On Jan. 9, the European Commission's Directorate-General for Justice and Consumers published a “Notice to Stakeholders” on the intersection of Brexit and EU data protection rules. The guidance clarified, “Transfers based on approved standard data protection clauses or on binding corporate rules will not be subject to a further, specific authorisation from a supervisory authority.”
One interpretation of this statement is that BCRs currently approved by the U.K. Information Commissioner’s Office will continue to be a compliant way to transfer data out of the EU after Brexit officially takes hold. This conclusively decides part of the debate originally raised by this author in The Privacy Advisor in October on whether already-approved U.K.-based BCRs will be in legal compliance after Brexit. However, the guidance does not address how the EU will handle BCRs still pending ICO approval. Further, the guidance tangentially indicates U.K. subsidiaries will be unable to serve as a company's "main establishment" for the purposes of identifying a lead supervisory authority, i.e., the data protection authority which, among other responsibilities, oversees any BCR issues.
This is not the only formal statement recently published on this topic. In November, the ICO issued a blog post reinforcing its commitment to organizations that have U.K.-approved BCRs or are in the approval process. However, despite the U.K.'s desire to “carry on receiving and accepting BCR authorisation applications in the run up to, and beyond, GDPR taking effect," it is important to keep in mind there is still no existing EU-U.K. agreement upon which to base this continuing relationship. At the very least, the ICO’s statements require confirmation from the EU government in order to hold weight. We can now be sure that stakeholders with U.K.-approved BCRs need not worry about their BCRs falling out of data-transfer compliance post-Brexit. But, again, what about BCRs that are still pending approval with ICO? Can the ICO still be a lead supervisory authority (LSA) moving forward? Ultimately, despite the Commission and the ICO’s published statements, the following questions remain unanswered.
Is there an indication the ICO will continue approving BCRs post-Brexit?
No. While the Commission has now made clear that approved BCRs will not require further authorization, it also has made it clear that the ICO will not be able to continue approving BCRs after Brexit, absent a negotiated agreement on this point. Further, U.K. subsidiaries will not be able to serve as “main establishments” under the GDPR.
The Article 29 guidance on LSA selection under the GDPR, together with the recent notice to stakeholders, clearly indicates that the ICO will no longer meet requirements to serve as an LSA under the GDPR. Companies with multiple establishments in EU member states will be required to identify their LSAs by determining a “main establishment” within the EU. In its recent notice, the Commission confirms that on March 30, 2019, the U.K. will become a third country and expressly clarifies, “A third country is not a member of the EU.” This means that after March 30, 2019, a U.K. subsidiary can no longer serve as a “main establishment,” and the ICO will be unable to serve as an LSA for BCRs.
Even if the U.K. and EU were to reach a negotiated agreement to facilitate the continued flow of data, permitting U.K. subsidiaries to assume the role of “main establishment” (and therefore possibly permitting the ICO to assume the role of LSA to BCRs), this would have to be compliant with the GDPR, which requires a subsidiary serving as the “main establishment” to meet the following requirements:
- Have the power to make and implement EU data processing decisions;
- Assume liability for EU data processing;
- Have sufficient assets to meet any sanctions imposed.
It is hard to imagine a scenario where an establishment in a country outside the EU could fulfill these requirements. This is supported by GDPR Article 56, which states: “The supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor.” And, “The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.”
Determining a main establishment will not be as easy as a company simply selecting a subsidiary in the EU country of its choosing. The Commission's guidance states, “The GDPR does not permit ‘forum shopping.' If a company claims to have its main establishment in one Member State, but no effective and real exercise of management activity or decision making over the processing of personal data takes place there, the relevant supervisory authorities will decide which supervisory authority is the ‘lead’, using objective criteria and looking at the evidence.”
In other words, choosing a main establishment is a factual determination. A company could not simply select a subsidiary as its main establishment before it is determined that all requirements, as listed above, are met.
If a company’s only EU subsidiary is currently located in the U.K. (including U.K. companies), and they seek to obtain or maintain BCRs, they should consider establishing a subsidiary elsewhere in the EU that can fulfill all the requirements for a main establishment, as listed above.
Does ICO have the ability to process all pending BCR applications before March 30, 2019?
Not likely. There are currently about 40 BCR applications in the works with ICO, according to its blog. Currently, the ICO is LSA to only 21 BCRs, with the most recently approved BCRs dated Feb. 22, 2017. In order for the approval to pre-date Brexit, it would have to take place before March 30, 2019, according to the Commission's notice. Typically, it takes about 18 months to get approval. Back in June 2016, privacy lawyers were already saying that ICO has a “significant backlog of requests,” and “it may not be possible to get BCRs approved prior to the exit date, not least because ICO will have its hands full potentially putting in place new U.K. legislation and working out how it will interact with EU privacy regulators post exit.”
Given these considerations, companies currently waiting on ICO to process their BCR applications would be well-advised to consider alternative safeguards to allow for data transfers.
While it is confirmed that approved BCRs will not require further authorization post-Brexit, it also seems clear that the EU will not allow the ICO to serve as an LSA for those BCRs, requiring companies currently using the U.K. as their LSA to find a new one.
Of course, if an agreement is negotiated between the UK and the EU, it is possible Brexit will not impact your privacy program. However, relying on this possibility would be a Hail Mary approach. The EU has now put company stakeholders on notice that “Preparing for [Brexit] is not just a matter for EU and national authorities but also for private parties."
If your business has either approved or pending BCRs with ICO, a more prudent approach to this issue would be preparing to utilize an alternative adequacy mechanism to safeguard data transfers after March 2019. For a list of these adequacy mechanisms, see the Commission's notice.