About Us

EU law affects all our lives – personally and professionally. Throughout our societies, questions are raised with regard to the implications of EU law and policy. At the same time, there is a need for solutions to issues of a cross-border nature. Spark Legal Network has the knowledge and expertise to facilitate understanding, provide guidance and find solutions to any (cross-border) question on regulation or policy, at both national and European level.

Sparkestablished in 2011, has already demonstrated expertise in a wide range of EU projects. We are uniquely connected to legal professionals throughout Europe and our excellent network of legal experts links you to knowledge which is not restricted by borders; transcending language, distance and culture. We can tailor our services to the specific needs of our clients and, through Spark, you will gain access to accurate and up-to-date information on national and European law and policy in every possible area.

We actively promote the exchange of information, news and ideas regarding all aspects of European law and policy. We therefore invite everyone with an interest in European law and its links to policy to join our network. Comments and questions are also always welcome.

  • Consultancy

    We provide Europe-wide research and consultancy services on a range of legal and policy areas.

  • Legal Network

    Our experts are based at law firms, universities, consultancies, and organisations all over the European Union and EFTA Member States.

  • Current Projects

    At present we are working on a range of studies for the European Commission in collaboration with consortium partners.

  • Data protection / GDPR

    We are certified to provide Data Protection Officer (DPO) services, and assist customers across the EU with making and keeping their company GDPR compliant. Please contact us at info@sparklegalnetwork.eu for more information on our GDPR services.

  • Team

    Our network coordination and project management is conducted by a professional team based in London, Brussels and the Netherlands.

  • Get in touch

    Spark is always keen to hear from legal professionals looking for collaboration opportunities

Latest News

Spark Legal Network Data Protection and Brexit Update

The UK government published on its website an explanatory note outlining the possible scenarios in the field of data protection in case no Brexit deal is reached.[1] Based on this note, the following document offers a summary of the prospects presented by the UK government regarding the data protection situation after Brexit. In order to provide a more complex overview, we also used other sources to complete and add information.

The government firstly makes it clear that there will be no immediate change in the data protection standards in the UK. The Data Protection Act 2018, which sets the current standards, will remain in force and together with the EU Withdrawal Act it will incorporate GDPR in the UK legal order.

Nevertheless, due to the UK leaving the EU, there will be changes regarding the ways in which personal data transfers take place between the UK and the EU. The ultimate solution has not been agreed yet but, in line with our recommendations in our recent Study concerning data protection aspects after Brexit[2], there are a few possibilities:

1. An adequacy decision

Based on Article 45 of Regulation (EU) 2016/679, the European Commission can determine whether a third country guarantees “an adequate level of data protection” to that of the EU. A country can provide such data protection level by its domestic legislation or the international commitments it has entered into. Issuing an adequacy decision for the UK would greatly facilitate the exchange of personal data between the EU and UK as no further safeguards would be required. The transfer of personal data would take place the same way as intra-EU exchange.

It seems that at least for the initial period following the EU’s withdrawal from the EU, the adequacy decision will not be an option. This is because the European Commission has not yet indicated a timetable for the assessment process and the decision on adequacy cannot be taken before the UK becomes a third country.

Additionally, as we have pointed out in our Study[3], an adequacy decision will not be sufficient for public sector personal data exchanges. A multitude of legal instruments exists beyond general data protection law that determine which countries may participate in information exchanges, and on which basis. An adequacy finding would thus need to be complemented by a broader legal basis in the form of a legal agreement that would authorise the UK and EU to continue to participate in information exchanges.

However, it seems that this would be the option preferred by the UK government. The White Paper published in July 2018 encourages an “adequacy-plus” style agreement (meaning a unique situation allowing the ICO to be a member of the European Data Protection Board and to serve as a lead supervisory authority under the GDPR, even though the UK will be a third country) between the EU and UK following Brexit.

