The European Commission published a Notice to Stakeholders on 9th January on the potential implications of Brexit for EU Data Protection law. This is the first time the EU has made a statement on the adequacy decision and what the alternatives might be for the UK. Stewart Room, data protection lead partner at PwC, reassures UK organisations that even if that adequacy decision isn’t given, there are plenty of other opportunities open to them, commenting:
“The Notice published yesterday by the European Commission confirms that after Brexit the UK will become a "third country" for the purposes of EU law, which will potentially impact personal data exports from the EU to the UK. It also confirms that, as a third country, the UK’s "adequacy" for EU Data Protection law purposes is a matter for decision by the European Commission, rather than a status that occurs automatically.
“However, it does provide considerable comfort around the fact that data exports need not be unnecessarily interrupted if an adequacy decision isn’t granted, because the law contains a series of other mechanisms for organisations to rely upon, to keep data flowing. These other options may not be as frictionless as an adequacy decision, but many organisations in the UK will be very familiar with how they work, because they use them already to transfer personal data from the UK to other third countries. These include: consent, contractual necessity, using European model clauses or Binding Corporate Rules.
“The Commission's Notice also stresses that the General Data Protection Regulation (GDPR) has been designed to reduce the legal and administrative burden of using these other mechanisms, which UK data importers and exporters alike will welcome.
“While an adequacy decision is not an automatic right, the UK government has already confirmed that they will seek one and there are substantial reasons to be optimistic that a positive outcome will be achieved. This is because the totality of the data protection legal framework needs to be considered by the decision-takers in the UK, and in this sense the UK already exceeds the quality of data protection in some areas, in comparison with other EU Member States. Key considerations in the UK's favour include:
At the date of Brexit, the UK's legislative framework will be on a par with Europe's, because the GDPR will be in effect and because the UK is committed to continue the GDPR's principles after Brexit, by way of the Data Protection Bill that is currently progressing through Parliament;
The UK has one of the world's best resourced and most influential national Data Protection regulators in the Information Commissioner's Office (ICO). The volume of the ICO's activities over the past ten years, in both the advisory and enforcement fields, far surpasses those of many other EU regulators;
There is already a healthy data protection litigation culture in the UK, which the courts have supported in a series of landmark cases, demonstrating that the judicial system provides effective recourse to those who feel that their rights have been infringed;
The wider sectoral and professional rules on data protection and in related areas, such as cyber security, knit together to provide another comprehensive layer of protection for fundamental rights and freedoms.
“So, on a compare-and-contrast basis, the UK appears to be perform as well as, or better than, other EU Member States. The UK also compares favourably with third countries that have already obtained adequacy decisions, such as Canada and the United States (which has a de facto, bespoke adequacy decision in its favour, within the Privacy Shield).
“There are areas of complexity, such as national security, but in an operational sense the differences between the UK and the rest of Europe may not be as great as perceived. It’s important to remember that the GDPR excluded the activities of the intelligence services from regulation, whereas the UK Data Protection Bill brings them into scope. However, if this area remains contentious, it will be open to the European Commission to make a partial adequacy decision in the UK's favour, to cover all other areas and commercial and social activities in particular.
“For multinational companies and well resourced organisations, the absence of an adequacy decision should not present any insurmountable barriers to continued international data flows and in comparison to the adjustments that they have to make to bring the GDPR into effect, the additional administrative burdens involved may be relatively small. SMEs, not-for-profits and smaller public authorities may require more support to adjust to a world without an adequacy decision in the UK's favour, but the publication of free guidance and template documentation by the regulator, professional and membership organisations and the data protection community itself will go a long way towards mitigating their challenges.
“All organisations should consider their strategy for ensuring that international data flows can continue, whether the adequacy decision is granted or not. It’s important to understand the extent to which data is transferred around the world, and how that may be impacted by Brexit changes.”
Notes for editors:
For further information about Brexit, the GDPR, the Data Protection Bill and PwC's services please contact Felicity Main via the details below to speak to Stewart Room, data protection lead partner.
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.
PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. © 2016 PwC. All rights reserved