Greetings from Brussels!
It has been quite the week for privacy pros the world over with the handing down of the CJEU "Schrems II" ruling. And despite the volume of debate on the subject, it remains an unfinished story as we wait for clarity and guidance from the regulatory community on the future of international data transfers.
That aside, I came across a poignant update emanating from the EDPB this week on BCRs in the context of Brexit. You may recall early June I wrote a piece on the return to the vogue of BCRs. This latest information note adopted by the EDPB on Wednesday spells out the urgency of actions to be taken by the supervisory authorities, holders of approved BCRs and organizations that have BCRs pending with the ICO to ensure that the mechanisms in question can still be used as a valid transfer tool come the end of the transition period of 31 Dec.
As the UK ICO will no longer qualify as a competent authority under the GDPR following the Brexit transition, the BCR approvals awarded by the UK ICO under the GDPR will effectively no longer have legal standing in EEA jurisdictions. In addition, the content of the BCRs in question may need to be amended as they generally contain references to the U.K. legal regime. This also applies to BCRs already approved under the directive pre-GDPR. That is to say, any connection to the legal framework of the U.K., such as the corporate entity designated, the competent courts or the competent supervisory authority, needs to be replaced by equivalent roles for corporate entities and competent authorities in accordance with EU law.
The note goes further to say that BCR holders that have the ICO as their BCR "lead supervisory authority" need to put in place all organizational arrangements to identify a new BCR lead authority in the EEA. Furthermore, the change of BCR lead will have to take place before the end of the transition period.
It is also worth the reminder that the European Commission published its own stakeholders' notice 6 July regarding the withdrawal of the U.K. and the EU rules in the field of data protection. The applicable BCR rules and circumstances are clearly addressed. Moreover, in the European Commission communication “Getting ready for changes,” the commission states while it will use its "best endeavours" to assess the U.K. from an adequacy perspective the advice is clear: Businesses and state public administrations should take the necessary steps to ensure the compliance of any personal data transfers to the U.K. with Union data protection law, irrespective of the scenario whereby an EU adequacy decision will be taken with regard to the U.K.
There is also a useful checklist of criteria in annex to the EDPB information note designed to facilitate the change process of lead authority resulting from Brexit, with the mention that all EEA applicable law mentions for both controller and processor BCRs need amending. This is certainly worth a gander as applicable to organizations.
Suffice to say there is a lot going on in the field at the moment, with regulatory developments bearing a substantial impact on global data flows. Pandemic aside, 2020 looks to be turning into a busy year for privacy pros as they figure out the next steps. In practice, the politics of global data continues to create new challenges for organizations and regulators alike: We are not out of the woods yet.