Speed read: Part 2. The ‘transfers from EU back in to the UK’ conundrum…



The issue? In our briefing last month we explained the issue. Here’s a quick recap. Processors in the EU have to ensure lawful transfers happen between them and the UK. There is a risk an EU processor might ‘refuse’ to make transfers of personal data back to you after Brexit if we exit without a deal next month, i.e. without any transitional arrangements. If you’re a UK Controller you’d want to avoid this.

What’s new?  First, there has been commentary online (not from any privacy regulator or the EDPB) to the effect that a transfer of data from a processor to its controller cannot possibly be an Article 44 transfer, because it makes no sense.  However, there is no authority for that position.  There have been reports in the press (since our briefing last month) that in the event of a no-deal Brexit this transfer problem might potentially cripple key government services. 

Secondly, on 12 February 2019 the EDPB (European Data Protection Board) issued formal guidance on the issue of transfers under the GDPR in the event of a no deal Brexit.  

Does the EDPB’s guidance help in relation to this particular issue? No, it’s entirely silent about it. As we reported last month, the ICO’s guidance on transfers after Brexit is also silent on what to do for this particular type of transfer. This could be because they do not think it is relevant to Article 44 and so should not be an issue, but that is not clear. So, nothing formal from the regulators as yet to help banks, firms, and companies in the UK who might be struggling with suppliers based in the EU who are processors and who raise this issue of lawful transfers from the EU to the UK.

So what happens next? Although specific guidance from privacy regulators in the EU on this issue would be extremely helpful to many and is needed with some urgency, it appears unlikely to emerge in the next month. Nevertheless, we will keep our eyes peeled. We will do the same in case of follow-up guidance from the EDPB or the ICO.

What can we do between now and the end of March? Remember to consider EU controller to UK controller transfers from the EU to you in the UK. For instance, are you acting as a controller and importing into the UK data from an EU controller? There does exist a set of EU Model Clauses to use for those. Identify and deal with EU controller to UK processor arrangements. For example, these may be required within your corporate group in intra-group servicing arrangements.

The message from EU privacy regulators (and the ICO which is at the moment part of the EDPB) is clear in the EDPB’s guidance: chosen data transfer instruments for your situation should be ready and in place for 00.00am 30 March 2019 if we have a no-deal Brexit.  The ICO has produced an interactive guide which you might find helpful and in its guidance it makes this same point. 

Is the EDPB’s guidance helpful at all? Yes. It’s a useful reminder on three points. First, identify what processing activities will involve a personal data transfer to the UK, so that you can put in place the appropriate data transfer instrument (if there is one) before the end of March, i.e. EU Model Clauses.

Secondly, indicate in your internal documentation (this means your data record – Article 30 GDPR) that transfers to ‘third countries’ are made and what mechanisms you’re relying on for these.  This guidance is aimed at all of the EU.  So it’s the controllers and processors there who should be updating their records to mention EU to UK (third country) transfers and what mechanism they are using. The consequential action required in the UK is to note the import of such EU data based on the relevant transfer mechanism adopted. These steps should continue at least until there is a formal European Commission determination of adequacy for the UK (which it appears won’t happen any time soon).  Clearly if you are in the UK, your data record will be concerned with transfers from here outward to ‘third countries’ and until now this has not meant EEA countries.  Whether you are a UK processor, or UK controller, you may also want to record in your GDPR data record the fact you are exporting data to an EEA country. This is because UK treatment of the EEA countries as providing adequate safeguards is subject to review and may change – in which case appropriate safeguards would then need to be put in place.  

Thirdly, controllers should update their privacy notices to inform individuals that their personal data is transferred to third countries and what the mechanisms are for those. If you know the countries, then, if you can, you should name them. This way you can adhere to guidelines about transparency under GDPR. If you are having to comply with GDPR because you are established in the EU (not the UK), or if you are offering goods or services to data subjects in the EU or monitoring individuals’ behaviour in the EU and you are transferring the personal data of those individuals to the UK after Brexit, your privacy notice should mention the UK as a ‘third country’.

What about UK regulators other than supervisory authorities: are they interested? As we reported last month, yes, it seems so. We are still seeing other regulatory authorities here in the UK pushing this agenda. For instance, banks and other firms are being asked what they will do about this and how this fits in with their post-Brexit plans.