BREXIT – Future of Data Transfers to the United Kingdom

Bernd Schmidt General Data Protection Regulation, International Data Protection Leave a Comment

It was a serious shock when the British people voted for Britain to leave the European Union (EU). The consequences will be massive and also affect data protection law. When the common legal framework of the EU member states no longer spans the United Kingdom, there will be a need for justifying data transfers across the English Channel. Currently the legal justifications are laid down in the EU Data Protection Directive (DPD) and the respective implementations into the member states’ national data protection laws. On 25 May 2018, the member states’ data protection laws and DPD will be replaced by the General Data Protection Regulation (GDPR). Both DPD and GDPR differentiate between data transfers within the European Economic Community (EEC) and other countries outside the EEC and favour data transfers within the EEC. Leaving the EU may be the end for such privileged data transfers to the United Kingdom.

1. Data Transfers within the EEC

Data transfers require a justification under data protection law. Whether or not data exporter and data recipients are located in the same or in different member states is irrelevant under data protection law – DPD and GDPR consider the EEC member states per se as providing adequate data protection safeguards.
The same applies to assigning data processing to data processors located within the EEC as compared to data processors located outside the EEC. Currently, Section 11 German Data Protection Act (BDSG) considers data processors located in EEC member states as a part of the data controller. As a consequence of this so-called “privileged” data processing, the requirements for justifying such assignments are substantially lower compared to assignments of data processors in third countries. This will not change significantly under the GDPR.

Today, such privileges for data transfers apply inter alia with regard to data processors in the United Kingdom and data controllers in other member states. When the UK leaves the EU and supposedly the EEC, these privileges will no longer be automatically in place. In such case, data controllers in the EEC would need to implement alternative means to ensure adequate data protection guarantees for data recipients in Great Britain.

2. Data Transfers to the UK based on an Adequacy Decision

For countries outside the EEC (third countries), DPD and GDPR assume there are no sufficient data protection guarantees in place. Countries outside the EEC are considered prima facie as “unsecure third countries”. For unsecure third countries, the EU Commission may assess whether in fact there are adequate data protection guarantees in place and make a respective ruling under Art. 25 DPD [PDF] and in the future under Art. 45(1) GDPR (adequacy decision). The EU Commission’s adequacy decisions are legally binding, but may be challenged in the courts as any act of public authorities and ultimately be overruled by the European Court of Justice (ECJ). The ECJ has recently overruled the Safe Harbor adequacy decision for data transfers to the USA (see our blog articles as of 6 October 2015 and 12 February 2016).

Currently, there are adequacy decisions in place for Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. For the USA, there is an adequacy decision for data recipients under the EU-US Privacy Shield; see our blog article as of 12 February 2016 concerning the draft).

When the United Kingdom leaves the EU, it would as a starting point need to be considered an unsecure third country. However, the United Kingdom would likely either remain in the EEC and get a status such as Norway or that in the course of exit negotiations with the EU, an adequacy decision would be taken by the EU Commission, putting Great Britain in a position such as that of Switzerland today. Such adequacy decision would appear reasonably justified where Great Britain would keep in force its data protection act [PDF] based on the DPD.

In such case, we would almost be back to the current status quo – almost. As a consequence of the ECJ safe harbour ruling, national data protection authorities have the obligation to assess individually and independent from an adequacy decision whether or not a data transfer is justified and the data recipient provides for adequate data protection safeguards. For this assessment, data protection authorities would also consider access of public authorities to personal data e.g. in the context of criminal investigations or anti-terror activities.

In this course also data transfers to Great Britain could ultimately be brought before the ECJ for review similar to the Safe Harbor Ruling. The ECJs ruling in such case is hard to predict in light of the existing cooperation between US and British authorities.

3. Data Transfers to the UK as an Unsecure Third Country

In case exit negotiations should not establish a status of the UK as secure third county or the UK would lose such status, there would be a requirement for justifying data transfers based on the so called two-step test.

On the first step, data controllers based in the EEC would need to establish a justification as for any other data recipient located in the EEC or a secure third country. In addition, they would need to establish the second-step justification, compensating for the lack of adequate data protection at the data recipients’ end.

The means of choice for the second step would depend on the individual circumstances of the data transfer. In any event, implementing the EU Commission’s standard contractual clauses would be possible and establish adequate data protection standards without the requirement of approval by the data protection authority.

For intra-group data transfers, implementing so-called binding corporate rules may also be suggested (see Art. 47 GDPR). Binding corporate rules would, however, need to be approved by the data protection authority in order to constitute a sufficient second-step justification.

