In the news this autumn is the government’s guidance on Brexit planning. Data protection was not in the first guidance to be published, but that does not mean that there are no issues that need to be addressed.
The timing for sorting out dataflows between the UK and the EU is right now. As this article shows, solutions need to be identified and implemented by the end of 2018 to allow time for data subject information (Privacy Notices) to be updated and published in the first quarter of 2019. Remember that, in a supply chain, clients and subcontractors will have to amend the wording of their Privacy Notices too to reflect the fact that the UK will be outside of the EU from the end of March 2019.
Appointing a representative
Regardless of whether Brexit is hard or soft, there will be a need for Appointed Representatives in some cases. The provision (Article 27) looks like this:
In certain cases organisations located outside the Union that process personal data of data subjects who are in the Union must designate a representative in each member state where the data subjects are located.
This applies where the organisation located outside the Union is either:
(a) offering goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) monitoring their behaviour as far as their behaviour takes place within the Union.
So, an online business selling across the EU will be required to designate a representative in each member state. A business that sells to French consumers will require an appointed representative in France.
There is a saving provision: no appointed representative is required if:
- the processing is occasional,
- does not include large-scale processing of special category data or data on criminal convictions and offences, and
- is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
If a representative is required, the appointment must be in writing, authorising that person/company to “be addressed” either in addition to or in place of the controller/processor. Communication will come from supervisory authorities and data subjects on all issues related to personal data processing and for the purposes of ensuring compliance with GDPR.
If your organisation has decided that a designated Data Protection Officer is required, I think that indicates that your data processing activities represent a certain level of risk, and it may be difficult to argue that the saving provision applies in that case.
Note that the UK disapplied Article 27 in the Data Protection Act 2018, so there is no equivalent requirement for controllers in the EU to appoint a representative if they process personal data relating to UK citizens.
Hard and soft Brexit
After Brexit the UK will be a “third country” for the purposes of data transfers from within the EU. Personal data only flows freely within the EU and between the EU and third countries that have an “adequacy finding” (where the European Commission has found that certain countries outside the EEA have “adequate” controls for personal data relating to EU citizens, such as Jersey, Switzerland, New Zealand and the US Privacy Shield scheme).
A hard Brexit is one without agreements with the EU. It seems safe to say that this will include no agreement on adequacy. Even if there is agreement, we would need a bespoke solution, as an adequacy decision can only be taken after the UK leaves the EU. If the UK does not have a bespoke agreement on adequacy, then all dataflows from the EU will cease unless we can show other safeguards.
The potential impact of this is serious, as it will stop organisations based in the UK from holding or accessing data relating to EU citizens unless steps are taken now to legitimise transfers of personal data after the end of March 2019. The ICO has indicated that it will regard transfers of personal data from the UK to the EU as meeting adequacy standards, as GDPR is in place across the EU, but it will be keeping this under review.
Options depend on how personal data on EU citizens is collected, as well as on the corporate structure of the controller’s group. If personal data is collected directly from data subjects, then a consent clause would be an option. If it is provided indirectly, then adopting the EU model clauses (controller/controller or controller/processor, as appropriate) is a good solution. If there are other companies in the group that have an establishment in the EU, then routing data collection through an EU company could be another option.
There is a need for Brexit planning; don’t leave it too late to address these very real issues. Solutions are there, but they may take time to put in place. Allow an extra month or two for making changes to Privacy Notices, which means you need to have your Brexit solutions in place by the end of 2018.
Update on Brexit
In November 2018 it was announced that a Brexit agreement had been finalised for both sides to consider. Reports are (I have not read the document myself) that the agreement provides for international data transfers between the UK and the EU to continue throughout the transitional period. Presumably alternative arrangements, such as an Adequacy Decision, can be pursued during the transitional phase, once the UK has left the EU. The agreement, if adopted, would therefore allow more time for a solution to be found to the fact that the UK will be a “third country” after Brexit and not automatically deemed to provide “adequate” protection for EU citizens’ personal data.