Short Reads

Brexit and data protection: preparing for a 'no-deal'

Brexit and data protection: preparing for a 'no-deal'

Brexit and data protection: preparing for a 'no-deal'

18.02.2019 NL law

As it stands, the UK will exit the European Union at midnight on 29 March 2019. Therefore, businesses within the UK, or with trade relations with the UK, would be best advised to assume that a no-deal Brexit is inevitable. The exchange of personal data  within the EU is governed by the General Data Protection Regulation (GDPR). In a no-deal Brexit, the GDPR will cease to be applicable in the UK upon its EU exit.

The national data protection authorities, united in the European Data Protection Board (EDPB), published an 'information note' on 13 February regarding personal data transfers in the event of a no-deal Brexit. The EDPB reaffirms the importance of making adequate arrangements for data streams to and from the UK in the event that no deal is reached. In particular, it sets out the options open to safeguarding the transfer of data to the UK under the GDPR once it leaves the European Union.

Data transfers from the UK

The UK has indicated that it will incorporate the GDPR into its legal system after Brexit As a consequence, data transfers from the UK to the rest of the EU should not be affected by Brexit, and will be subjected to the same safeguards as they are now.

Data transfers to the UK

More problematic, for the time being, are transfers of personal data to the UK. The EDPB's note indicates that, in the event  of a no-deal Brexit, the UK will become a 'third country' for the purposes of the GDPR. As a result, data streams from the EU towards that country may no longer flow freely as they do between EU-members, but must be subjected to one of the 'safeguards' envisioned by the GDPR, as set out below. 

Adequacy Decision

The adequacy decision is a mechanism, by which the European Commission may declare that a non-EER country offers a sufficient level of data protection in its legal system, and that no further measures by the data controller or processor are required for data streams to the UK. An adequacy decision for the UK would enable UK data transfers after a no-deal Brexit and is the preferred option under the withdrawal agreement. However, a possible Adequacy Decision for the UK is not expected before late 2020. Therefore, a 'legislation gap' between March 29th and the expected adequacy decision is highly likely.

Binding Corporate Rules

If the data is exported within a single group of companies or an international organisation, the company group may impose what are known as Binding Corporate Rules (BCRs) on its respective entities. This is essentially a 'Code of Conduct' that brings the non-EU entities in line with the data protection standards already applicable to their EU counterparts. Companies may draft their own BCRs, but they must be approved by the data protection authority of the company's lead authority. Such approval processes  take time and are not a quick solution that can be reached before the 30 March deadline.

Standard Model Clauses

The Standard Model Clauses (SMC) is a list of data protection clauses pre-approved by the European Commission. If incorporated in the agreement with a non-EU processor or joint controller the SMC is sufficient to comply with the GDPR's provisions on data transfers outside the Union. Separate versions exists for controller-to-controller transfers (both the original version and the alternative version can be used, depending on the parties' preference), and for controller-to-processor transfers. The SMCs must be signed by both parties, and must not be amended in any way in order to be valid.

Use of the SMCs will often be the most practical option, as these do not hinge on approval from a data protection authority.

Derogations

In exceptional circumstances, the data controller may transfer data outside the EU without any of the above safeguards in place. In particular, the transfer is permitted where the data subject has given explicit consent for the transfer. This is different from the 'general' form of consent which can be used as a grounds for processing, as the data subject must be informed of the particular risks associated with the data transfer.

Codes of conduct and certification mechanisms

Lastly, companies may adhere to approved codes of conduct set out by industry-specific representative bodies or associations and approved by the EDPB. In addition, certification bodies may be created to certify and monitor companies on a voluntary basis. However, these provisions are something for the future – no code or body has acquired the required approval from the EDPB as yet. It is therefore not expected that such tools will be in place for post-Brexit data transfers very soon, though it may be useful to contact your industry association to check if they are likely to be adopted in the near future.

Team

Related news

22.07.2021 NL law
Towards a European legal framework for the development and use of Artificial Intelligence

Short Reads - Back in 2014, Stephen Hawking said, “The development of full artificial intelligence could spell the end of the human race.” Although the use of artificial intelligence is nothing new and dates back to Alan Turing (the godfather of computational theory), prominent researchers – along with Stephen Hawking – have expressed their concerns about the unregulated use of AI systems and their impact on society as we know it.

Read more

08.06.2021 NL law
De Europese Klimaatwet uitgelicht

Short Reads - Op 21 april 2021 is een voorlopig akkoord bereikt over de Europese Klimaatwet. Deze Klimaatwet kan worden gezien als de kern van de Europese Green Deal, die in december 2019 werd gepubliceerd door de Europese Commissie. Het overstijgende doel van deze instrumenten is om een klimaatneutraal Europa te bewerkstelligen in 2050. De Europese Klimaatwet zorgt ervoor dat deze klimaatneutraliteitsdoelstelling in een Europese verordening wordt vastgelegd. Dit blogbericht gaat nader in op de Europese Klimaatwet en legt uit wat dit met zich brengt.

Read more

19.07.2021 BE law
One year of Schrems II: a state of affairs for international data transfers

Articles - International data transfers have been the subject of intense debates ever since the Court of Justice issued its landmark judgement of Schrems I, on 6 October 2015. The intensity of the debate was further reinforced since the Schrems II decision one year ago, on 16 July 2020. The decision annulled the U.S. Privacy Shield and severely tightened the rules on the use of standard contractual clauses (“SCCs”).

Read more

08.06.2021 NL law
Actualiteiten milieustrafrecht: zorgelijke ontwikkelingen

Short Reads - Vrijdag 28 mei jl. hadden wij een inspirerend webinar over actualiteiten op het gebied van milieustrafrecht. Wij spraken gedurende 90 minuten onder meer over aansprakelijkheden van bestuurders, de zorgplichten, incidentenrapportages vanuit strafrechtelijk- en bestuursrechtelijk perspectief.

Read more

18.06.2021 NL law
FAQ: Wat houdt het Wetsvoorstel elektronische gegevensuitwisseling in de zorg (Wegiz) in en wat is de verhouding tot de AVG?

Short Reads - (Digitale) gegevensuitwisseling in de zorg is een actueel thema. Illustratief is een item bij EenVandaag van april 2021 waarin de analoge werkwijze bij gegevensuitwisseling in de zorg wordt aangekaart, maar ook dit artikel in het NRC van afgelopen maand waarin verslag werd gedaan van een datalek waardoor duizenden gevoelige patiëntgegevens op straat kwamen te liggen. 

Read more

03.06.2021 NL law
First material judgment in Dutch damages proceedings in trucks infringement

Short Reads - In its judgment of 12 May 2021, the Amsterdam District Court ruled that it has not been established that it is definitively excluded that the trucks infringement led to damage to the claimants. However, this does not alter the fact that it must still be assessed for each claimant whether the threshold for referral to the damages assessment procedure has been met. For this to be the case, it must be plausible that a claimant may have suffered damage as a result of the unlawful actions of the truck manufacturers. The Amsterdam District Court has not yet ruled on this issue.

Read more