It was a serious shock when the British people voted for Britain to leave the European Union (EU). The consequences will be massive and will also affect data protection law. Once the common legal framework of the EU member states no longer covers the United Kingdom, data transfers across the English Channel will need a legal justification. Currently, the legal justifications are laid down in the EU Data Protection Directive (DPD) and its respective implementations in the member states’ national data protection laws. On 25 May 2018, the member states’ data protection laws and the DPD will be replaced by the General Data Protection Regulation (GDPR). Both the DPD and the GDPR differentiate between data transfers within the European Economic Community (EEC) and data transfers to countries outside the EEC, and favour data transfers within the EEC. Leaving the EU may be the end of such privileged data transfers to the United Kingdom.
1. Data Transfers within the EEC
Data transfers require a justification under data protection law. Whether the data exporter and the data recipient are located in the same member state or in different ones is irrelevant under data protection law – the DPD and the GDPR consider the EEC member states per se as providing adequate data protection safeguards.
The same applies to assigning data processing to data processors located within the EEC as compared to data processors located outside the EEC. Currently, Section 11 of the German Data Protection Act (BDSG) treats data processors located in EEC member states as a part of the data controller. As a consequence of this so-called “privileged” data processing, the requirements for justifying such assignments are substantially lower than for assignments to data processors in third countries. This will not change significantly under the GDPR.
Today, such privileges for data transfers apply, inter alia, to data processors in the United Kingdom and to data controllers in other member states. When the UK leaves the EU and, presumably, the EEC, these privileges will no longer be automatically in place. In that case, data controllers in the EEC would need to implement alternative means to ensure adequate data protection guarantees for data recipients in Great Britain.
2. Data Transfers to the UK based on an Adequacy Decision
For countries outside the EEC (third countries), the DPD and the GDPR assume that no sufficient data protection guarantees are in place. Countries outside the EEC are considered prima facie as “unsecure third countries”. For unsecure third countries, the EU Commission may assess whether adequate data protection guarantees are in fact in place and issue a corresponding decision under Art. 25 DPD and, in the future, under Art. 45(1) GDPR (adequacy decision). The EU Commission’s adequacy decisions are legally binding, but, like any act of a public authority, may be challenged in the courts and ultimately be overruled by the European Court of Justice (ECJ). The ECJ recently overruled the Safe Harbor adequacy decision for data transfers to the USA (see our blog articles of 6 October 2015 and 12 February 2016).
Currently, there are adequacy decisions in place for Andorra, Argentina, Canada, the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. For the USA, there is an adequacy decision for data recipients under the EU-US Privacy Shield (see our blog article of 12 February 2016 concerning the draft).
When the United Kingdom leaves the EU, it would, as a starting point, need to be considered an unsecure third country. However, the United Kingdom would likely either remain in the EEC with a status such as that of Norway, or the EU Commission would adopt an adequacy decision in the course of the exit negotiations, putting Great Britain in a position such as that of Switzerland today. Such an adequacy decision would appear reasonably justified if Great Britain kept in force its data protection act, which is based on the DPD.
In that case, we would almost be back to the current status quo – almost. As a consequence of the ECJ’s Safe Harbor ruling, national data protection authorities are obliged to assess individually, and independently of an adequacy decision, whether a data transfer is justified and whether the data recipient provides adequate data protection safeguards. For this assessment, data protection authorities would also consider access by public authorities to personal data, e.g. in the context of criminal investigations or anti-terror activities.
In the same way, data transfers to Great Britain could ultimately be brought before the ECJ for review, similar to the Safe Harbor ruling. The ECJ’s ruling in such a case is hard to predict in light of the existing cooperation between US and British authorities.
3. Data Transfers to the UK as an Unsecure Third Country
In case the exit negotiations do not establish the UK’s status as a secure third country, or the UK loses such status, data transfers would need to be justified on the basis of the so-called two-step test.
In the first step, data controllers based in the EEC would need to establish a justification as for any other data recipient located in the EEC or in a secure third country. In addition, they would need to establish the second-step justification, compensating for the lack of adequate data protection at the data recipient’s end.
The means of choice for the second step would depend on the individual circumstances of the data transfer. In any event, implementing the EU Commission’s standard contractual clauses would be possible and would establish adequate data protection standards without requiring approval by the data protection authority.
For intra-group data transfers, implementing so-called binding corporate rules may also be an option (see Art. 47 GDPR). Binding corporate rules would, however, need to be approved by the data protection authority in order to constitute a sufficient second-step justification.
Brexit will have a severe impact on the foundations of economic cooperation with the United Kingdom and will pose significant challenges for affected companies. One of many tasks will be to establish a concept for data transfers to the United Kingdom that complies with data protection requirements. The challenges in detail will depend on the coming exit negotiations. Affected companies should keep the possible scenarios in mind and prepare for the associated challenges.