Data Protection Post-Brexit

Transcription

1 Brexit Law your business, the EU and the way ahead Data Protection Post-Brexit What to expect and how to prepare March 2019 Understanding the practical implications of Brexit for data protection compliance, particularly for companies operating internationally and those reliant on transfers of personal data between the UK and the European Union (EU), is gaining ever greater importance as the 29 March 2019 deadline for exiting the EU gets closer. Although negotiations are still continuing and a possible withdrawal agreement has been proposed, no final outcome has as yet landed, particularly given the possibility that a vote may take place to delay Brexit. A hard Brexit in other words a no deal outcome remains possible. Businesses operating on a cross-border basis may have to introduce safeguards to enable international data transfers between the EU and UK on Brexit whether in March or at the end of any agreed transitional period, as the UK will (absent an agreement or arrangement to the contrary) default to being considered a third country under the General Data Protection Regulation (GDPR). In light of these issues and the recent notes published by the European Data Protection Board (EDPB), in particular with respect to data transfers from the EU to the UK, businesses operating in the UK should scale up their efforts to evaluate the risks that Brexit could pose to the current rules for transferring data internationally, in order to inform and adapt their planning for the UK s exit from the EU. Actions to prepare for a hard brexit Assess affected third-party contracts for: Prohibitions on data transfers outside the EU Appropriate mechanisms to allow data transfers from the EU to the UK Assess internal data flow mechanisms Are changes needed to reflect that the UK will be a third country? Review a sample of privacy notices to consider whether they adequately reflect data transfers outside the EU (including to the UK) Where the ICO is your lead supervisory authority, consider whether an alternative EU lead supervisory authority can be identified Consider whether you or your suppliers need to update Privacy Shield certification and related privacy notices Allen & Overy LLP

2 Issues we consider International data transfers - The GDPR largely preserved existing rules on international data transfers outside the EU, but the validity and legitimacy of key safeguards to enable these transfers, specifically the EU-US Privacy Shield and Standard Contractual Clauses (also known as Model Clauses), are currently under scrutiny. With the UK s exit from the EU, businesses must assess whether appropriate safeguards will be in place to allow the uninterrupted flow of data between the EU and the UK. One-stop shop mechanism One of the much lauded enhancements under the GDPR was the establishment of the so-called one-stop shop (OSS), a mechanism intended to allow controllers and processors to liaise with a single data protection authority, rather than multiple data protection authorities, in relation to cross-border data processing activities. Can this benefit be maintained, for companies operating across the EU and UK, post-brexit? Data Protection Officer Under the GDPR, many companies are required to appoint a mandatory Data Protection Officer (DPO). Many companies with operations across the EU will have appointed one person or a few individuals to carry out this role across the EU or across several member states. If that individual is located in the UK, is that sustainable post-brexit? Companies that are not established in the EU but have a UK representative The GDPR requires companies that are not established within the EU but process personal data relating to the offering of goods and services to, or monitoring the behaviour of, individuals located in the EU to appoint a representative in the EU. What is required for those companies that have appointed a representative in the UK is a new appointment required because post-brexit no establishment will exist in the EU (or vice versa)? How will Brexit affect UK data protection law? The effect of Brexit on data protection law will depend whether the article 50 withdrawal agreement and proposed transitional arrangements are ratified prior to 29 March To the extent they are, the UK will still leave the EU but the rights and obligations under most of the EU legislative framework, including GDPR, will continue to apply during the transitional period. If the agreement is not ratified and the UK leaves Europe without any transitional period (in other words, there is a hard Brexit), the UK will become a third country for the purposes of GDPR as at 11pm GMT on 29 March 2019, provided there is no Article 50 extension which will delay Brexit, or at a later date agreed as a result of any Article 50 extension. In June 2018, the EU (Withdrawal) Act 2018 (EU(W)A) received royal assent, ensuring that in the event of a hard Brexit, the GDPR, as it stands at the moment of exit is converted into domestic law please refer to our article on the EU(W)A which can be found here and which discusses the concept of retained EU law in more detail. The Data Protection Act 2018 (DPA 2018), which implemented GDPR standards across all general data processing, provides clarity on the definitions used in the GDPR in the UK context and exercises a number of modifications to make it work for the benefit of the UK in areas such as academic research, financial services and child protection. This law would remain in force although it would be subject to various modifications implemented by the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Exit Regulations) in the event of a hard Brexit. In addition, the Exit Regulations will implement a UK specific version of the GDPR which will apply in the event of a hard Brexit. The Exit Regulations, which use powers under the EU(W)A to correct deficiencies in EU-derived data protection law as a result of the UK s withdrawal from the EU, were laid before Parliament in December 2018 and will come into force in the event of a hard Brexit. The Exit Regulations ensure that the UK legal framework with respect to data protection would continue to function, for example by changing references to European institutions and law to their UK equivalents. In the medium to long term, the UK Government is unlikely to change current requirements substantially. If the UK were to adopt less rigorous standards generally thought to be an improbable outcome this would make it much more difficult to secure an adequacy or equivalent arrangement to facilitate EU-UK data transfers. 2 Allen & Overy LLP 2019

