No-deal Brexit – what you should prepare for
The deadline for the EU and the UK to agree on the rules for their new relationship is fast approaching, and it appears more likely than ever that the no-deal scenario will be realized. When the transition period ends on 31 December 2020 the UK will, in the no-deal scenario, automatically be left out of the EU's main trading arrangements. Further, the UK will be considered a third country under the GDPR, and all transfers of personal data to the UK must be completed on the basis of transfer tools as listed and envisioned in Chapter V GDPR.
By Johanne Førde
However, in light of the European Court of Justice’s ("ECJ") ruling in Schrems II (C-311/18) and the European Data Protection Board’s ("EDPB") adoption of its new recommendations on 10 November 2020, implementing transfer tools as listed in Chapter V GDPR may not be enough for transferring data. According to the ECJ’s ruling and the EDPB’s recommendations, an assessment of whether the overall level of protection of the right to privacy is essentially equivalent to the EU level of protection must be made for every third country to which personal data is transferred or from which it is accessed. Depending on the outcome of such an assessment, it may be required to implement contractual, technical or organizational measures to supplement the specific transfer tool in order to ensure compliance with the EU level of protection of personal data.
The EDPB's guidelines set out that both controllers and processors are responsible for ensuring legal transfers and an essentially equivalent privacy level in the receiving country. Further, the EDPB provides a roadmap of the steps to take in order to find out if you (the data exporter) need to put in place supplementary measures to be able to legally transfer data outside the EEA, which, in short, are:
- Ensure that you are fully aware of your transfers (mapping your transfers).
- Identify the transfer tools you are relying on amongst those Chapter V GDPR lists and envisages.
- Assess whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.
- Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence.
- Take any formal procedural steps the adoption of your supplementary measure may require depending on the Article 46 GDPR transfer tool you are relying on.
- Re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to third countries, and monitor whether there have been or will be any developments that may affect it.
When preparing for Brexit, you should complete the steps of the above-mentioned roadmap, in order to determine if you need to put in place any supplementary measures to be able to legally transfer data to the UK when the transition period ends. In particular, we recommend starting the process of mapping all categories of personal data being transferred to or accessed from the UK, and identifying which transfer tool will be relevant to utilize for transfers to the UK as of 1 January 2021. Such preparations are relevant for all transfers, including intra-group transfers of personal data.
If the specific assessment finds that the chosen transfer tool is not effective in ensuring that, overall, the transferred personal data will have the benefit of an essentially equivalent level of protection, supplementary measures must be adopted. One must identify on a case-by-case basis which supplementary measures could be effective for a set of transfers to a specific third country when using a specific transfer tool. The EDPB provides examples of such measures and lists five use cases in which it finds it possible to implement technical measures that can lead to adequate protection and therefore qualify as adequate supplementary measures, as well as two other use cases in which it does not find any adequate additional technical measures. In particular, we would like to highlight that the EDPB mentions that pseudonymization may be an adequate technical measure if the key to identify the data subjects is under the data exporter's control. This may be practical for many companies.
If relevant measures are not taken, whether because it is not possible or because one does not prioritize it, the company either cannot commence transfers or will even have to stop ongoing transfers. As there is no solution that fits all, we recommend that all companies transferring personal data to the UK prepare for a no-deal scenario. Transfers that do not comply are illegal, and such transfers may be stopped by the Data Protection Agency, with all the contractual implications that may have.