering into or performing a contract to which the data subject is a party. This is not hugely different from existing requirements in respect of EU data subjects except that the choice of lawful basis is more limited. Specifically, the currently widely relied on ‘legitimate interest’ lawful basis will not be available for such processing.
UK businesses processing the personal data of subjects in the EU for the purpose of offering goods or services or in order to monitor their behaviour within the EU will be required to appoint a representative in the EU, which data subjects can approach to query the principal’s processing or exercise their rights.
UK business processing of the personal data of subjects in the UK is currently subject to the Data Protection Act 2018, which for the most part echoes the GDPR. The ICO somewhat confusingly stated in the December 19th guidance that ‘When the UK exits the EU, the EU GDPR will no longer be law in the UK. The UK government intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK (the “UK GDPR”)’ although it would appear at first sight that this has already been accomplished in the DPA 2018. However regardless of the specifics, transfers by UK businesses to the EU and elsewhere of the personal data of subjects in the UK will continue to be subject to the UK Data Protection Act 2018 or any UK legislation that replaces it.
These twelve action points should be considered now by UK businesses transferring personal data from the EU to the UK. In the event of a ‘no deal’ Brexit and while the UK has not been granted an adequacy decision, they will be fundamental to demonstrating compliance to your EU data partners and data subjects in the EU, regardless of any UK data protection legislation.
[1] Map all the personal data sharing you undertake and identify all cross border transfers to and from your business to ensure that no transfers pass under the radar.
[2] Review your reliance on the ‘legitimate interest’ lawful basis, and determine whether consent or contractual necessity should be relied on instead for processing the personal data of subjects in the EU.
[3] Ensure measures are in place to record consent or evidence of contract as the lawful basis for every transaction that includes collection of personal data directly from subjects in the EU.
[4] Ensure that your privacy notices accurately, fully and clearly express all your relevant processing in internationally accessible terms (e.g. in the languages of the EU countries where you do business), as any deficiencies here could be a prime source of complaints.
[5] Enter into negotiations with all your EU business partners from which you obtain personal data for inclusion of the relevant SCCs into your existing data processing contracts.
[6] As soon as possible engage with potential EU data sources for foreseeable future data transfer requirements as post-Brexit negotiations may prove harder.
[7] If you are acting as a data processor for an EU data controller, ensure that your revised contracts fully meet the requirements of the GDPR where these exceed those of the 2010/87/EU SCCs.
[8] Review all contracts relating to your onward personal data transfers to other third countries to ensure they will meet the standards of the GDPR, particularly with reference to US parties relying on Privacy Shield.
[9] Where contracts with third country processors or recipients of onward transfers are non-negotiable and may not be, or remain, compliant, consider finding alternative providers.
[10] Establish whether you are offering goods or services to data subjects in the EU as defined by the GDPR, and if so investigate and negotiate representation in the EU.
[11] Where you are in a controller/controller relationship with an EU partner, review your insurance cover or other measures to ensure you can fulfil the financial cover obligation in respect of the full range of potential liability (particularly with reference to 2004/915/EC clause II(f)).
[12] In order to support the audit requirement of the SCCs, prepare full documentation of your processing in accordance with Article 30 of the GDPR even if you currently consider your business exempt.
Mike Barwise
Director, BiR
Peter Barnes
Director, Barnes Meridian Consulting
15/01/2019