4. Conclusion

The Brexit will have severe impact on the foundations of economic cooperation with the United Kingdom and provide relevant challenges for affected companies. One of many tasks would be to establish a concept for data transfers to the United Kingdom that is compliant with data protection requirements. The challenges in detail will depend on the coming exit negotiations. Affected companies should have the possible scenarios in mind and prepare for the associated challenges.

Principles, Consent and Statutory Justifications – GDPR Series, Part 3

Bernd Schmidt General Data Protection Regulation Leave a Comment

The General Data Protection Regulation (GDPR) is a milestone in the development of data protection law that may not be overestimated in its relevance. The GDPR implements various changes as compared to the current situation. German and other companies should prepare for these changes entering into force May 2018.

1. Principles for Processing Personal Data

Art. 5 GDPR stipulates the below principles for processing personal data:

  • lawful and fair data processing
  • transparent data processing
  • data processing for specified, explicit and legitimate purposes
  • data minimisation
  • accuracy of data processing
  • storage limitation
  • integrity and confidentiality of data processing
  • accountability

These principles have largely been in place under the regulation’s predecessor, Art. 6 Data Protection Directive (DPD), and have been of relevance to interpretation of the German Data Protection Act (BDSG) even though they were not directly implemented in the wording of the BDSG. The principles of Art. 5 GDPR in particular turn relevant for interpreting justifications for processing personal data contained in the GDPR and other statutes. They also limit and define the member states’ competence to complement the GDPR with domestic legal instruments as provided for in various GDPR opening clauses.

Companies shall understand these principles as general principles for tailoring their data protection organisation without a need for direct implementation or a direct requirement to base any particular assessment on these principles. Assessment of particular data handling shall rather be carried out by applying statutory justifications e.g. in Art. 6 GDPR.

2. Justifications

Both DPD and GDPR consider data processing as illegal unless there is a specific justification in place (see Recital 40 GDPR). Art. 6(1) GDPR contains a number of justifications for processing personal data, Art. 9(2) GDPR for processing special categories of personal data (not subject to this article) and chapter IX for processing personal data in special processing situations.

3. Consent

Under Art. 6(1)(a) GDPR, the data subject’s consent is a valid justification for processing personal data. Also under Art. 7(a) DPD and Section 4(1) BDSG, data subjects’ consent is considered as a justification for data processing. Detailed requirements regarding the declaration of consent follow from Art. 7 GDPR and Recitals 32, 42 and 43 GDPR. In addition, there are more specific requirements for collecting a declaration of consent from children in the context of information society services.

Under the GDPR, as under the current legal framework, a declaration of consent must be freely given, based on an informed decision of the concerned person and made in a clear manner (see Recital 32 GDPR). Differing from today’s requirements under Section 4a(1) Sentence 3 BDSG, under the GDPR a declaration of consent must not generally be made in writing. Rather, written, oral, electronic and other ways to express a declaration of consent are considered equal (see Recital 32 GDPR). Also implicit declarations of consent will therefore be legally valid where provided by the data subject in an active manner. Remaining silent – or in an online context – pre-checked boxes are no active expression of consent under Art. 8 GDPR and hence no declaration of consent.

The data controller has the burden of proof in regard to the requirements of a valid declaration of consent according to Art. 7 (1) GDPR. From a data controller’s perspective, it would therefore be prudent to collect declarations of consent in written or electronic form and retain it at least for the duration of the processing. Art. 7 GDPR expressively states that a data subject may revoke a declaration of consent at any time with effect for the future. This is in line with the current understanding of Section 4a (1) BDSG. Accordingly, a data controller is bound by an obligation to design any consent-based data processing in a manner that enables execution of individually revoked declarations of consent.

Under Art. 8(1) GDPR, children may provide a valid declaration of consent in the context of information society services from the age of 16. A declaration of consent expressed by children under the age of 16 becomes valid upon the parent’s confirmation. According to Art. 4 No. 25 GDPR and Directive (EU) 2015/1535 on procedures for the provision of information in the field of technical regulations and of rules on information society services, information society services are typically provided in return for money in the context of distance distribution, such as in app purchases and other (mobile) value added services.

4. General Statutory Justifications

The GDPR contains general statutory justifications for processing personal data in Art. 6(1)(b)-(f) GDPR. Under these rules, personal data may be processed if necessary for the purposes listed below:

  • performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract – Art. 6(1)(b) GDPR,
  • compliance with a legal obligation – Art. 6(1)(c) GDPR,
  • protecting the vital interests of the data subject or of another natural person – Art. 6(1)(d) GDPR,
  • performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art. 6(1)(e) GDPR,
  • legitimate interests pursued by the controller or by a third party – Art. 6(1)(f) GDPR.

