A key session at the conference this year was the “Let’s talk about Brexit” panel discussion, featuring Eleonor Duhs from Fieldfisher LLP; Roxanne Morrison from the Confederation of British Industry; Steve Wood, the Deputy Commissioner for Policy at the ICO, and Mikko Nova from Vodafone, who had just been crowned DPO of the Year.
The session covered these topics:
- Implications for transfers to and from the EEA for UK companies
  - in a deal scenario
  - in a no-deal scenario
- Key considerations for no-deal planning
- Use of Model Clauses where the current approved versions are insufficient
- The position on EU Representatives and Lead Supervisory Authority
Implications for transfers to and from the EEA for UK companies
Under the GDPR, an organisation in the EEA that transfers personal data to a “third country” outside the EEA (a Restricted Transfer) must ensure that there is a legal basis for the transfer. One such basis is an “adequacy decision” issued by the European Commission in respect of the third country, i.e. a finding that its national data protection regime adequately protects data subjects’ rights. Where no adequacy decision exists, the business must put an appropriate safeguard in place: usually Binding Corporate Rules, a set of internal rules approved by a supervisory authority that legitimise transfers between companies in the same group, or Standard Contractual Clauses, template agreements approved by the European Commission that contractually guarantee data subjects’ rights.
In the event of a deal there will be a two-year transition period, during which data can continue to flow between the EU and the UK as if the UK were still a member of the EEA. The UK will apply for an adequacy decision, with the intention of becoming a third country that already has an adequacy decision in place by the end of the transition period. If no such decision is obtained in time, organisations will need to put appropriate safeguards in place for transfers of personal data.
In the event of a no-deal exit there will be no transition period: the UK will immediately become a third country without an adequacy decision. Organisations transferring personal data from the EEA to the UK will therefore need appropriate safeguards in place for those transfers from the moment of exit, for instance Binding Corporate Rules for intra-group transfers or Standard Contractual Clauses for transfers outside the group.
Key considerations for no-deal planning
The panel agreed that a good approach would be to:
- Review the ICO guidance on no-deal preparations
- Review data flows
- Identify risks, prioritising the key ones (i.e. important data that flows from the EEA to the UK), and map the controls already in place or to be put in place for each
- Look at the possibility of onshoring, i.e. restructuring processing so that the data does not need to cross the EEA–UK boundary at all
- Where onshoring isn’t appropriate, put in place a mechanism that makes the transfer lawful under the GDPR, for example Binding Corporate Rules or Standard Contractual Clauses
It was emphasised that the GDPR obligation will fall on the EEA entity transferring to the UK to have the relevant mechanism in place. Transfers in the other direction are not expected to be affected, as the UK government has indicated that it will treat transfers from the UK to the EEA as if an adequacy decision were in place.
Standard Contractual Clauses
Eleonor Duhs fielded the difficult question of whether the currently approved forms of Standard Contractual Clauses are appropriate at all, focusing on one particular scenario: transfers from EU data processors to UK controllers. Ms Duhs acknowledged that no current Model Clause template deals with this type of transfer and described two market approaches: (1) use the Controller to Controller Standard Contractual Clauses in order to put some protections in place; or (2) do not regard this type of transfer as a Restricted Transfer at all, so that no legal mechanism is required. The panel did not express a preference between the two approaches, and the ICO indicated that the question is to be reviewed in Brussels this week.
Position on EU Representatives and Lead Supervisory Authority
If a non-EU business is caught by the extraterritoriality provisions of the GDPR and has appointed an EU Representative based in the UK, that Representative will no longer be established in the EU once the UK leaves, and the business will need to nominate a Representative in an EU member state.
Lead Supervisory Authority
In the event of a no-deal exit, the ICO will no longer be able to act as Lead Supervisory Authority for certain cross-border processing, and organisations may need to identify a replacement authority in the EU. However, the GDPR sets specific criteria for which authority can lead, and it may turn out that no EU authority qualifies as Lead Supervisory Authority for a given processing activity.
The panel emphasised in closing that practitioners should:
- Follow the key considerations for no-deal planning set out above
- Keep up to date on the Max Schrems challenge against the use of Standard Contractual Clauses, which may change the position in this area
- Keep up to date on the ePrivacy Regulation, as it is thought that the UK will still adopt it