Spark Legal Network Data Protection and Brexit Update

The UK government has published on its website an explanatory note outlining the possible scenarios in the field of data protection if no Brexit deal is reached.[1] Based on this note, the following document summarises the prospects presented by the UK government regarding the data protection situation after Brexit. To provide a more comprehensive overview, we also drew on other sources to supplement this information.

The government firstly makes it clear that there will be no immediate change in the data protection standards in the UK. The Data Protection Act 2018, which sets the current standards, will remain in force and together with the EU Withdrawal Act it will incorporate GDPR in the UK legal order.

Nevertheless, due to the UK leaving the EU, there will be changes regarding the ways in which personal data transfers take place between the UK and the EU. The ultimate solution has not been agreed yet but, in line with our recommendations in our recent Study concerning data protection aspects after Brexit[2], there are a few possibilities:

1. An adequacy decision

Based on Article 45 of Regulation (EU) 2016/679, the European Commission can determine whether a third country guarantees “an adequate level of data protection” compared to that of the EU. A country can provide such a level of data protection through its domestic legislation or the international commitments it has entered into. Issuing an adequacy decision for the UK would greatly facilitate the exchange of personal data between the EU and the UK, as no further safeguards would be required. The transfer of personal data would take place in the same way as intra-EU exchange.

It seems that, at least for the initial period following the UK’s withdrawal from the EU, the adequacy decision will not be an option. This is because the European Commission has not yet indicated a timetable for the assessment process and the decision on adequacy cannot be taken before the UK becomes a third country.

Additionally, as we have pointed out in our Study[3], an adequacy decision will not be sufficient for public sector personal data exchanges. A multitude of legal instruments exists beyond general data protection law that determine which countries may participate in information exchanges, and on which basis. An adequacy finding would thus need to be complemented by a broader legal basis in the form of a legal agreement that would authorise the UK and EU to continue to participate in information exchanges.

However, it seems that this would be the option preferred by the UK government. The White Paper published in July 2018 encourages an “adequacy-plus” style agreement (meaning a unique situation allowing the ICO to be a member of the European Data Protection Board and to serve as a lead supervisory authority under the GDPR, even though the UK will be a third country) between the EU and UK following Brexit.

The UK government also considers other potential solutions:

2. Standard contractual clauses

Model data protection clauses are ready-made sets of clauses prepared by the European Commission, which can be implemented between individual companies rather than at the state level (and hence can take effect the moment the UK leaves the EU, without further delay). When embedded in a contract, such clauses would also enable the free flow of personal data between EU and UK companies. The European Commission has prepared a number of sets of clauses for transfers between data controllers in the EU and data controllers / processors outside the EU, which can be included in contracts and which ensure adequate protection. The full set of rules provided by the EC has to be incorporated in the contract – the provisions may not be split or modified in any way.

3. Privacy shield

Another option discussed with regard to the EU-UK relationship in the area of data protection after Brexit is an agreement similar to the EU-U.S. Privacy Shield. The EU-U.S. Privacy Shield subjects U.S. companies to strict rules in order to protect EU citizens’ personal data. The Privacy Shield requires the U.S. to cooperate closely with European Data Protection Authorities, as well as to monitor and enforce relevant rules and safeguards, including written commitments and assurances regarding access to data by public authorities. The Privacy Shield is jointly administered by the U.S. Department of Commerce and the European Commission. On 12/06/2016, the EC declared the EU-U.S. Privacy Shield adequate to enable data transfers under EU law.

Although this scenario has been widely discussed in the media as a possible option, nothing has been decided in the negotiation process that would suggest this style of agreement will be implemented any time soon.

4. Binding Corporate Rules

Within a multinational company, an adequate mechanism to transfer personal data may also be established by incorporating Binding Corporate Rules. These are basically strict rules, approved by the Lead Supervisory Authority[4] and legally binding, enforced by the company itself, which guarantee the same level of data protection as within the EU.

The BCR need to cover all the rights and obligations included in the GDPR, for instance all the data subject’s rights need to be observed and there needs to be an efficient monitoring system in place. In case of the UK as the third country, BCR would be introduced by the offices of a given company located in the EU in order to cover its UK branches.

—————————————————————————————————————————————————————

[1] Guidance: Data protection if there is no Brexit deal; 13/09/2018; https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal#before-29-march-2019; last accessed 17/10/2018.

[2] The future EU-UK relationship: options in the field of the protection of personal data for general processing activities and for processing for law enforcement purposes; European Parliament, Policy Department for Citizens’ Rights and Constitutional Affairs Directorate General for Internal Policies of the Union, August 2018, available at http://www.europarl.europa.eu/RegData/etudes/STUD/2018/604976/IPOL_STU(2018)604976_EN.pdf, last accessed 17/10/2018.

[3] Ibidem.

[4] The Lead Supervisory Authority is the supervisory authority of the main establishment or of the single establishment of the controller or processor, as per Article 56 GDPR.

We are glad to see how our research work contributes to EU law making!

Yesterday the European Parliament adopted the Regulation on the free flow of non-personal data, which aims to remove obstacles to the free movement of non-personal data and will enter into force by the end of 2018: http://europa.eu/rapid/press-release_STATEMENT-18-6001_en.htm

Our study on data location restrictions (SMART 2015/0054), conducted in collaboration with time.lex and tech4i2, provided evidence on the scope and magnitude of legal and non-legal barriers in Member States’ practices which hinder the free flow of non-personal data within the European Union, in order to contribute to the sustainable development of a Digital Single Market. It also provided evidence about the costs of these barriers for the private and public sectors.