3 In any event, the reach of the GDPR will catch UK companies that are processing personal data relating to offering products and services to, or monitoring, data subjects within the EU. Put simply, even where an organisation s only EU presence is in the UK, it will continue to be bound by the EU GDPR and relevant EU member state laws, if it processes personal data relating to the offering of goods or services to, or the monitoring of the behaviour of, data subjects in the EU. If that is the case, an EU representative should be designated to act on the organisation s behalf and to liaise with EU supervisory authorities. What will the UK s data protection relationship with the EU look like after Brexit? The European Commission, which is responsible for granting adequacy decisions, has indicated it is committed to commencing an adequacy assessment of the UK s data protection standard after Brexit but, to date, there has been no official announcement that the UK has started adequacy discussions with the European Commission. However, Giovanni Buttarelli, the European Data Protection Supervisor, indicated in an interview with the Financial Times 1 that a UK adequacy decision could take years given the amount of work required for such an assessment, even with a third country that is fully GDPR compliant, and that other third countries had already indicated their interest in applying for an adequacy decision and these applications would be heard in advance of the UK s. An adequacy decision would avoid the need to put in place something similar to the EU-US Privacy Shield for data transfers between the EU and the UK, or to adopt other compliance actions to enable mutual data transfers. Adequacy decisions either apply to a country (eg New Zealand, Israel and, recently, Japan) or to selected sectors or regimes (eg those companies in Canada that are subject to the Personal Information Protection and Electronic Documents Act, and in the US the Privacy Shield). Case law from the CJEU has also had repercussions on adequacy. It has moved the goalposts so that adequacy now means essential equivalence to EU legislation relevant to data protection, taking into account matters such as the UK s surveillance regime. As a result, an adequacy finding is not guaranteed, even if UK law mirrors the GDPR. If an adequacy decision is reached, the ICO could potentially be granted observer status under the EDPB Discretionary Rules of Procedure, but it would not under the present rules be able to participate in the OSS mechanism. The European Commission has stated that in order for the UK to receive an adequacy decision, there must be no lessening in the strength of the UK s existing data protection laws. The UK Government and the ICO have confirmed that they do not foresee any significant changes being made to UK data protection law on Brexit. The recent adequacy decision for Japan took almost three years, but the UK s data protection landscape is already much more closely aligned with the EU and so it might be expected that any decision would take much less time to be reached. The process to initiate an adequacy decision will not begin until after Brexit but if a withdrawal agreement is reached the European Commission has indicated that it can commence during the transitional period. In the event of a hard Brexit, the UK Government intends to replicate European Commission adequacy decisions made prior to 29 March 2019, with the exception of the Japanese adequacy decision, allowing data flows to adequate countries to continue. These decisions will be reviewed every four years. In the event of a hard Brexit, the GDPR will become part of UK domestic law, subject to any amendments made to adapt it from EU to UK law (UK GDPR). The DPA 2018 will continue to apply, subject to certain amendments made under the Exit Regulations, including its extra-territorial scope provisions, which will therefore apply to controllers and processors based outside the UK which process personal data relating to the offering of goods and services to, or the monitoring of the behaviour of, individuals located in the UK. The Exit Regulations provide that the UK will continue to allow the free flow of personal data from the UK to the EEA and Gibraltar at the point of exit under a UK adequacy decision. 1 Allen & Overy LLP

