Will post-Brexit Britain be ‘Adequate’?
If you were to hold a straw poll of the people of Britain (I’ve purposefully avoided the term ‘referendum’) and ask which two terms they would like banished from the lexicon in 2018, it’s a safe bet that amongst the huddle of phrases such as “on fleek” and “squad goals”, “Brexit” and “GDPR” are likely to come somewhere near the top of the list.
Much like their counterparts in the list (admittedly, I had to look them up online) they are highly unlikely to disappear soon, especially with the countdown to Brexit about to tick past the six-month marker. Assuming that the Brexit negotiations conclude with Britain leaving the EU, whether this is with a hard, soft or other Brexit, the UK will become a ‘third-country’ for the purposes of transferring personal data from the EU. The importance of this is that data transfers from the EU into data importing third countries, as we will become, are prohibited except in the presence of a small number of strictly controlled exceptions.
When Adequacy is more than sufficient
The simplest solution to this problem is for the UK to gain approval from the EU Commission to be regarded as an ‘adequate jurisdiction’. This will effectively allow for the transfer of personal data to and from the EU in much the same way as if we were still part of the Union. To receive this adequacy status the UK will need to be considered as having laws that are, in practice, equivalent to those that safeguard personal data processed within the EU. This may seem simple enough but considering the commercial benefit aligned to adequacy status, there are still only 11 jurisdictions world-wide holding adequacy in the eyes of the EU. This demonstrates the political difficulty inherent in securing such status. Getting this far has been no cake walk for the UK and the road ahead is likely to be even more difficult.
After months of enduring the relentless foreboding prior to May 25th 2018, many of our clients would politely issue us with requests to “make the GDPR go away!” In some ways, the lawmakers in Westminster heard their exasperated pleas and responded by passing the Data Protection Act 2018. Although technically this didn’t perform the desired vanishing act to remove the GDPR from the agenda, it did usher in the benefit of changing the terminology we employ in the UK (although the term GDPR is used interchangeably) and updating the old Data Protection Act 1998. On the same day as the GDPR became fully enforceable, it also neatly and seamlessly provided the mechanism to transpose this new European legislation into our own legal framework.
This last action may seem an unnecessary indulgence as the GDPR, being a Regulation, instantly binds all countries in the EU, but the hunt for adequacy in the face of Brexit negotiations demanded swift and coordinated action from the Government and the ICO. This almost instantaneous transfer of the GDPR into our laws completes a key condition of gaining adequacy status, that of having a legal data protection framework consistent with the concepts enshrined in EU data protection law. To have achieved this synchronised action from both houses of Parliament and the ICO in such a short time frame is nothing short of a small miracle when viewed in the prism of the ongoing maelstrom currently underway in Whitehall and Brussels.
To cement our position as an adequate jurisdiction, the UK must demonstrate its ability to enforce these laws, provide effective redress for individuals who have suffered an infringement of their rights and ensure legal limits on the state’s interference with the privacy of individual data subjects. Much of this responsibility falls on the shoulders of the Information Commissioner’s Office, which has been at the forefront of shaping EU legislative guidance and is set to continue its history of working closely with organisations to ensure compliance and enforceability of data protection law. The courts of the UK have also provided leading EU case law advancing the privacy rights of individuals. All of this lends weight to the suggestion that an adequacy decision is likely.
There is some concern regarding interferences from UK governmental security agencies with regards to privacy and a recent attempt by the UK government to secure an early and enhanced adequacy status, shortly after the DPA 2018 was enacted, was met with expected derision by the EU. Despite these considerations, it is expected that all efforts will be undertaken to ensure adequacy is granted to the UK at the time of exiting the EU.
Contracting for an uncertain future
To compound concerns around the issue, the EU Commission has indicated that it will not provide a ruling on adequacy until the UK becomes a third country, which could provide for a period of time between leaving the EU and gaining any subsequent adequate status, all the while leaving the UK without an appropriate solution to personal data transfers.
During this interim period, or should the UK fail to gain adequacy status in the event of ceasing to be a Member State, the only option available at this time will be to rely on one of the safeguards provided for in Article 46 of the GDPR. Most commonly used are the EU standard data protection clauses adopted by the Commission, commonly known as the ‘Model Clauses’. Although these are reasonably straightforward in terms of incorporating into contractual relationships, they will cause a degree of further admin and legal work between data importers (which will be the default position of companies in the UK from the date of leaving the EU) and data exporters (those in the EU).
Although an extra burden on parties looking to share personal data, these clauses do provide the most straightforward option as the remainder of safeguards are only applicable in limited circumstances. It should come as no surprise during these uncertain times to hear that the validity of the Model Clauses is currently being challenged in the European Courts and there is the potential that they may share the same fate as Safe Harbour, creating a further challenge to any business relying on them as their chosen method of safeguarding personal data exports to third countries.
The lack of utility provided by the other safeguard options available and the reduced certainty surrounding the Model Clauses highlights the importance of securing adequate status on the day the UK ceases being a Member State of the EU.
Hope for the best, plan for the worst
There is little that the average business in the UK can do while this political ballet unfolds and it’s difficult to imagine the EU discarding such a key bargaining chip by granting adequacy while negotiations are still underway but it’s fair to say that a common sense solution is the most desirable, with adequacy being the primary goal for the UK.
All we can do during these testing times is expect the ICO to continue demonstrating their ability to enforce the principles of the GDPR and give effect to the rights of individuals enshrined in the legislation. This will most likely manifest itself in continued education, enforcement notices, investigations and fines, and this level of scrutiny is a further reason for businesses to continue their efforts to establish compliance and demonstrate accountability at all times.
Should we fail to gain status as an adequate jurisdiction, the businesses of the UK will have to resort swiftly to alternative safeguards to govern the importing of personal data from the EU. Guidance issued this week from the Department for Digital, Culture, Media and Sport has encouraged businesses to consider the implications of a “no-deal” Brexit (with adequacy status not forthcoming) by considering other arrangements for the transfer of personal data from the EU.
However much we may hope this isn’t the reality we face next spring, the sensible approach is to invest the time we are afforded now to review all contracting practices within your organisation, identify the data flows to and from the EU and ascertain which of the alternative safeguards would be most appropriate should adequacy fail to transpire.
If you are interested in undertaking a Brexit Contract Audit, please contact us by calling 01603 339044 or email firstname.lastname@example.org.
Please note: the content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in each individual circumstance.