17.12.2020 - Reading time 15 Minutes

Top 7 Brexit data protection to-dos

Brexit is drawing closer. Companies should take action to ensure that compliance with data protection rules is guaranteed with the end of the transitional phase.

We recommend the following 7 to-dos (explained in more detail below):

  1. “Know your transfers”: Create an overview of all data processing operations with reference to the United Kingdom
  2. Determine the specific justification mechanism (often standard data protection clauses).
  3. Analysis of the level of data protection in the third country
  4. In the absence of an equivalent level of data protection: Additional measures
  5. Regular evaluation of measures
  6. Documentation of all steps
  7. Amend privacy policies

A. What does Brexit mean in terms of data protection law?

The agreement for the United Kingdom’s withdrawal from the European Union provides for a transition period until 31 December 2020. After the end of this transition period, the United Kingdom becomes a third country in terms of data protection law. Data transfers to third countries are only permitted under Art. 44 et seq. GDPR, data transfers to third countries are only permitted under certain additional conditions. It depends in particular on whether an adequate level of data protection is guaranteed in the third country.

The EU Commission may for example determine by providing a resolution on adequacy that an adequate level of protection exists in the third country. This has so far been done for Japan, Israel, partially for Canada and some other countries. The EU Commission is currently evaluating the level of data protection in the UK and whether an adequacy resolution can be issued. At this stage, however, it is not possible to make any clear predictions as to whether and when an adequacy resolution is to be issued for the United Kingdom. There are indicators, however, that speak against a short-term adequacy resolution in any case. For example, there is extensive data sharing between the US and the UK as part of the Five Eyes intelligence alliance. A decision of the ECJ (ruling dated 6.10.2020, C 623/17) also raises doubts about the level of data protection in the UK. The ECJ has ruled that the unwarranted storage and sharing of connection data for preventive purposes, as required by UK surveillance laws, is unlawful.

In the absence of an adequacy decision, alternative safeguards to guarantee an adequate level of data protection need to be applied. Suitable safeguards include primarily the use of standard data protection clauses as well as Binding Corporate Rules, approved codes of conduct and approved certification mechanisms and individually negotiated contractual clauses. We assume that in most cases standard data protection clauses are eligible as a justification instrument. Please note, however, that in certain cases, such as transfers to a dependent branch in the UK, standard data protection clauses cannot be stipulated.

B. Are standard data protection clauses sufficient?

The ECJ has already established in its Schrems II ruling that standard data protection clauses are generally not sufficient to ensure an adequate level of data protection due to the considerable access powers of security authorities without further safeguards. It is not inconceivable that this applies to a similar extent to the United Kingdom.

C. 7 To-Dos

We recommend seven concrete to-dos to check whether and to what extent you need to take action. Regardless of Brexit, undertake the audit steps as a matter of course for all third-country processing operations. This is a consequence of the Schrems 2 case law.

The to dos are as follows:

  1. Know your transfers”: Create an overview of all data processing operations with reference to the United Kingdom
    We urge you to gain an overview of the relevant processing operations of personal data with reference to the United Kingdom.
  2. Determine the specific justification mechanism:
    The specific justification mechanism needs then to be defined. In many cases, the use of standard data protection clauses is advisable here.
  3. Analysis of the level of data protection in the third country
    We would be glad to support you in analysing the level of data protection. We are already experienced in assessing the level of data protection in non-EU countries. Nonetheless, cooperative interaction with the contracting partner in the United Kingdom is essential. Essential aspects to be included, inter alia, in the context of examining the level of data protection:
    1. Existence of official powers of access
    2. Extent of official powers of access
    3. Extent of data transmission
    4. Sensitivity and categories of personal data in the third country
    5. Existing technical, contractual and organisational security measures
  4. In the absence of an equivalent level of data protection: Additional measures
    Should no equivalent level of data protection be established, then further contractual, technical and/or organisational measures are required. To this end, the European Data Protection Board recently published a draft of comprehensive recommendations (<u>https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_de</u><u>).</u>
    Complementary measures may include the inclusion of additional contractual terms and conditions, such as restricting the recipient’s access rights in the UK. One possible technical measure is the implementation of end-to-end encryption.
  5. Regular evaluation of measures
    The measures are to be regularly evaluated.
  6. Documentation of all steps
    All steps are to be documented.
  7. Amend privacy policies
    If you have not already done so, we would ask you to amend your privacy policy (both for the website and for employees) to include the relevant references to third countries, i.e. specifically with reference to data processing in the United Kingdom.

D. How can EU companies avoid excessive costs?

At this point in time, the legal situation has not yet been clarified in many respects. In contrast to the USA with Schrems 2, there is no ECJ ruling that makes comparably detailed and critical statements on the level of data protection in the UK. Of course, this also means that EU companies have more leeway in their argumentation. Potential data protection risks are significantly reduced by following the audit steps described above. However, do not underestimate the amount of time involved. The aforementioned proposed solution would involve committing significant resources, both for EU companies and for their internal or external advisors.

We would therefore like to provide you with other possible solutions that involve significantly less effort, but probably also entail somewhat higher data protection risks. Excluding all data protection risks related to Brexit would require stopping all UK-related data processing. Naturally, we do not consider this to be a pragmatic approach.

Alternative 1: Focus on concluding standard data protection clauses

As an alternative pragmatic approach, we suggest that you at least conclude standard data protection clauses with your UK contractual partners without the further audit steps. This option would save a lot of time. However, should a data protection supervisory authority undertake an audit and determine that an adequate level of data protection is not given for the relevant data processing in the UK, we anticipate a risk of regulatory sanctions despite concluding the standard data protection clauses. Of course, it is entirely questionable whether authorities would actually initiate investigations on their own initiative in the first few months after the end of the transitional phase.

Alternative 2: Waiting for an adequacy resolution

You could also wait and speculate that an adequacy resolution is likely in the near future. However, this approach would result in even greater data protection risks. Without an adequacy resolution or conclusion of standard data protection clauses, the corresponding processing operations are clearly unlawful due to the lack of a justification mechanism within the meaning of Art. 44 et seq. GDPR, the corresponding processing operations clearly qualify as being unlawful. Should an authority become aware of this, then this would possibly result in sanctions.

Do you have questions about the trials and tribulations of Brexit? We would be pleased to assist you!

secjur GmbH is a modern and fast-growing legal tech company. Our four locations in Regensburg, Düsseldorf, Berlin and Hamburg have teams of lawyers, business economists and IT specialists working on holistic solutions for data protection and data security.

Arrange a free initial meeting