4 What you should do now to prepare With the uncertainty surrounding the basis on which the UK will leave the EU, many businesses are keen to develop contingency plans with most basing those plans on the assumption of a hard Brexit. Given that it is difficult to predict the outcome of the negotiations, some may wish to consider whether it would be appropriate to go ahead and implement measures to be ready for a hard Brexit. As with Safe Harbor, in the event of a hard Brexit, there may be an informal grace period to allow affected companies to put appropriate provisions in place. However, the EDPB in a note adopted on 12 February 2019 stated that all data transfer instruments must be in place as of 30 March 2019 indicating no grace period will be applied. Businesses can however take comfort from the fact they will be in good company, with others facing similar challenges. Many would expect that businesses are unlikely to be penalised by supervisory authorities if the appropriate instruments are not in place, although this is difficult to predict with certainty. Some of the possible areas to consider are set out below. In most cases, the conclusion is that action is unlikely to be required. The key exception concerns the implementation of safeguards for transfers between the EU and the UK, where action is likely to be required, in relation to international data transfers involving other group companies, suppliers, customers and others. The issues below may need to be supplemented depending on the specific circumstances for each business, and should be kept under review as circumstances evolve and further guidance emerges. Implications for international data transfers What steps are required to facilitate international data transfers involving third parties? The burden to consider updates to agreements with suppliers will disproportionately fall on the affected suppliers. For a supplier processing data within the UK, but with customers in the EU, it can expect to receive (if indeed, it is not already receiving) customer enquiries about the implications of Brexit. As with article 28 processor clause amendments required under the GDPR, suppliers with significant numbers of customers will need to adopt an organised and systematic approach in order to manage the exercise effectively and efficiently. In some cases, agreements with suppliers will require the supplier to keep data within the EU and to seek consent from the customer to transfer data outside the EU. Nevertheless, it is possible for a customer to pre-authorise certain transfers, provided appropriate safeguards are implemented (eg Model Clauses). Post-Brexit, it is possible that a supplier may need to seek consent or a waiver from its customer to transfer data to the UK from the EU. It will come down to the drafting of the agreement whether the UK s exit from the EU actually leads to a transfer (if data is already in the UK), but it would be prudent to assess at least whether there is a possibility that such restrictions will be invoked by Brexit. In the event of a hard Brexit, absent a swift resolution (eg in the form of an adequacy decision), it will be necessary to implement safeguards to enable international data transfers from the EU to the UK, in order to ensure compliance with the transfer restrictions under Chapter V of the GDPR. It is possible that an existing data transfer agreement, between the customer and supplier, would without amendment apply to EU to UK transfers post-brexit (by virtue of the UK falling within the definition of a third country under the terms of that agreement), but whether that is the case will depend on the terms of that agreement. In many cases, an amendment may be required, or a new agreement, to extend the terms to data transfers from the EU to the UK. Data transfers from the UK to the US relying on the Privacy Shield mechanism can continue, provided that the Privacy Shield participants have (i) updated their Privacy Shield commitments before 29 March 2019 to state specifically that the commitment extends to personal data received from the UK in reliance on Privacy Shield (the US Department of Commerce has issued model language to be used to address this issue) and (ii) at the time of the transfer, their privacy 4 Allen & Overy LLP 2019

