EU Wide Personal Data Rules
The basic rules relevant to handling other people's personal information, e-commerce and email marketing are EU-wide rules at present. In most post-Brexit scenarios, the EU and UK rules are likely to remain broadly similar.
The UK would be free to revise these rules. Common sense would say that the UK would wish to leave most or all of the rules as they are after Brexit. However, there is nothing inevitable and much depends on political circumstances.
The principles and rules in the GDPR in relation to personal data now apply directly in both Ireland and the UK. The GDPR is a directly applicable EU regulation so that the exact same law applies throughout the EU.
Moving Data
Personal data may not be transferred out of the EU (and, correspondingly, from the UK perspective, out of the UK) unless the country to which the transfer is made provides adequate protection for the privacy of data subjects and for data processing, or one of the conditions set out in the GDPR (and its UK equivalent) is complied with. These conditions must cover every transfer of personal data from one jurisdiction to the other, and the safeguards relied on must ensure a level of protection equivalent to that of the GDPR. The Data Protection Commission in Ireland and the Information Commissioner in the UK have the power to prohibit the transfer of data.
The EU maintains an approved list of countries that satisfy this requirement. Inclusion involves the EU making an adequacy decision in relation to the data protection legislation of that country. While it would be reasonable to assume that the EU would approve the UK for this purpose, particularly since the UK has the same laws, the EU has not done so in its hard Brexit contingency planning publications. Rather, it has advised using one of the alternative measures mentioned below.
Accordingly, in the event of a hard Brexit in the near future, and unless the EU changes its approach, the contractual requirements below will apply. The EU has published model contracts by which a recipient of data agrees to comply with EU minimum standards. The person transferring the data (the data exporter) must ensure that the transfer takes place in accordance with the contract. The data importer must submit its data protection facilities for audit by the data exporter or by the supervisory authorities.
If there is a breach of the requirements, the persons affected can recover compensation from the importer and exporter, who are liable jointly, unless they can prove that neither of them is responsible. The data subject is a third-party beneficiary of the agreement, which means that the data subject (the person to whom the data relates) can take legal action directly against the importer in the other country.
The controller must satisfy itself that the processor has adequate technical and organisational measures in place to protect the data. The data controller remains liable for a breach regardless of which party is at fault. The upshot is that, under EU law and UK law respectively, movements of personal data in and out of the UK need to be covered in this way in both directions.
Compliance Options for Cross Border Data Movements
One would expect that the EU Commission will either approve the UK rules as adequate or that data protection will be the subject of specific provisions in a long-term trade agreement. There are provisions for ongoing review. In the absence of a general determination by the EU Commission that the third country concerned is adequate, a controller or processor may transfer personal data to that country only if appropriate safeguards are in place. Enforceable data subject rights and effective legal remedies for the persons concerned must be available.
The safeguarding may be provided by
- a legally binding instrument between the bodies concerned
- binding corporate rules
- standard data protection clauses
- an approved code of conduct which is binding and enforceable with the appropriate safeguards
In the absence of both an adequacy decision in relation to the country concerned and appropriate safeguards (including binding corporate rules), the transfer of personal data to a third country may take place only where the data subject has given explicit consent, or in certain other narrow circumstances of necessity. There are a number of other limited exceptions.
Standard contractual clauses are likely to be the most relevant option in practice. They are a standard template of terms and conditions. A business may add further clauses to meet its own requirements, provided that the data subjects' rights under the standard clauses are not reduced.