On 12 February 2019, the European Data Protection Board (EDPB) met for its seventh plenary session. You can see our blog on the full session here.
At this session, the EDPB adopted two information notes. The information notes offer guidance on data protection issues in the event of a no-deal Brexit, covering two topics: data transfers generally, and binding corporate rules lead supervisory authorities (BCR leads).
Data transfers in the event of a no-deal Brexit
The guidance is separated into three distinct sections.
Preparation for transfers of data from the EEA to the UK
The EDPB sets out five steps for businesses to take in advance of Brexit. Businesses that transfer data from the European Economic Area (EEA) to the United Kingdom (UK) should start preparing now. To prepare, the EDPB suggests the following:
I. Identify the processing activities that require the transfer of personal data
II. Determine the data transfer mechanism that is most appropriate on the facts
III. Prepare the relevant transfer mechanism in advance of 30 March 2019
IV. Indicate in internal documents that you will be transferring data to the UK
V. Update your privacy notices accordingly.
Data transfers from the EEA to the UK
In the event of a no-deal Brexit, the UK will become a third country. This means that, post-Brexit, data transfers to the UK can only occur under the following mechanisms:
I. Adequacy agreement. There is currently no adequacy agreement in place for the UK.
II. Standard contractual clauses. These can be used alongside your data processing agreement. They must not be modified, and must be signed as provided by the European Commission.
III. Binding corporate rules. These are personal data protection policies agreed by a group of companies, and approved by the BCR lead supervisory authority and the EDPB.
IV. Codes of conduct and certification mechanisms. These should contain binding and enforceable commitments to provide appropriate safeguards. The EDPB is planning to publish guidance in this area.
V. Relying on derogations. There are a number of derogations which allow for the transfer of personal data without the safeguards listed above. However, these are interpreted very restrictively.
Data transfers from the UK to the EEA
Current practice can continue. Personal data can continue to be transferred freely from the UK to the EEA.
Binding Corporate Rules lead supervisory authorities
The guidance is relevant to groups of companies for which the UK supervisory authority, the Information Commissioner’s Office (ICO), acts as the BCR lead. The ICO will no longer have a mandate to act as BCR lead in the event of a no-deal Brexit. Affected companies should start to consider their options now.
The EDPB’s advice is that groups of companies headquartered in the UK should identify a new BCR lead within the EU. The EDPB’s advice is the same, regardless of whether:
I. You are an authorised BCR holder.
II. You are not yet a BCR holder, but wish to apply.
III. You currently have a BCR application under review by the ICO.
IV. You currently have a draft ICO decision before the EDPB for approval.
In scenarios three and four above, the newly-appointed BCR lead will take over the review and approval processes.
The decision as to which BCR lead to appoint should be based on the criteria in the Article 29 Working Party’s guidance from April 2018.
The guidance in the EDPB’s information notes provides a level of certainty in a very uncertain time. The EDPB has provided clear, practical steps for businesses to take to ensure that personal data can continue to be transferred freely in the event of a no-deal Brexit.
As things currently stand, the UK will leave the EU on 29 March 2019. We therefore suggest that, in light of the EDPB’s guidance, you start to conduct an internal review of your data transfer mechanisms sooner rather than later.