5 policy with respect to the type of personal data transferred includes a commitment to comply with Privacy Shield principles where personal data is transferred from the UK. 1 Identify potentially impacted data flows/supplier relationships 2 Ramp up any review of agreements with suppliers to consider if impacted by contractual restrictions on international data transfers outside the EU 3 Assess the safeguards which are already in place for international data transfers to suppliers and whether any further safeguards are required. For example, a company established in the EU may need to require its supplier to enter into Model Clauses, for the purposes of data transfers from the EU to the UK or to ensure that, when exporting personal data to a US company that relies on Privacy Shield, that the commitments and privacy policies have been updated to refer to the UK; and 4 Prepare templates, eg for communications with vendors or customers regarding contractual arrangements What steps are required to facilitate international data transfers on an intra-group basis? Many businesses, which have operations within and outside the EU, are likely already to have in place some form of intragroup agreement, or a suite of agreements, incorporating Model Clauses, to cover data transfers between the EU and the rest of the world. As with agreements with suppliers and customers, it will depend on the terms of existing Model Clauses whether they will automatically extend to apply to EU to UK transfers post-brexit. In some cases amendments will be required, in others not. Binding Corporate Rules (BCRs), an internal agreement which permits data transfers within a corporate group, may also be utilised. If an organisation has BCRs in place for all non-eu data flows, a similar assessment is required to consider to what extent the BCRs would, without amendment, apply in order to enable transfers in compliance with the restrictions. Where the ICO is the lead supervisory authority for any approved BCRs, businesses should identify a new EU supervisory authority according to the criteria set out in the Article 29 Working Party Guidance 263 and make the necessary changes to update the BCRs, for example by changing the notification arrangements. One potentially significant impact is that the EDPB has stated in its note for companies with the ICO as its BCR lead supervisory authority (ICO BCRs) that any ICO BCRs currently going through the review process will need to be restarted using a new EU lead supervisory authority. For ICO BCRs that were near to approval, this could be a significant backward step as the BCR approval process can take a number of years. Conversely, any ICO BCRs which have been submitted to the EDPB for approval will proceed although a new EU lead supervisory authority must be appointed and the draft BCRs will need to be resubmitted for approval. Compared to agreements with customers and suppliers, it will generally be easier to decide on and implement an intragroup solution. Defining the problem is likely to require a review of a small number of existing agreements and implementation will not involve third party dependencies. As such, save for any internal governance requirements (and, if applicable, adjustments to deal with any ongoing BCR approvals), and the mechanics of execution, it should be relatively easy to implement a satisfactory solution. Allen & Overy LLP

6 1 Where intra-group Model Clauses or BCRs are in place, review them to assess to what extent they would automatically cover post-brexit transfers. Consider what amendments may be required and how they will be implemented, including where the ICO is the lead supervisory authority, nominating an EU based supervisory authority and any consequential changes to internal BCR documents 2 Where ICO BCRs are going through the review process, determine which EU supervisory authority should be appointed as the new lead supervisory authority and, unless the review process can be completed before 29 March 2019, or any alternative date agreed following an Article 50 extension, and the draft submitted to the EDPB for approval, the BCR process will need to be restarted; and 3 Where ICO BCRs have been submitted to the EDPB, a new EU lead supervisory authority will need to be appointed and the draft BCRs resubmitted for approval Processing personal data is it necessary to update internal policies and procedures? Many companies operating across multiple jurisdictions will have already taken the view that their best course of action is to comply with the GDPR. EU data protection law is, in some senses, a benchmark for the regulation of data processing. Similar legislation has been adopted, for example, in Argentina, Mexico, Switzerland, Israel, South Africa and New Zealand. Experience shows that multi-national companies often prefer to have policies and procedures that are consistent across the countries in which they operate. These companies will often have updated their policies and procedures across their business activities in response to the GDPR. For these companies, Brexit (whether hard Brexit or soft Brexit) is unlikely to require a change of approach, given that the UK data protection regime is unlikely to change significantly in the short to medium term. For businesses that have aligned their policies and procedures with the GDPR to a more limited extent, and also maintain different policies and procedures within and outside the EU, in the medium to long term, there may be some limited scope to differentiate between those policies and procedures applicable to data processing taking place under UK and EU laws respectively. However, the extent to which that is an option will depend on the extent to which UK law departs from GDPR over time, and in turn, that will depend on any terms agreed between the EU and UK, whether as part of a withdrawal agreement or adequacy decision. The extent to which it is desirable will also depend on a range of other factors, including the cost and complexity of managing multiple parallel policies and procedures. No action required. Is it necessary to update privacy notices provided to individuals? The GDPR has introduced, under articles 13 and 14, a requirement that privacy notices provide details of international data transfers to third countries, as well as the safeguards that have been implemented for the purposes of those transfers. 6 Allen & Overy LLP 2019

