We know we are going to leave the European Union (EU). That’s a given. What is unclear is whether we are going to leave the European Economic Area (EEA). It all depends on whether we leave the EU with a deal in place that allows us to remain in the EEA. If we leave with no exit agreement in place at all, we will automatically leave the EEA.
If we’re not in the EU and we’re not in the EEA we’ll be in the third category which is ‘the rest of the world’, or in GDPR terminology, we’ll be a Third Country.
EU member states can transfer data between EU/EEA countries without a lot of consideration, back and forth between the data exporter and the data importer. However, if the UK leaves the EEA it will have a significant impact on EU member states transferring personal data out to the UK.
It is possible for an EU member state to transfer personal data to a Third Country if the European Commission has reviewed the data protection governance framework or data transfer scheme of the country in question and has determined that it offers a level of protection for personal data that is equivalent to, or better than, the protection offered by the GDPR. That is called making an adequacy decision.
The list of countries that have had a favourable adequacy decision is Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
America has a partial adequacy decision. The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration to provide an acceptable mechanism for the transfer of personal data between the EU, Switzerland and the US. It was awarded a ‘partial’ adequacy decision because Privacy Shield isn’t country-wide, it is business-specific. You can transfer personal data to a business or organisation in the US if they have signed up to, and adhere to, the Privacy Shield scheme. For example, MailChimp is a US company that will be familiar to many. When you upload your mailing lists to MailChimp the data is stored on MailChimp’s servers in the US, which is a Third Country. But because MailChimp is a fully-fledged member of the Privacy Shield scheme, that’s perfectly acceptable.
So, does the UK have a framework in place that is as good as the GDPR? Yes, it is contained within the Data Protection Act 2018 (DPA18). Section 2 of DPA18 is (effectively) the GDPR in its entirety, which enshrines GDPR into British Law. In theory then, if our framework is a copy and paste of the GDPR, it must be good enough for the European Commission. Unfortunately, it can take years for an adequacy decision to be completed, and the European Commission hasn’t even started looking at our case, because currently we’re still in the EU and the EEA!
If we do leave the EEA it is unavoidable that, for an unknown duration, we are going to be a Third Country without an adequacy decision.
So how are EU member states going to be able to transfer personal data to the UK? There are four different provisions for this:
1. Standard Data Protection Clauses
2. Binding Corporate Rules
3. Codes of Conduct and Certification Mechanisms
4. Derogations
Let’s quickly trim off the ones that don’t provide long-term solutions.
Derogations are country-specific deviations from the letter of the GDPR that have been approved by the European Commission and the Supervisory Authority of the country in question, in our case the ICO. They allow a degree of flexibility in certain conditions and are a condoned and justified deviation from the usual permitted behaviour.
Unfortunately, they must be applied restrictively, and cannot become the ‘norm’ because, by definition, they are the exception to the rule. Additionally, they relate to ‘processing activities that are occasional and non-repetitive’. So, derogations are not the ideal platform on which to base regular business transfers of personal data.
One down, three to go.
The European Data Protection Board (EDPB, formerly the Article 29 Working Party) says that Codes of Conduct and Certification Mechanisms can offer appropriate safeguards for transfers of personal data to Third Countries if there are binding and enforceable commitments on the company in the Third Country. In the EDPB guidance of 12th February 2018 they say these tools are new under the GDPR and that they are “…working on guidelines in order to give more explanation on the harmonized conditions and procedures for using these tools”. And, as we have said many times, there is no certification in the UK for GDPR or DPA18 compliance. So, we don’t have a certification framework to build on.
Two down, two to go. We are left with Standard Data Protection Clauses and Binding Corporate Rules (BCRs).
Binding Corporate Rules are internal rules which define the international policy of a multinational group of companies or international organisation regarding intra-organisational cross-border transfers of personal data. That is, the transfer of personal data within a border-spanning organisation. As you can imagine, these contract-like documents must be detailed and comprehensive, and there is a standard set of information and topics which are mandatory for inclusion. Finally, your BCRs must be ratified as acceptable by your lead Supervisory Authority, that is, the equivalent of the ICO in the country where your HQ is located.
Binding Corporate Rules are a lot of work to create and implement. They can neither be put in place quickly nor cheaply, but for a multinational or large international organization they can simplify matters greatly once they are implemented.
If you are not a multinational there is a single option left: Standard Data Protection Clauses.
Both the data exporter (the EU company) and the data importer (the UK company) must agree to use a contract of Standard Data Protection Clauses approved by the European Commission. These contracts provide the additional data protection safeguards that are required in the case of a transfer of personal data to any Third Country.
Take note, you cannot modify the Standard Data Protection Clauses, and both parties must sign them. If they are not signed, they are not considered as being in place.
Standard Data Protection Clauses may be included in a wider contract and additional clauses might be added, so long as they do not contradict, directly or indirectly, the Standard Data Protection Clauses. You can’t add bits to the contract to try and override bits of the Standard Data Protection Clauses that you don’t like or that are onerous for you to follow.
The Devil is always in the detail with these types of regulations. Strictly speaking, you can modify the Standard Data Protection Clauses to take into account a specific or particular situation. Once they have been changed of course, they are no longer Standard Data Protection Clauses. They will become ad hoc Data Protection Clauses, and these must be authorised by the data exporter’s Supervisory Authority before they can be used.
The ICO have produced two templates that you can use for Standard Data Protection Clauses. One is for the rare case where the data exporter and the data importer are joint Data Controllers, and one for the more common case where one party is the Data Controller and one party is a Data Processor.
These must be completed and signed by both parties.
Remember, these are for the transfer of personal data from an EU member state to a Third Country. We will be the Third Country. The company in the EU that is transferring the data to the UK might well have their own Standard Data Protection Clauses provided by their Supervisory Authority that they may choose to use.