Publication of the study on “the future EU-UK relationship: options in the field of the protection of personal data for general processing activities and for processing for law enforcement purposes”

PwC, time.lex and Spark Legal Network have completed the study on the future EU-UK relationship: options in the field of the protection of personal data for general processing activities and for processing for law enforcement purposes. This study was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee. It examines the available mechanisms for personal data transfers between the EU and the UK after Brexit. The study shows that the existing legal mechanisms and policy measures which are presently used to support the exchange of personal data between the EU and third countries can alleviate some of the concerns surrounding Brexit, but that none of these, in isolation or collectively, would be sufficient to permit a continuation of personal data flows and cooperation in relation to data protection on the same basis as today. Please see the factsheet for more information.

Spark now certified DPO services provider

Spark Legal Network is happy to announce we are now certified to provide Data Protection Officer (DPO) services. We are now even better equipped to assist with any GDPR-related queries and able to help ensure that your company fully complies with the new EU data protection requirements. We can help draft policy notices, processor-controller agreements, personal data breach policies and other documents, as well as suggest ways to improve data security in your company and advise on Brexit-related data protection issues. For more information, please contact us at: info@sparklegalnetwork.eu

New Study – Enforcement of State aid rules and decisions by national courts

Spark Legal Network, in collaboration with the European University Institute, Ecorys and Caselex, is carrying out the study on the enforcement of State aid rules and decisions by national courts, for the European Commission (DG COMP).

The aim of the Study is to provide a comprehensive overview of the enforcement of State aid rules by national courts since 2007. The Study covers all 28 Member States and gathers information regarding the most relevant rulings adopted by national courts on State aid matters at all levels of jurisdiction, from first to last instance courts.

For further information about this project, please get in touch via email.

Publication of the Final Report of the “study to support the review of Directive 2003/98/EC on the re-use of public sector information”

Deloitte, Open Evidence, WIK Consult, time.lex, the Lisbon Council and Spark Legal Network have completed the study to support the review of Directive 2003/98/EC on the re-use of public sector information, for the European Commission (DG CONNECT). Based on the best data available, this study provides an evaluation of the implementation of the PSI Directive and of the changes introduced by the revision of the PSI Directive in 2013. It also provides an assessment of the effectiveness, efficiency, relevance, coherence and added value of the PSI Directive and builds on this to offer some policy options and perspectives for the future.

Study on the future relationship between the UK and the EU following Brexit in the field of the protection of personal data for general processing activities and for processing for law enforcement purposes

Spark Legal Network is participating in the study on the future relationship between the UK and the EU following Brexit in the field of the protection of personal data for general processing activities and for processing for law enforcement purposes (European Parliament’s LIBE Committee).

The objective of this study is to have an overview of the legal and institutional prerequisites for the continuation of exchanging and processing of personal data between the UK and the EU following Brexit and in view of a future agreement.

The study is expected to last 3 months. For further information about this project, please get in touch via email.

Study on assessing the independence and effectiveness of National Regulatory Authorities (NRAs) in the field of energy

Spark Legal Network, in collaboration with Groningen Centre of Energy Law and Trinomics BV, is carrying out the study on “Assessing the independence and effectiveness of National Regulatory Authorities (NRAs) in the field of energy”.

The general objective of the study is to assess the independence of the national regulatory authorities in the field of energy and their effectiveness in performing key identified tasks in the following 12 Member States: Austria, Bulgaria, Croatia, Czech Republic, France, Germany, Greece, Hungary, Lithuania, Romania, Slovakia and Spain. The study will analyse the implementation practice and focus on issues encountered by NRAs as regards both their independence and their effectiveness. The study will strive to identify the causes and consequences of each issue.

The study is expected to last 10 months. For further information about this project, please get in touch via email.

Study to support the review of Directive 2003/98/EC on the re-use of public sector information

Spark Legal Network, in collaboration with Deloitte, Open Evidence, WIK Consult and time.lex, has been carrying out the study to support the review of Directive 2003/98/EC on the re-use of public sector information, for the European Commission (DG CONNECT). The study involves the evaluation of the functioning of the PSI Directive based on the state of play regarding the re-use of public sector information in the 28 EU MS. It also includes an evaluation of the changes introduced by the revision of the PSI Directive in 2013 and the interplay between the PSI Directive and other relevant pieces of legislation, such as the INSPIRE Directive. Based on the results of the evaluation, the study also assesses the expected impact of a limited number of policy options, and compares the different options.

For further information about this project, please get in touch via email.

Publication of the Final Report of the study “An evaluation of the anti-doping laws and practices in the EU Member States in light of the General Data Protection Regulation”.

Tilburg University Institute for Law Technology and Society, and Spark Legal Network have completed the study “An evaluation of the anti-doping laws and practices in the EU Member States in light of the General Data Protection Regulation” for DG for Education and Culture. This study examined the relationship between anti-doping laws and practices in the EU and the European data protection framework, in particular the General Data Protection Regulation.

The research involved the conduct of legal desk research by national legal experts on the national laws regarding anti-doping and data protection in each of the 28 Member States. In addition, the study team interviewed the NADOs (National Anti-Doping Organisations) of 12 selected countries, a DPA (Data Protection Authority), WADA (World Anti-Doping Agency), EU Athletes, and one IF (International Federation).

Based on the results of the above research, the study team developed conclusions and provided recommendations regarding different possibilities to be explored in order to address the issue of the protection of personal data in the current system of anti-doping.