Brexit and data protection

Whether you are a European group or an advertising company, working in the media usually means advertising at an international level. This means that your clients or providers could potentially be located in the UK. Therefore, you could be transferring data to the UK.

In view of the forthcoming Brexit decision in March 2019 and the recent entry into force of the General Data Protection Regulation (GDPR), Nicolas Hamblenne & Gaëtan Goossens of KOAN Law Firm in Brussels shed light on the likely issues that businesses may face in terms of data protection and transfers.

The current situation

At the time of writing this article, the proposed deal (i.e. the Withdrawal Agreement and Political Declaration) is far from being cast in stone. There are indeed several scenarios: New Deal / No Deal / No Brexit. Besides political considerations and while most requirements under the GDPR will most likely remain the same, there will be an impact on data transfers to the UK.

Currently, thanks to the harmonised approach of the GDPR on data transfers, there is a specific regime of free data flow within the European Economic Area (hereafter: “EEA”). This means that any legal entity located in the EEA can legally transfer personal data to another company located in another country of the EEA without any obstacle.

Any personal data transfer to a country located outside of the EEA (hereafter: “Third Country”) is in principle prohibited. In case of a Brexit, the UK will be considered as a “Third Country” except if a specific status is negotiated as part of the Brexit deal. This seems however quite unlikely. There is no need to explain the commercial disaster if personal data flows had to be stopped between the EU and the UK.

Data transfers exceptions

Fortunately, even in the situation of a No Deal Brexit, it will still be possible to transfer data to the UK. Indeed, the GDPR foresees (i) some exceptions in order to allow data transfers, such as using standard data protection clauses, binding corporate rules, approved codes of conduct or approved certification mechanisms, or (ii) limited derogations which allow for transfers in specific cases (such as transfers based on consent or when necessary for the fulfilment of a contract for the benefit of the data subject).

These exceptions and derogations are often burdensome from an operational/administrative (and often legal) point of view, especially for small media companies.

Aside from these limited exceptions and derogations, there is the possibility of an adequacy decision. Those decisions recognise that the third country provides an adequate level of protection of personal data, ensuring thus a safe and legal transfer. The countries deemed to have a data protection regime essentially equivalent to those in the EU are compiled on a list (the so-called “white list”).

However, an adequacy decision usually takes months (if not years) and fewer than a dozen countries have received their golden pass so far. The decision also lies mainly with the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) and not only the European Commission or Parliament.

Before any adequacy decision takes place, it is likely that a “status quo” situation remains for at least two years in terms of data transfers between the EU and the UK. No cast-iron timetable can however be pledged at this stage. The Withdrawal Agreement states that during this transition period, any reference to “Member States” in the EU data protection legislation should be understood as including the UK. On its side, the European Commission has indicated that it “will start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom’s withdrawal, endeavouring to adopt decisions by the end of 2020, if the applicable conditions are met” (Art 9 of the Political Declaration).

Recommendations

Whether you are based in the UK or not, despite the uncertainty surrounding Brexit and its potential impact on data protection, we recommend that companies and not-for-profit organisations continue their ongoing GDPR compliance programme. The GDPR is a very good standard for data protection and the global trend seems to follow this approach (see the recent legislation updates across the globe, e.g. in California, Brazil, etc.).

In any case, we also recommend following your Data Protection Officer’s advice and your (lead) national authority’s guidance (if any). You should also obviously keep an eye on the current negotiations and put in place contingency plans in case of a “No Deal” scenario (by considering, for example, alternative transfer mechanisms to maintain data flows).

Conclusion

Political chaos seems to be a global trend nowadays. However, companies and not-for-profit organisations require legal certainty in order to operate in an efficient manner. It remains to be seen how the EU and the UK will negotiate (or not) the new deal of the century, especially with regard to data, being the “oil of the 21st century”. On our side, we stand ready.

Nicolas HAMBLENNE
Senior Associate
[email protected]
+32 2 566 90 00

Gaëtan GOOSSENS
Associate
[email protected]
+32 2 566 90 00