On Tuesday 9 January, the European Commission published a Notice To Stakeholders about the potential implications of Brexit for EU data protection law. This is the first time that the EU has made a statement on the adequacy decision and what the alternatives might be for the UK.
In response, Stewart Room (data protection lead partner at PwC) has moved to reassure UK organisations that, even if this adequacy decision isn’t given, there are plenty of other opportunities open to them.
“The Notice To Stakeholders confirms that, after Brexit, the UK will become a ‘third country’ for the purposes of EU law, which will potentially impact personal data exports from the EU to the UK,” stated Room. “It also confirms that, as a third country, the UK’s ‘adequacy’ for EU data protection law purposes is a matter for decision by the European Commission, rather than a status that occurs automatically.”
Room continued: “However, it does provide considerable comfort around the fact that data exports need not be unnecessarily interrupted if an adequacy decision isn’t granted, because the law contains a series of other mechanisms for organisations to rely upon to keep data flowing. These other options may not be as ‘frictionless’ as an adequacy decision, but many organisations in the UK will be very familiar with how they work, because they use them already to transfer personal data from the UK to other third countries. These include consent and contractual necessity using European model clauses or Binding Corporate Rules.”
The Commission’s Notice To Stakeholders also stresses that the General Data Protection Regulation (GDPR) has been designed to reduce the legal and administrative burden of using these other mechanisms. This is something that Room believes UK data importers and exporters alike will welcome.
“While an adequacy decision isn’t an automatic right, the UK Government has already confirmed that it will seek one and there are substantial reasons to be optimistic that a positive outcome will be achieved. This is because the totality of the data protection legal framework needs to be considered by the decision-takers in the UK. In this sense, the UK already exceeds the quality of data protection in some areas in comparison with other EU Member States.”
Considerations in the UK’s favour
Key considerations in the UK’s favour include the following:
*At the date of Brexit, the UK’s legislative framework will be on a par with Europe’s as the GDPR will be in effect and because the UK is committed to continuing the GDPR’s principles after Brexit by way of the Data Protection Bill that’s currently progressing through Parliament
*The UK has one of the world’s best resourced and most influential national data protection regulators in the Information Commissioner’s Office (ICO). The volume of the ICO’s activities over the past ten years, in both the advisory and enforcement fields, far surpasses those of many other EU regulators
*There’s already a healthy data protection litigation culture in the UK, which the courts have supported in a series of landmark cases, in turn demonstrating that the judicial system provides effective recourse to those who feel their rights have been infringed
*The wider sectoral and professional rules on data protection and in related areas, such as cyber security, knit together to provide another comprehensive layer of protection for fundamental rights and freedoms
UK versus other EU Member States
“On a compare-and-contrast basis,” continued Room, “the UK appears to be performing as well as, or better than, other EU Member States. The UK also compares favourably with third countries that have already obtained adequacy decisions, such as Canada and the United States (which has a de facto bespoke adequacy decision in its favour within the Privacy Shield).”
Room added: “There are areas of complexity, such as national security, but in an operational sense the differences between the UK and the rest of Europe may not be as great as perceived. It’s important to remember that the GDPR excludes the activities of the intelligence services from regulation, whereas the UK Data Protection Bill brings them into scope. However, if this area remains contentious, it will be open to the European Commission to make a partial adequacy decision in the UK’s favour to cover all other areas, and commercial and social activities in particular.”
For multinational companies and well-resourced organisations, Room believes the absence of an adequacy decision shouldn’t present any insurmountable barriers to continued international data flows and, in comparison to the adjustments that they’ve to make to bring the GDPR into effect, the additional administrative burdens involved may be relatively small.
“SMEs, not-for-profits and smaller public authorities may require more support to adjust to a world without an adequacy decision in the UK’s favour, but the publication of free guidance and template documentation by the regulator, professional and membership organisations and the data protection community itself will go a long way towards mitigating their challenges.”
In conclusion, Room stated: “All organisations should consider their strategy for ensuring that international data flows can continue, whether the adequacy decision is granted or not. It’s important to understand the extent to which data is transferred around the world and how that may be impacted by Brexit changes.”