NEW ICO guidance on “Data protection if there’s no Brexit deal”
18 December 2018
With uncertainty about Brexit continuing to dominate the headlines, the Information Commissioner’s Office (“ICO”) has released some useful and practical guidance on key data protection issues if there is no Brexit deal.
The ICO’s new guidance on this topic was published last week and is titled “Data protection if there’s no Brexit deal”. This was followed shortly thereafter by a “technical note” from the Government. The ICO and the Government are adopting a practical and pragmatic approach, in stark contrast to some of the ideological posturing from the European Commission (“EC”) on data protection issues - although one hopes in the event of a “no deal” Brexit that the EC’s stance changes somewhat, at the very least allowing some form of grandfathering protection and/or transition periods.
Lewis Silkin shared its thoughts on “Brexit and GDPR: What should you do now about EU to UK transfers of personal data? (And other related issues)” on 28 November 2018. The new guidance reflects most of our thoughts, so we don’t repeat them here and rather focus on other aspects not covered by our earlier article before the new guidance was available.
Transfer from the UK to other countries
The ICO has provided further guidance on transfers from the UK to other countries (including to the EEA):
For data transfers to the EEA the ICO states:
“The UK government has stated that, on the UK’s exit from the EU, transfers of data from the UK to the EEA will be permitted. It says it will keep this under review.”
So in essence, for now at least, no action really needs to be taken with regards to data flows to the EEA. But, as discussed in our 28 November article, even for transfers within an adequacy “bubble” our strong advice is still that a data sharing agreement is put in place - although we understand that many companies across the EEA still choose not to document formally intra-EEA or adequacy decision country transfers.
Further, arguably, privacy notices should also be updated to explain that data is transferred from the UK to the EEA under a UK “adequacy decision” (in addition to describing any transfers to other countries – as should already be described).
For data transfers to other countries the ICO states:
“If your restricted transfer is not to the EEA, then you should already have considered how to comply with the GDPR. You will continue to be able to rely on the same mechanisms.”
In the future the Government will potentially make adequacy decisions about other third countries. An adequacy decision confirms that a particular country or territory (or a specified sector in a country or territory) or international organisation has an adequate data protection regime. This could be good news for many former Commonwealth countries with advanced data protection regimes (e.g. Australia and Singapore). One hopes also that the Government will take a pragmatic line in assessing adequacy, with less focus on ideological purity and more on equivalence - for example, whether the country complies with applicable international conventions (e.g. the Council of Europe’s Convention 108) and other similar international norms on data protection (e.g. the OECD’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data).
Crucially the new guidance further confirms that: “The UK government intends to recognise the EU adequacy decisions which have been made by the European Commission prior to the exit date.”
This will allow UK transfers to: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.
EU-Korean and EU-Japanese talks are ongoing, but it is likely that either the Government will simply recognise Korea’s and/or Japan’s data protection regimes itself or, once the EC does confirm adequacy, the Government will recognise those decisions.
In relation to the EU-US Privacy Shield (which is a form of adequacy decision) the ICO states: “The only exception is in relation to the EU adequacy decision for the EU/US Privacy Shield, as this is an EU/US specific arrangement. The UK government intends to make arrangements for its continued application to restricted transfers from the UK to the USA.” One hopes that this would take place before 29 March 2019 – indeed, it would need to do so, as many UK companies rely on Privacy Shield to transfer personal data to the US. The UK could simply follow the Swiss model in mirroring the EU-US Privacy Shield arrangements as an initial stopgap.
Other appropriate safeguards – standard contractual clauses
The ICO states that: “If there is no adequacy decision which covers your restricted transfer, you should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer. For most businesses, a convenient appropriate safeguard is the use of standard contractual clauses. The UK government intends to recognise European Commission-approved standard contractual clauses as providing an appropriate safeguard for restricted transfers from the UK”.
The technical note says that provision will be made so that the use of Standard Contractual Clauses (SCCs) that have previously been issued by the European Commission will continue to be an effective basis for international transfers in a no deal scenario. Existing SCCs will be valid and the Government will have the power to issue new clauses after Britain leaves.
This is good news and again one assumes that if and when the EC changes the standard contractual clauses that the Government will recognise them too.
The ICO also discusses the other standard safeguards and, most crucially, states that: “The UK government will recognise binding corporate rules authorised under the EU process before the exit date as ensuring appropriate safeguards for transfers from the UK.” The technical note confirms this and further confirms that the ICO will continue to be able to authorise new BCRs following Britain’s exit (and at some point in the future the EC might of course also recognise the power of the ICO to authorise EEA-wide BCRs).
Transfers from the EEA to the UK
The ICO guidance broadly reflects our 28 November article so we don’t repeat it here, save that it recommends (1) taking stock, (2) focusing on EEA to UK transfers and (3) if necessary ensuring adequate safeguards are in place (stating as one example, “Often a relatively simple way to provide an appropriate safeguard for a restricted transfer is to enter into standard contractual clauses between the sender and receiver of personal data”).
We mentioned in our 28 November article a potentially “exploitable chink” based around the ICO’s paper on extra-EEA transfers. The ICO guidance states that: “The European Data Protection Board (EDPB) are still finalising detailed guidance on this area and we advise that you take a broad interpretation of a restricted transfer, which is that you are receiving a restricted transfer if you are a controller or processor located in the UK and an EEA located controller or processor sends you personal data.” So for now the exploitable chink is perhaps something to revisit after the EDPB has released its guidance on international transfers.
European Representatives (and UK Representatives?)
The ICO also recommends that if you are a UK based controller or processor without any offices, branches or other establishment in the EEA and you offer goods or services or monitor the behaviour of individuals in the EEA, you need to consider your Article 27 obligations to appoint an EU Representative (i.e. a contact point for EU data subjects).
This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing in this way are located. Privacy notices will need to be updated.
The technical note states that the government intends to replicate the provisions of Article 27 of the GDPR to require controllers based outside the UK to appoint a representative within the UK.
There are multiple companies offering to be representatives across the EEA and the UK.
The next steps are as set out in our 28 November article. There is no need to panic, and none of these issues are insurmountable. Indeed, through the ICO and Government’s pragmatism, a lot of businesses will only have to make tweaks to their current data processing mechanisms even if we do end up with a “no deal” Brexit.
The UK left the EU at 11pm (UK time) on 31 January 2020. The EU Parliament officially approved the terms of the revised deal negotiated by the Johnson Government, and the UK Parliament has finally passed the legislation needed to implement it in the UK. This provides more certainty for UK businesses, although trade talks will now need to decide the shape of the ongoing future relationship between the UK and the EU.