GDPR and BREXIT – The Hype and Scaremongering: Why EU and UK Businesses Shouldn’t Overreact

As Brexit uncertainty continues in Britain, many UK and EU businesses – including businesses in Ireland, north and south – want to know what they should do about GDPR.

Some have suggested that, in the event of a hard Brexit, the UK would automatically be declared a ‘third country’, the implication being that the UK’s data protection regulations would no longer be considered ‘adequate’ and the transfer of personal data to and from the UK could be prohibited (GDPR Recital 107).

I agree that, under Brexit, the UK could be categorised as a ‘third country’ but that doesn’t automatically mean the UK’s data protection regulations will be declared as not meeting adequacy. In fact, it could be argued that it would be very unwise for the EU Commission and the supervisory authorities to adopt such a stance. Here is why:

1. To declare UK data protection regulations as inadequate would inflict social and economic chaos.

Given the amount of personal information that moves between the UK and Europe, could you imagine the economic and social chaos that would follow? As information is the ‘life blood’ of the new digital economy, it would be the physical equivalent of closing every road, railway, airport and port. It would be an act of sheer madness on the part of the EU and the supervisory authorities. The critical importance of information flow is also recognised in GDPR Recital 101 which states that “Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and cooperation”.

2. Credibility and trust in GDPR would evaporate.

To declare the UK as a ‘third country’ with inadequate personal data protection would wipe out any credibility and trust in GDPR. Why? Let’s use a simple analogy. I have three members on a team and, during their time with my company, they have each been professionally certified. One of them decides to leave and work for another company. In an act of stupidity, I declare that their certification was inadequate. Now, what does that say about the remaining team members and their certification?

The UK adopted GDPR in its entirety (UK Data Protection Act 2018) and the Information Commissioner’s Office in London (the UK’s current GDPR supervisory authority) has been one of the leading lights in the introduction, communication and application of GDPR. To declare the UK’s data protection regulations inadequate would not only have a devastating social and economic impact for everyone, but would seriously undermine any credibility and trust in GDPR.

3. It would undermine fundamental human rights.

GDPR claims to be a champion of the fundamental rights and freedoms of the individual. To declare UK data protection regulations inadequate could put the personal information of billions of people at risk. It could also be interpreted as putting process and politics before any grand declarations of individual rights and freedoms.

Existing Obligations

Whatever the scenario, hard Brexit or not, the EU Commission must first decide whether the UK is a third country. Then, as a third country, do UK data protection regulations ensure an ‘adequate level of protection’? If they do, the EU Commission can rule that data transfers require no further ‘specific authorisation’ (Article 45). In other words, the EU Commission has the power and the ability to keep personal information and data moving smoothly between the UK and Europe. This is also clarified in Recitals 103 and 104, where the regulation describes the sort of assurances and mechanisms that support an adequacy decision. They include the rule of law, access to justice, international human rights norms and standards, and independent data protection supervision. Recital 105 also states that the Commission should consider international data protection commitments, obligations and functioning in multilateral or regional systems. The fact that the UK adopted GDPR into its own data privacy law should help there.

My point is that the UK is a world leader in international, national and EU data protection and privacy regulation and law. It easily fulfils all of these requirements and more. Indeed, any reassurances the UK might be required to give the European Commission would be based on GDPR and, as the regulation has been fully integrated into UK law, a decision not to grant ‘adequacy’ would, in effect, mean that the EU was declaring its own regulations inadequate!

But let’s consider for a moment that the EU Commission decides not to declare the UK an ‘adequate third country’. What is the process? According to the regulation, the EU Commission would have to conduct a review examining matters such as:

  • The rule of law, the respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data.
  • The existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States.
  • The international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular, in relation to the protection of personal data.

During the review, “where available information reveals” that a third country no longer ensures an adequate level of protection, the Commission may decide to repeal, amend or suspend a decision of adequacy (Article 45.5). It may also do so on “imperative grounds of urgency”. However, the regulation also states that if a third country’s data protection regulations are deemed inadequate, the Commission shall enter into consultations with the third country with a view to remedying the situation.

Unfortunately, the regulation doesn’t place a time limit on such consultations. In the meantime, controllers and processors may transfer data, without authorisation, to a third country only if appropriate safeguards, enforceable data subject rights and effective legal remedies for data subjects are available (Article 46). These include measures such as binding corporate rules (Article 47) and standard data protection clauses adopted by the Commission or a supervisory authority. Recital 108 offers further explanation:

“In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default…”

Again, these requirements and safeguards will already exist in a UK business that has implemented GDPR. It makes complete nonsense of the regulation to seek further reassurance. This includes the costly imposition of EU pre-approved binding corporate rules. Further, Article 49 sets out derogations for specific situations. It states that in the absence of an adequacy decision (Article 45(3)) or of appropriate safeguards (Article 46), including binding corporate rules, a transfer or set of transfers of personal data to a third country can take place if one of the following conditions is met:

  1. the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  2. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
  3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  4. the transfer is necessary for important reasons of public interest;
  5. the transfer is necessary for the establishment, exercise or defence of legal claims;
  6. the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  7. the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

The continued exchange of information can only take place if it is occasional and necessary, not repetitive, limited and in the public interest. For example:

“…in cases of international data exchange between competition authorities, tax, or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health… A transfer of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the data subject’s or another person’s vital interests, including physical integrity or life, if the data subject is incapable of giving consent.” (Recitals 111, 112 and 113).

Recital 113 also adds: “For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase in knowledge should be taken into consideration”.

It is clear, then, that the EU Commission and the supervisory authorities have sufficient power and latitude to keep the data wheels of commerce and co-operation turning in the event of Brexit without organisations and businesses having to implement even more costly and complex regulation.

Article 50 also declares that the EU Commission shall take appropriate steps to:

  1. develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;
  2. provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;
  3. engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;
  4. promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

Let’s hope the EU Commission is doing what it is required to do and hasn’t fallen into the trap of replacing the importance of data protection regulation with political convenience.

It would be unwise for the EU Commission and its supervisory authorities to declare UK data protection regulations inadequate. If they do, any progress that’s been made in recent years to protect the rights of data subjects will evaporate. Also, any delay or silence could be interpreted as political posturing. If it hasn’t already, let’s hope Article 50.1-3 will be adhered to in the coming months.
