EU-UK data transfers post-Brexit
The UK and the EU have not yet reached agreement on an arrangement that would preserve cross-border data flows post-Brexit. The EU’s chief negotiator, Michel Barnier, has previously rejected a proposal put forward by the UK.
The proposed arrangement sought to continue the uninterrupted and secure EU-UK personal data flows, which the UK argued was “vital for all partners”, including having the Information Commissioner’s Office remain on the European Data Protection Board (“EDPB”, formerly the Article 29 Working Party).
Mr Barnier emphasised that the only option for the UK would be an adequacy decision, which could be a lengthy process and not without challenges. This would mean standard contractual clauses may be needed for the immediate future post-Brexit (from 1 January 2021, assuming the draft agreement on the proposed transition period is ratified) to legitimise EU-UK personal data transfers.
Revised E-Privacy Regulation
The EDPB has supported the swift adoption of the E-Privacy Regulation, which will replace the existing E-Privacy Directive and will govern processing of personal data by electronic communications services (including email and sms marketing, telemarketing and cookies/tracking technologies).
Critically, the EDPB confirmed that GDPR-grade consent needs to be obtained before processing electronic communications data or before using the storage or processing capabilities of a user’s terminal equipment. Organisations will not be able to rely on broad “legitimate interests” that go beyond what is necessary to provide the electronic communications service. This will apply to cookies and similar tracking technologies.
New fees regime for funding the Information Commissioner’s Office
The UK’s Data Protection (Charges and Information) Regulations 2018 came into force on 25 May 2018 and introduced the requirement (subject to limited exemptions) for data controllers to pay a data protection fee to the ICO, which is tiered depending on turnover and number of staff and ranges from £40 to £2,900.
The Regulations apply to organisations that are based in the UK, but also those who are not based in the UK but process personal data relating to data subjects who are in the UK when the processing takes place, where the processing relates to either: (a) the offering of goods or services to data subjects in the UK; or (b) the monitoring of data subjects’ behaviour in the UK.
Organisations that hold a valid ICO registration prior to 25 May 2018 do not need to do anything until their current registration expires, but where an organisation’s registration has lapsed, or an organisation has become a data controller after 25 May, they should complete the ICO’s self-assessment tool to confirm which fee applies to them. Failure to pay the fee could result in a fine from the ICO.
CJEU broadens the concept of data controllership
The recent ruling by the Court of Justice of the EU in Case C-210/16 Wirtschaftsakademie found that Wirtschaftsakademie (a company offering educational services) was a joint controller alongside Facebook in respect of personal data processed about visitors to its Facebook fan page.
Despite the fact that Wirtschaftsakademie did not have access to the data processed, other than in anonymised form for statistical purposes, the fact that it helped set the “parameters” by which the personal data was processed was enough to have influence over Facebook’s processing and therefore made it a data controller.
The judgment means that an organisation can be a joint controller without even having access to the personal data, if it establishes the purposes of the processing and facilitates the means of the processing. This interpretation significantly broadens the concept of data controllership, and could have far reaching consequences on how organisations engage with platform services, moving from a controller-to-processor basis to a controller-to-controller basis.
Is any new EU legislation expected to come into force and effect before the end of the transition period?
The E-Privacy Regulation, which is currently in draft form, is expected to be in final form and published in the Official Journal by end of 2018 or the first half of 2019. The current draft has a one year implementation period, meaning that it would apply in the UK provided it is passed before the end of 2019.
Is a new regulator needed, or do additional powers to be given to an existing regulator?
No. The ICO will continue to be the UK data protection supervisory authority post-Brexit. However, the relationship between the ICO and other EU supervisory authorities and the EDPB is currently unclear. We expect more clarity as all parties get to grips with the GDPR and their new roles.
Is there an existing “equivalence” or “recognition” regime for recognising Third Country regulatory regimes?
The EU data protection regime includes a mechanism by which the European Commission can recognise a third country’s regulatory regime as being “adequate”, which allows personal data to be transferred from the EU to that country.
The UK is seeking a bespoke arrangement on data transfers. However, the current position – per the statement issued by Michel Barnier (discussed above), is that the UK must apply for an adequacy decision post-Brexit. If/until adequacy is granted (or a bespoke agreement is concluded), standard contractual clauses will be needed to legitimise any transfers of personal data outside of and into the UK.
Does current UK government policy mean that (subject to the terms of a future trade agreement between the UK and the EU) material changes to regulation or enforcement are likely post-Brexit?
This is unlikely, given that the UK is looking for an arrangement (or, failing that, an adequacy decision) that recognises the UK’s regulatory regime as affording broadly similar protection for personal data. However, this could potentially change depending on the outcome of the UK’s adequacy application post-Brexit.
What should businesses be doing now to prepare for Brexit?
- Continue with GDPR projects through to completion, as an organisation which is compliant pre-Brexit is likely to be compliant post-Brexit.
- Update agreements to ensure that the data protection provisions allow for the transfer and processing of personal data to the UK as a matter of contract (typical data protection clauses will impose restrictions on the transfer of data outside the EEA).
- Continue to monitor the position concerning EU-UK data transfers post-Brexit and consider updating agreements to include standard contractual clauses to legitimise data transfers (as a matter of regulatory law) until such time that the UK is granted adequacy.
Dates for the Diary
|H1 2019||The e-Privacy Regulation, which will replace the existing ePrivacy Directive and will govern the processing of personal data in connection with electronic communications services (including email and sms marketing, telemarketing and cookies/tracking technologies) is expected to be passed into EU law.|