With the possibility of a hard Brexit, it is now high time to take measures to ensure that your data remain protected when they are processed or stored in the UK. This blog describes five ways to continue to comply with the GDPR.
Although the data protection authority ICO explains that in the event of a hard Brexit, the UK does intend to incorporate its own version of the GDPR into British law, there are no guarantees that the UK thereby meets the high European level of protection. Authoritative privacy professor Douwe Korff explains in a recent paper that after a hard Brexit, the UK is given the status of inadequate third country, just like, for example, Nigeria and Russia. The country then comes at the end of the queue of countries that would like a stamp of approval from the European Commission, such as Mexico, South Korea and India. The procedure for an adequacy decision could, according to the late Giovanni Buttarelli, the passionate chairman of the EDPS, take years, also because the Commission then has to assess the powers of the British law enforcement services and the guarantees for data subjects.
So it is not a good idea to wait for an adequacy decision. If you still want to or need to transfer data to the UK, there are five options to comply with the GDPR. You can use one of three types of agreement, you can invoke one of the specific exceptions in the GDPR, or you can temporarily stop the transfer of personal data to the UK.
Regardless of whether you are a data controller or a data processor, you may only transfer personal data to the UK after a hard Brexit if you ensure suitable guarantees that meet the conditions of the GDPR. You may continue to transfer personal data to the UK if you enter into a specific agreement (Article 46 of the GDPR), or if you can invoke one of the exceptions (Article 49 of the GDPR). The underlying purpose of these guarantees is that the data subjects have enforceable rights and effective remedies. There are four realistic options, namely:
Other exceptions to the ban on transfers to third countries are approved codes of conduct or certifications, but since they do not yet exist, that is only a theoretical possibility. The GDPR also offers additional options for transfers between government bodies, such as an international treaty or approved specific agreements, but so far, these are also mainly theoretical options.
The day before Budget Day, the Dutch Minister for Legal Protection announced in a letter to the House of Representatives that the waiting period at the Dutch Data Protection Authority (AP) for handling BCRs has increased to 3 to 5 years and that an increase in applications is expected after a hard Brexit. It is unlikely that the AP can assess self drafted agreements a lot quicker. Even worse: Douwe Korff explains that the BCRs approved by the ICO are no longer valid after a hard Brexit. According to its website the ICO has approved 33 BCRs. Korff writes: “After a ‘No-Deal Brexit’, UK(ICO)-approved Codes of Conduct and Binding Corporate Rules (BCRs) will no longer be recognized in the EU/EEA, and nor will any future UK(ICO)-approved certification mechanisms."
Due to the long waiting time at the DPA(s), concluding an agreement based on the EU Model Clauses with a joint controller, processor or sub-processor in the UK is currently the best option. Make sure that you, as the data controller, have control over the purposes for which the processor may process your data, that the organisation in the UK does not transmit data to countries without an adequate level of protection and that you have the right to verify through audits the compliance with the agreed data processing.
A fifth possibility to continue to comply with the GDPR after a hard Brexit is to temporarily cease the processing of any personal data in the UK. Many major cloud providers offer you the option of storing your data only in Europe. The contract usually states that the suppliers will only transfer your data to (sub)processors in countries outside the European Economic Area with your consent. We recommend you inform your supplier as soon as possible that you withdraw any prior consent for the transfer of data to the UK after a hard Brexit, for all types of personal data and processings. The prohibition on transferring without appropriate safeguards does not only apply to the personal data that you actively store or provide to a help desk, but to all personal data about your use of the services.
More information about the measures to be taken after a hard Brexit can be found in the explanation of the European Data Protection Board (EDPB) and the explanations of the ICO, the French CNIL and the Autoriteit Persoonsgegevens. Of course, you can also contact Privacy Company for customised advice.