Brexit and Data Protection: Out Is Out
By Peter Schaar, Chairman, European Academy for Freedom of Information and Data Protection, Berlin
What the consequences of the the UK Brexit referendum are for data protection currently cannot be said conclusively. Considerable uncertainties remain until the end of the upcoming exit negotiations at least. Unless specific arrangements on data protection are made between the EU and the UK, the United Kingdom will be seen from the EU perspective as a regular third country like any other non-member state, such as Japan or South Africa.
At best, the country gets a status like Norway, which belongs to the European Economic Area and is thus largely obliged to apply EU law, without, however – as the EU member states – to have effective decision power and participation rights, in particular in the European Data Protection Board set up by the EU General Data Protection Regulation (GDPR).
I am sceptical that the UK Parliament will implement the GDPR completely by changing the British law by May 2018 when the GDPR starts to be applicable. This seems to be very unlikely, especially since the United Kingdom has already struggled with the adoption of the new EU privacy rules. For example the British Government “opted out” from Art. 48 of the GDPR, the so-called “NSA clause” that is to protect European citizens against third country government access to personal data. Nevertheless the provisions of Art. 48 would probably apply in future to the United Kingdom after the leave from the EU. The transmission of personal data to government authorities protected by the GDPR based on British court rulings or administrative orders will be legal then only within the framework of mutual legal assistance agreements between the UK and the EU or its member states. This is particularly important because the British Parliament has recently stepped up drastically the already strong surveillance powers of security agencies and its corresponding obligations of companies with the amended “Investigatory Powers Bill”. The “national security exemption” of article 4 TFEU will not longer be applicable for the UK. The practices of GCHQ and other government agencies will have to be taken into account even in the assessment of the EU Commission about a possible adequacy decision for the UK (see below).
It seems likely to me that the very requirements of the GDPR provisions on transfer of personal data to third countries (art. 44 and following) will apply in the future on the UK. Thereafter, any transfer of personal data will be permissible only if the data controller and the data processor comply with the conditions laid down in the GDPR. This also concerns the possible onward transfer of personal data to another third country or to an international organization. The GDPR allows the transmission on the basis of “adequacy decisions” of the European Union or other appropriate safeguards, in particular on the basis of standard contractual clauses or under a system of binding corporate rules(BCR).
The UK Information Commissioner (ICO) already pointed out that the United Kingdom continues to need clear and effective privacy laws, irrespective of the question of EU membership (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/04/statement-on-the-implications-of-brexit-for-data-protection/). If the British legislator follows this advice, the European Commission could make a decision under article 45 on the existence of an “adequate level of data protection” in the UK. However, such a finding is not supposed to run by itself and it would require negotioations and a thorough examination and assessment of the British data protection system. This could hardly be managed within the available two-year period for the implementation of the EU exit.
In the light of the above companies running business in the UK as well as public bodies of member states and EU institutions have to prepare for the situation that the transmission of personal data from the EU to the UK (including the hosting of personal data on the British soil) will be much more difficult in the future as it is today. This concerns in particular those companies with business processes which are based on combining personal data of various member states or using servers or switching centers located in the UK.
- Datenschutz-Brexit: out is out
Von Peter Schaar, Vorsitzender der Europäischen Akademie für Informationsfreiheit und Datenschutz Die Frage nach den Folgen des Brexit-Volksentscheid für den Datenschutz kann derzeit nicht abschließend beantwortet werden. Zumindest bis zum Ergebnis der anstehenden Austrittsverhandlungen bleiben erhebliche Unsicherheitsfaktoren. Sofern keine besonderen Vereinbarungen zum Datenschutz getroffen werden, wird Vereinigten Königreich ab dem...
- The New EU General Data Protection Regulation – A First Assessment
The results of the trilogue of the EU institutions (European Parliament, Commission and Council) on the data protection reform package is an important milestone on the way into the global information society. The General Data Protection Regulation (GDPR) will replace 28 different data protection laws of the Member States. The...
- 27.01.2016: EAID-Veranstaltung zu den Konsequenzen aus dem EuGH-Urteil zu Safe Harbor
Am Mittwoch, dem 27. Januar 2016, ab 18 Uhr (Vorabend des Europäischen Datenschutztags) führt die EAID in den Räumen der Europäischen Akademie Berlin (Grundewald), Bismarckallee 46/48, eine Vortrags- und Diskussionsveranstaltung Konsequenzen aus dem EuGH-Urteil vom 6. Oktober 2015 zu Safe Harbor durch. Wegen der beschränkten Platzzahl wird um Anmeldung per...
chris pounder | 30.06.2016
In the case of UK-European companies established in the UK and EU (controllers and processors), they can shift the centre of gravity of the processing decisions into the EU (see the establishment definition in Article 4(16)) and satisfy their GDPR requirements for transfers to the UK for the pr...