The UK government also considers other potential solutions:

2. Standard contractual clauses

Model data protection clauses are ready sets clauses prepared by the European Commission, which can be implemented between individual companies rather than on the state-level (and hence can take effect the moment the UK leaves the EU without further delay). Such clauses would also enable the free flow of personal data between the EU and UK companies, when embedded in a contract. The European Commission prepared a number of sets of clauses for transfers between data controllers in the EU and data controllers / processors outside the EU, which can be included in the contracts and which ensure the adequate protection. A full set of rules provided by the EC has to be incorporated in the contract – the provisions may not be split or modified in any way.

3. Privacy shield

Another option which is discussed with regard to the EU-UK relationship in the area of data protection after Brexit, is an agreement similar to the EU-U.S. data protection shield. The EU-U.S. Privacy Shield subordinates U.S. companies to strict rules in order to protect EU citizens’ personal data. The Privacy Shield requires the U.S. to cooperate closely with European Data Protection Authorities, as well as to monitor and enforce relevant rules and safeguards, including written commitments and assurance regarding access to data by public authorities. The privacy shield is jointly administered by the U.S. Department of Commerce and the European Commission. On 12/06/2016, the EC declared the EU-U.S. Privacy Shield adequate to enable data transfers under the EU law.

Although in the media this scenario has been widely discussed as a possible option, nothing has been decided in the negotiation process that would suggest this style agreement will be implemented any time soon.

4. Binding Corporate Rules

Within a multinational company, an adequate mechanism to transfer personal data may also be established by incorporating Binding Corporate Rules. These are basically strict rules, approved by the Lead Supervisory Authority[4] and legally binding, enforced by the company itself, which guarantee the same level of data protection as within the EU.

The BCR need to cover all the rights and obligations included in the GDPR, for instance all the data subject’s rights need to be observed and there needs to be an efficient monitoring system in place. In case of the UK as the third country, BCR would be introduced by the offices of a given company located in the EU in order to cover its UK branches.

—————————————————————————————————————————————————————

[1] Guidance: Data protection if there is no Brexit deal; 13/09/2018; https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal#before-29-march-2019; last accessed 17/10/2018.

[2] The future EU-UK relationship: options in the field of the protection of personal data for general processing activities and for processing for law enforcement purposes; European Parliament, Policy Department for Citizens’ Rights and Constitutional Affairs Directorate General for Internal Policies of the Union, August 2018, available at http://www.europarl.europa.eu/RegData/etudes/STUD/2018/604976/IPOL_STU(2018)604976_EN.pdf, last accessed 17/10/2018.

[3] Ibidem.

[4] Lead Supervisory is the supervisory authority of the main establishment or of the single establishment of the controller or processor, as per Article 56 GDPR.

We are glad to see how our research work contributes to EU law making!

Yesterday the European Parliament adopted the Regulation on the free flow of non-personal data, which aims to remove obstacles to the free movement of non-personal data and will enter into force by the end of 2018: http://europa.eu/rapid/press-release_STATEMENT-18-6001_en.htm

Our study on data location restrictions (SMART 2015/0054), conducted in collaboration with time.lex and tech4i2, provided evidence on the scope and magnitude of legal and non-legal barriers in Member States practices which hinder the free flow of non-personal data within the European Union in order to contribute to the sustainable development of a Digital Single Market. It provided also evidence about the costs of these barriers for private and public sector.

Publication of the study on “the future EU-UK relationship: options in the field of the protection of personal data for general processing activities and for processing for law enforcement purposes”

PwC, time.lex and Spark Legal Network have completed the study on the future EU-UK relationship: options in the field of the protection of personal data for general processing activities and for processing for law enforcement purposes. This study was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee. It examines the available mechanisms for personal data transfers between the EU and the UK after Brexit. The study shows that the existing legal mechanisms and policy measures which are presently used to support the exchange of personal data between the EU and third countries can alleviate some of the concerns surrounding Brexit, but that none of these, in isolation or collectively, would be sufficient to permit a continuation of personal data flows and cooperation in relation to data protection on the same basis as today. Please see the factsheet for more information.