These statutory justifications are at large similar to their predecessors in Art. 7(b)-(f) DPD and Section 28 BDSG. For affected companies, particularly relevant are the justification to process personal data for the performance of contractual obligations and to pursue legitimate interests as currently covered by Section 28(1) No. 2 BDSG and Section 28(1) No. 2 BDSG. Similar justifications will also be in place under the GDPR.

In order to justify data processing for the performance of contractual obligations under Art. 6(1)(b) GDPR, the data controller must check and ensure that such data processing is in fact required for the performance of contractual obligations. The extent to which data processing is permitted is in the first place defined by the scope of contractual obligations as agreed by the parties.

Processing personal data under the legitimate interest justification of Art. 6(1)(f) GDPR requires justified interests of the data controller that outweigh the data subjects opposed interests, i.e. a balancing of interest test. When carrying out such balancing of interest, the data controller must in particular consider the data subjects’ fundamental rights and freedoms. Art. 6(1)(f) GDPR now explicitly states that when processing children’s personal data under a legitimate interest justification, one must particularly consider their specific interests.

In order to assess the scope of justified data processing under the legitimate interest justification of Art. 6(1)(f) GDPR, it appears prudent to apply the principles developed under the predecessor rule of Section 28 (1) No. 2 BDSG mutatis mutandis. In addition, Recital 47 GDPR contains further guidance for an appropriate connection between data controller and data subject and the foreseeability of data processing that turns relevant when establishing the legitimate interest justification. Where such appropriate connection is in place, e.g. in a sales and purchase of goods relationship, common data processing will be rather easy to justify. However, as today under the BDSG, also under the GDPR, justifying data processing under legitimate interests will always depend on assessing the circumstances of the individual case.

5. Special Processing Situations

Chapter IX GDPR contains statutory justifications and the permission for Member States to implement individual justifications for special processing situations. Member States may in particular “reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.” In other words, member states may implement justifications for data processing for such purposes.

Principles and rules governing the freedom of expression, press publications and scientific research as in place at a member state regulatory level will therefore continue to establish data protection justifications in certain cases. Art. 86 GDPR provides for a similar rule in regard to the right to information about public authorities’ activities which namely may turn relevant for the German Federal Freedom of Information Act (IFG) [PDF] and the German States’ Freedom of Information Acts. These laws will continue to provide for data protection justifications in particular cases.

Art. 88 GDPR establishes employment data protection law at the EU regulatory level by giving the member states authority to implement respective data protection rules. Art. 88 GDPR may trigger a new discussion about implementing employment data protection rules in Germany. So far, there have been a number of draft laws and legislative initiatives – the only result being the minimalistic and “temporary” provision in Section 32 BDSG.

Processing personal data for archival purposes, scientific and historic research is under Art. 89(1) GDPR in principle subject to the GDPR. Under Art. 89(2) GDPR, the Member States may, however, implement additional legal provisions. As currently the case, also under the GDPR, the German Federal Archive Act (Bundesarchivgesetz) and the German States’ Archive Acts may therefore restrict data protection rights and provide for data protection justifications.

The church data protection acts, namely the Church Act on Data Protection of the Protestant Church and the Regulation on Church Data Protection of the Catholic Church will be applicable under Section 91 GDPR. Currently, there is a respective Setup under Art. 140 German Constitution (Grundgesetz) in connection with Art. 137 of the German Constitution of 1919 (Weimarer Reichsverfassung). However, under Section 91 GDPR, the church data protection acts apply only to the extent that they are in line with the principles of the GDPR.

6. Conclusion

The GDPR further develops German and European data protection law in particular on the basis of the DPD. This also holds true for the principles for processing personal data and data protection justifications that are subject of this article. Companies do not have to completely change their data processing procedures under the GDPR. Where data processing is in line with current data processing requirements, at large the requirements under the GDPR are likely to be fulfilled as well. In any case, it is advisable to carefully assess deviating legal requirements and to implement respective measures in preparation for the GDPR.

