
Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, 12 January 2018



Greetings from Brussels!

This week the Directorate-General for Justice and Consumers of the European Commission issued a "Notice to Stakeholders" regarding the withdrawal of the United Kingdom from the EU and its impact on EU rules in the field of data protection. This is the first statement of its kind in relation to a post-Brexit environment regarding an adequacy decision and what the alternatives might be for the U.K.

I hear you asking, "What is a 'Notice to Stakeholders'?" These are not commonplace in European Commission communications. However, one should not be overly concerned. They are, as the term suggests, a communication to any parties that may be interested. Furthermore, there have now been a few similar notices issued in recent times by the Commission in relation to the impact of Brexit on company law, EU trademarks and community designs, and the transport sector. As the data protection notice mentions, the content is targeted largely at "private parties in (all) the Member States," not EU and national administrations per se, who should be well advanced in their preparations ahead of Brexit. On the other hand, private parties may be less advanced, particularly in the SME sectors, in which case the notice serves as a reminder to be prepared for the U.K. withdrawal and the possible legal repercussions on data flows. Once Brexit comes into effect, the free flow of personal data from the EU to the U.K. — and vice versa — will probably be done differently than we know it today.

Eduardo Ustaran, partner and European head of data protection at law firm Hogan Lovells and based in London, said it was a statement of political significance. I agree. He’s not wrong there. Ironically, there has been sufficient — if not exhaustive — coverage of what Brexit might mean for data flows and transfers once it happens. As Ustaran suggests, the notice in some respects serves as a stark reminder to the U.K. government and businesses of the obvious consequences of not reaching a Brexit deal covering data protection and preserving the status quo.

The notice reiterates that, subject to any transitional arrangement that may be contained in a possible withdrawal agreement, as of the withdrawal date — 30 March 2019 — the EU rules for transfer of personal data to third countries apply; in effect, the U.K. becomes a "third country." With the ongoing uncertainty surrounding the Brexit talks, this is not an easy time for businesses either in the U.K. or in the rest of the EU. There will be major implications for many businesses within the EU using U.K.-based companies to process data should this issue not be addressed appropriately between now and when the U.K. leaves the EU. Think of all the controller entities with large supply chains and distribution channels cross-border between the EU and the U.K. As I reported back in September last year, according to the CBI, the U.K., as a global leader in cross-border data flows, accounts for 11.5 percent of all data transferred globally, of which three-quarters is with the EU. This is not insignificant. The knock-on effects of not achieving data flow adequacy will also invariably impact the EU-U.S. Privacy Shield data-sharing framework.

In the absence of a favorable withdrawal agreement, or an adequacy decision, all is not lost in that data flows can continue under an array of alternative mechanisms, including consent, contractual necessity, using EU model clauses, or binding corporate rules. Stewart Room, data protection lead partner at PwC, stated recently in a company press release that the U.K. has several substantial reasons to be optimistic that a positive outcome will be achieved in the absence of an "automatic" adequacy decision. He cites the U.K.'s legislative framework being on a par with Europe, as the GDPR will already be in effect and because the U.K. is committed to continue the GDPR's principles after Brexit. Moreover, Room cites the strong track record of the ICO in regulatory enforcement, as well as the healthy data protection litigation culture in the U.K., supported by the courts, which in turn favors effective recourse to those who feel that their rights have been infringed.

The U.K. government has already stated it will seek adequacy, and therefore there is a decision for the European Commission to make. It is in the interest of many, even beyond the borders of the EU and U.K., that a favorable outcome comes to pass. 