7 Many companies will have revised privacy notices to refer in some cases to specific third countries to which data is transferred and to provide details of the relevant safeguards, such as Model Clauses, which are applied to those transfers. It is unlikely that privacy notices would need to be updated in light of Brexit, but it should be considered. For example, for a business headquartered in the UK, but which has operations throughout the EU, it may consider it appropriate, post- Brexit, specifically to refer to the UK as a destination country for data transfers in such notices or, for US organisations which rely on the Privacy Shield mechanism, to include a commitment to comply with the Privacy Shield principles where personal data is transferred from the UK. In other cases, it may simply be necessary to amend a notice to correct a factual inaccuracy. For example, privacy notices may have assured individuals that data is processed exclusively within the EU, whereas that may not continue to be true as a result of Brexit. In any case, it is unlikely to be necessary or appropriate proactively to contact individuals to advise them of changes to a privacy notice of this nature. EDPB guidance on transparency under the GDPR is clear that non-material changes are not required proactively to be brought to the attention of individuals and it is likely that changes of the nature described above would fall into that category. As such, one would hope not to see another flurry of privacy notices being foisted on individuals, similar to what was experienced in the run up to 25 May Review a sample of privacy notices to consider whether international data transfers are adequately described. Consider whether to update templates. Is it necessary to appoint a new lead supervisory authority? For a business with a main EU establishment located in the UK, where the ICO is currently identified as the lead supervisory authority, consideration should be given to whether an alternative lead supervisory authority can be identified post-brexit, in order to take advantage of the OSS in relation to processing within the EU. For some organisations that have their headquarters located in the UK, they may find that they do not have a main establishment within the EU, or that they only have another main establishment for specific and limited cross-border processing activities, so the option of migrating to another lead supervisory authority may simply not be available. For others, the situation may be more finely balanced. If a business will, as a result of Brexit, relocate any infrastructure and personnel to the EU from the UK for other reasons (eg in financial services, to continue to benefit from passporting within the EU), it may be possible to determine that a new main establishment arises within the EU as a result of that structural change. No action required. However, assess whether the business has an alternative main establishment within the EU, which may be able to take advantage of the OSS. Note the separate recommended actions above where a business has ICO BCRs. Allen & Overy LLP

8 Is it necessary to relocate an (EU) DPO? The GDPR is silent as to where (geographically) a DPO should be based. This is particularly relevant to the extent that a single DPO is appointed for multiple undertakings pursuant to article 37(2) GDPR). The only requirements of significance are that any DPO must be easily accessible from each establishment for which it is the appointed representative and must have expert knowledge of both UK and EU data protection law. However it should be noted that guidelines on DPOs adopted by the EDPB do recommend that a DPO should be located in the EU, whether or not a controller or processor is located in the EU, although these guidelines are not legally binding. As such, to the extent an organisation has located a DPO, for multiple EU undertakings, in the UK, Brexit should not have any impact on the accessibility of that individual and so there should be no impact. No action required. Is it necessary to appoint a representative? As with the GDPR, the UK GDPR has extra-territorial effect. Consequently any controller or processor based outside the UK which process personal data relating to the offering of goods and services to, or the monitoring of the behaviour of, individuals located in the UK, will need to appoint a representative in the UK, in addition to any representative they may have appointed in the EU. In addition, any UK company which offers goods and services to, or monitors the behaviour of, individuals located in the EU will need to consider whether they should appoint a representative in the EU. Determine whether it will be necessary to appoint a new representative in the UK or EU and, where appropriate, make that appointment. 8 Allen & Overy LLP 2019

9 Your Allen & Overy contacts Jane Finlayson-Brown Partner Tel Nigel Parker Partner Tel Ali Parvin Peerpoint Consultant Tel David Smith Special adviser Tel If you would like to discuss the issues raised in this paper in more detail, please contact any of the experts above or your usual Allen & Overy contact. Allen & Overy means Allen & Overy LLP and/or its affiliated undertakings. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications or an individual with equivalent status in one of Allen & Overy LLP s affiliated undertakings. CO: Allen & Overy LLP