Other parts of this series:

Part 1: EU Data Protection Regulation – New Series

Part 2: Fines, Penalties and Damages for Data Protection Infringements

Part 4: Commissioned Data Processing and International Data Transfer

Fines, Penalties and Damages for Data Protection Violations – GDPR Series, Part 2

Bernd Schmidt Data Protection Sanctions, General Data Protection Regulation Leave a Comment

The European Parliament has most recently adopted the General Data Protection Regulation (GDPR). Part of this new data protection framework are dramatically increased sanctions for violations of data protection law. When the GDPR enters into force, the blunt sword for enforcing data protection requirements will suddenly turn razor sharp. Companies must then be prepared for fines amounting to millions of Euros.Read More

Data Protection in Forest and Meadow – Legal Requirements for Operating Camera Traps

Bernd Schmidt CCTV, Privacy Specials Leave a Comment

Digital progress does not stop for hunters. Technical equipment, such as digital camera traps are today part of standard hunting equipment. They are used for observing wild stocks and are typically deployed in areas that are not accessible to the public. Regardless, they are in the data protection authorities focus. Hunters should be aware of applicable data protection requirements.Read More

New Consumer Protection Organisations’ Cease and Desist Claims for Data Protection Infringements

Bernd Schmidt Data Protection Sanctions, Privacy Specials Leave a Comment

Data protection is consumer protection law – infringements may result in consumer protection organisations‘ claims for case and desist. While the requirements for a consumer protecting effect of data protection law has long been subject to debate, the legislator has now implemented a new Section 2 (2) No. 11 into the German Cease and Desist Claims Act (Unterlassungsklagen Gesetz – UklaG). Section 2 (2) No. 11 UKlaG now establishes the consumer protection effect of data protection law and brings new claims for consumer protection organisations. Any company is well advised addressing these new compliance risks.Read More

Boss is Watching! New Data Protection Authorities’ Guidance on E-Mail and Internet Use at Work

Bernd Schmidt Employee Data Protection, Telemedia Leave a Comment

E-Mail and internet at work primarily serve the company’s business purposes. However, in many cases, employers allow or tolerate private use of company e-mailing or internet systems. This may result in severe restrictions for the company’s access to data stored in such systems. Companies are well advised to implement clear rules on (private) use in order to prevent undesired consequences.Read More

From Safe Harbor to EU-US-Privacy-Shield – Future of International Data Transfers

Bernd Schmidt International Data Protection Leave a Comment

The ECJ Safe Harbor Ruling anuls the EU Commissions Safe Harbor Decision and puts the future of transatlantic data transfers at stake. A new approach for data transfers between EU and USA shall bring the solution: The EU-US-Privacy-Shield. Whether or not this will be successful is to the same degree uncertain as the legitimacy of international data transfers from the EU to other third contries.

1.    The Safe Harbor Ruling

My Colleague Bernhard Freund has discussed the key aspects of the Safe Harbor Ruling. Aim of this article (without the claim of giving the comprehensive picture) is to pick up loose ends from his discussion.
The Safe Harbor Ruling has the direct consequence that a justification of transatlantic data transfers ceases to exist and creates a large number of open questions and obstacles for other international data transfers that are far from being solved.

The EU Commissions [PDF] immediate and later the German [PDF in German] governments reaction to the Safe Harbor Ruling may be summarised as “transatlantic data transfers have always been possible and will somehow be possible in the future regardless”. Accordingly, they suggest using EU Standard Contractual Clauses instead of the Safe Harbor justification. The German Data Protection Authorities’ views are more nuanced and differ between the individual Data Protection Authorities.

The Bavarian Data Protection Authority and the Hamburg Data Protection Authority [PDF in German] take the view that data transfers to the USA are possible on the Basis of EU Standard Contractual Clauses while the Data Protection Authorities of Hessen and Schleswig-Holstein see also the legitimacy of EU Standard Contractual Clauses at stake. The Rheinland-Pfalz Data Protection Authority even assumes that data transfers to the USA would with immediate effect require the Data Protection Authorities’ prior approval [PDF in German].

2.    What’s Next?

The EU-US-Privacy-Shield is now supposed to provide the final solution for these obstacles. The EU-US-Privacy-Shield approach is, however, rather uncertain. As of today, there is a mere EU Commission’s press statement, suggesting a mutual political agreement between EU Commission and US Government Representatives on protecting personal data of EU citizens in the USA.

The EU Commission’s expectations are rather high and suggesting the EU-US-Privacy-Shield would provide extensive protection for EU citizens fundamental rights (in particular with respect to their privacy rights) when their personal data are transferred to the USA. Also, the EU-US-Privacy-Shield shall bring legal certainty for affected companies. Both shall be accomplished by:

  • strong obligations on companies handling Europeans’ personal data and robust enforcement,
  • clear safeguards and transparency obligations on U.S. government access, and
  • effective protection of EU citizens’ rights with several redress possibilities.

The USA are now supposed to implement these safeguards into their national regulations while the EU Commission prepares a new adequacy decision in cooperation with the Art. 29 Group and the Member States’ representatives. This process shall be accomplished within three months.

