This article is part of the FERMA/AIRMIC joint Brexit Newsletter which is designed to give risk professionals unique insight into Brexit related risks and mitigation strategies.
In view of the forthcoming Brexit decision in March 2019 and the recent entry into force of the General Data Protection Regulation (GDPR), Antoine Druetz & Nicolas Hamblenne of KOAN Law Firm in Brussels, shed light on the likely issues that (not-for-profit) organisations and other businesses may face in terms of data protection and transfers.
The current situation
At the time of writing this article, there are indeed several scenarios: New Deal / No Deal / No Brexit. Besides political considerations and while most requirements under the GDPR will most likely remain the same, there will be an impact on data transfers.
Currently – thanks to the harmonised approach of the GDPR on data transfers, there is a specific regime of free data flow within the European Economic Area (hereafter: “EEA”). This means that any legal entity located in the EEA can legally transfer personal data to another company located in another country of the EEA without any obstacle.
Any personal data transfer to a country located outside of the EEA (hereafter: “Third Country”) is in principle prohibited. In case of a Brexit, the UK will be considered as a “Third Country”. There is no need to explain the commercial disaster if personal data flows had to be stopped between the EU and the UK.
Data transfers exceptions
Fortunately, the GDPR foresees (i) some exceptions in order to allow such data transfers such as using Standard data protection clauses, Binding corporate rules, approved codes of conduct, approved certification mechanisms or (ii) limited derogations which allow for transfers in specific cases (such as transfers based on consent).
These exceptions and derogations are often burdensome from an operational/administrative (and often legal) point of view, especially for small businesses and not-for-profit organisations.
Aside from these limited exceptions and derogations, there is the possibility of an adequacy decision which basically consist of a list of countries deemed to have a data protection regime essentially equivalent to those in the EU (the so-called “white list”).
However, an adequacy decision usually takes months (if not years) and less than a dozen countries have received their golden pass so far. The decision lies also mainly with the European Data Protection Board (“EDBP”) and the European Data Protection Supervisor (“EDPS”) and not only the European Commission or Parliament.
Before any adequacy decision takes place, it is likely that a “status quo” situation remains for at least two years in terms of data transfers between the EU and the UK. No cast-iron timetable can however be pledged at this stage. The Withdrawal Agreement states that during this transition period, any reference to “Member States” in the EU data protection legislation should be understood as including the UK. On its side, the European Commission has indicated that it “will start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom’s withdrawal, endeavouring to adopt decisions by the end of 2020, if the applicable conditions are met” (Art 9 of the Political Declaration).
Recommendations
Despite the uncertainty surrounding Brexit and its potential impact on data protection, we recommend companies and not-for-profit organisations to continue their ongoing GDPR compliance programme. The GDPR is a very good standard for data protection and the global trend seems to follow this approach (see the recent legislations updates across the globe, e.g. in California, Brazil, etc.).
We also recommend to follow your Data Protection Officer’s advice and your (lead) national authority’s guidance (if any). You should also obviously keep an eye on the current negotiations and put in place contingency plans in case of a “No Deal” scenario (by considering, for example, alternative transfer mechanisms to maintain data flows).
Conclusion
Political chaos seems to be a global trend nowadays. However, companies and not-for-profit organisations require legal certainty in order to operate in an efficient manner. It remains to be seen how the EU and the UK will negotiate (or not) the new deal of the century, especially with regard data, being the “oil of the 21st century”. On our side, we stand ready.
The authors Antoine Druetz and Nicolas Hamblenne can be contacted using the following details.
Antoine Druetz – Partner
adr@koan.law
+32 2 566 90 00
Nicolas Hamblenne – Associate
nha@koan.law
+32 2 566 90 00
Read related articles from the FERMA-Airmic Brexit newsletter: