Out-Law News | 15 Feb 2019 | 10:38 am | 4 min. read
The European Data Protection Board (EDPB) set out the guidance as part of a five-step plan for organisations to ensure compliance with EU data protection laws when accounting for a potential 'no deal' Brexit.
"When transferring data to the UK, you should: identify what processing activities will imply a personal data transfer to the UK; determine the appropriate data transfer instrument for your situation; implement the chosen data transfer instrument to be ready for 30 March 2019; indicate in your internal documentation that transfers will be made to the UK; update your privacy notice accordingly to inform individuals," the EDPB said in an information note published earlier this week.
Currently, data can flow freely to the UK as it is a member of the EU and subject to the General Data Protection Regulation (GDPR).
The GDPR places restrictions on the transfer of personal data outside the EEA. Businesses are prohibited from transferring personal data to non-EEA countries unless they have in place one of a number of safeguards to ensure EU data is adequately protected when processed in those 'third' countries. In a 'no deal' Brexit, that will include where personal data is transferred to the UK.
In its note, the EDPB highlighted that European Commission-endorsed standard contract clauses (SCCs) are "a ready-to-use instrument" for businesses planning data transfers to implement. Earlier this month, Ireland's Data Protection Commission said SCCs were "likely to be relevant to most Irish businesses that transfer personal data to the UK" in a 'no deal' Brexit scenario.
SCCs, also known as model clauses, were developed by the European Commission for use in cross-border contracts. They create a contractual framework for how personal data should be handled when transferred outside of the EU to 'third countries'. The Commission has previously issued decisions that endorse model clauses as tools providing for adequate protection of personal data when used for data transfers, as is required by EU data protection law. The use of model clauses has therefore become widespread among international businesses, many of which rely on them to demonstrate compliance.
Other legal mechanisms for underpinning EU-UK data transfers post-Brexit may be more difficult to put in place given the time left before Brexit is scheduled to take effect, according to the EDPB's note.
The EDPB said that while businesses planning data transfers can modify or add to SCCs to "provide appropriate safeguards" particular to their own situation, the "tailored" clauses must be authorised for use by organisations' local data protection authority, following an opinion of the EDPB.
Similarly, 'binding corporate rules' (BCRs), which corporate groups can commit to in order to facilitate intra-group data transfers outside of the EEA, need to be approved by the relevant national DPA, following an EDPB opinion.
Some of the other tools for underpinning data transfers, provided for in the GDPR, are not available to use yet.
Under the GDPR it is open to industry bodies to develop codes of conduct or establish certification schemes that set "binding and enforceable" standards on data transfers and allow organisations that sign up to the code or certify against the scheme to demonstrate their compliance with the requirements around data transfers set out in the Regulation. However, to date, no such codes or certification mechanisms have been developed for data transfers.
The EDPB said it is "working on guidelines in order to give more explanations on the harmonised conditions and procedure for using these tools".
Derogations apply to the GDPR's main rules on data transfers. The EDPB said EU businesses may be able to turn to the derogations as a basis for transferring personal data to the UK in the event of a 'no deal' Brexit. However, the derogations "must … be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive", it said.
One of the listed derogations is where businesses obtain the explicit consent of data subjects to carry out the transfer of their data, having explained the possible risks of the arrangement. Others include where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject; where the transfer is necessary for important reasons of public interest; where it is necessary to protect the vital interests of individuals and the data subject is physically or legally incapable of giving consent; and where it is necessary for the establishment, exercise or defence of legal claims.
Where none of the listed derogations apply, data transfers that are not repetitive and are limited in volume may still be permitted where the transfer is necessary "for the purposes of compelling legitimate interests" the business is pursuing, so long as those interests are not overridden by the interests or rights and freedoms of the data subject and "suitable safeguards" are provided for. In that case the data controller will also be required to inform its supervisory authority, whether the ICO or another relevant local supervisory authority.
"The issue remains for processor transfers – the requirements of the GDPR in relation to external transfers are not limited to those made by a controller," data protection law expert Claire Edwards of Pinsent Masons, the law firm behind Out-Law.com, said. "Processors also are subject to the strict international transfer requirements."
"Currently there are no approved model clauses, or other approved tools, except where a company already has an approved processor BCR, which permits a processor to transfer outside of the EEA, or following Brexit, the UK. Response from various supervisory authorities and the European Commission on this point has not provided any clarity in terms of what mechanism could be used, and when an appropriate set of standard model clauses which permits such transfer will be available," she said.
The EDPB has previously issued guidance to help businesses understand how the derogations may be relied upon in practice.
The UK government has said that, in a 'no deal' Brexit scenario, data flows from the UK to the EU will not be disrupted.