3.    Legal Risks Remain

The aim of the EU-US-Privacy-Shield is providing ultimate legal certainty. Whether this will be achieved remains to be seen as the ECJ’s requirements are rather high. The USA must no less then change the practice of data analysis in the interest of national security, public interest and for executing US laws. Instead of storing and analysing EU citizens personal data without further requirements by US agencies, the USA must now implement statutory justifications considering the principle of necessity and proportionality according to European standards.

It is rather unlikely that the EU-US-Privacy-Shield will last if the USA don’t meet these high standards, because the ECJ has empowered and obliged European Data Protection Authorities to assess these requirements in each individual case and independent from any EU Commissions adequacy decision. Should they come to the conclusion, these standards are not fulfilled they must bring action to the national courts ultimately taking the issue to the ECJ. Recital 57 and 65 of the Safe Harbor Ruling state:

„Thus, even if the Commission has adopted a decision pursuant to Article 25 (6) of that directive, the national supervisory authorities […] must be able to examine, with complete independence, whether the transfer of that data complies with the requirements laid down by the directive […] where the national supervisory authority considers that the objections advanced by the person who has lodged with it a claim concerning the protection of his rights and freedoms in regard to the processing of his personal data are well founded, that authority must […] be able to engage in legal proceedings. It is incumbent upon the national legislature to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national courts in order for them, if they share its doubts as to the validity of the Commission decision, to make a reference for a preliminary ruling for the purpose of examination of the decision’s validity.”

Accordingly, whether or not the EU-US-Privacy-Shield in fact fulfils the high expectation to bring legal certainty remains open.

4.    Effects for other International Data Transfers

Following the Safe Harbor Rulings, the Data Protection Authorities would be required to assess also the legitimacy of data international data transfers on the basis of other justifications, e.g. the EU Standard Contractual Clauses in the individual case and independent from any EU Commission’s ruling. Ultimately, they would also be required to bring such data transfers to the courts for review where they have doubts regarding its legitimacy. Where the German Data Protection Authorities confirm the validity of the EU Standard Contractual Clauses for transatlantic data transfers, this is to be supported in the interest of affected companies. It is, however, far from certain this will be their final approach.

Not enough. The USA are by far not the only country being considered unsecure in respect to its data protection regulation for the reason of extensive government agencies’ permissions for acquiring and analysing personal data in the interest of national security- and other public- or governmental interests. This leads to the question of whether or not we may just be at the beginning of a new approach for assessing legal requirements for international data transfers. It may well be possible there will be a new distinction required. In addition to distinguishing secure and unsecure third countries, there may be countries that have so little data protection standards that would under no circumstances permit for transferring personal data there.

It is rather unlikely that respective candidates, such as Russia, China or North Korea would agree to comply with European data protection standards when storing and processing EU citizens’ personal data.

5.    Open Issues

Affected companies shall carefully monitor developments in the legal framework for international data transfers and adopt their legal and risk management strategies accordingly. In order to do so, it is advisable to analyse international data flows and assess whether potentially critical data flows may technically or legally be adjusted in case need be. This includes assessing for commissioned data processing whether fully encrypted processing is possible and whether the provider may be replaced without negative impact for the company.

On short term, it is expected that (German) Data Protection Authorities would focus their supervisory activities to EU-US data transfers. Accordingly, this should be the starting point for any international data flow analysis throughout the process the analysis shall then be extended to other countries following a risk evaluation.

Cookie-Banner – Legally Unnecessary Online Annoyance?

Bernd Schmidt General Data Protection Regulation Leave a Comment

They increasingly appear on websites – Information Banner containing this or similar wording: “This website deploys cookies – in case you continue using this website, you consent to deploying cookies on your browser.” Typically, there would be an additional link to a cookie policy containing more information on deployed cookies. This is not really of interest to any user. It is therefore surprising that most website operators are under no obligation to provide cookie banner or cookie policies under German law.Read More

Copying ID cards is prohibited? That depends…

Bernhard Freund Privacy Specials 1 Comment

Scanning and copying of ID cards is a widespread practice in the German business sector. Copies of ID cards are required as proof of identity, taken to the file or scanned (e. g. by online services, credit agencies, logistics companies, fitness studios). Does this practice violate data protection law or the often claimed “ban” on copying ID cards? In short: In many cases it is – but not always. Read More

Morphing in POV-Ray

Bernhard Freund Various Leave a Comment

A few days ago I created a 3D-animation with POV-Ray. I had played around with this ray-tracer some fifteen years ago, but only scratched the surface. Now I wanted to create a somewhat sophisticated animation including a scene where some text would appear out of a particle cloud. Thus, I needed to transformRead More