Brexit – and what about data protection?

Abstract

Consequences of Brexit for Data Exports from Switzerland

On March 29, 2019, the UK is set to leave the EU. This raises data protection issues. Will data exports to the UK still be permitted after the Brexit?

Key Takeaways and Need for Action

Companies whose data processing activities are exclusively governed by the Swiss Data Protection Act (DPA) may continue to export personal data to the UK following the Brexit as before, without additional protective measures having to be taken.

From the perspective of the EU General Data Protection Regulation (GDPR) however, the Brexit will – at least temporarily – result in the UK losing its status as a country with an adequate level of data protection. Companies who export personal data within the scope of the GDPR to the UK will therefore have to provide for adequate safeguards for these exports or otherwise justify them, even if they originate from Switzerland.

In either case, privacy policies and contracts relating to data exports to the UK will have to be reviewed and, where necessary, updated.

No Change for Exports under the DPA

UK Continues to Provide for an Adequate Level of Data Protection

The good news first: From the point of view of the Swiss data protection law, the Brexit will change (almost) nothing for the time being. Under the DPA, it does not matter whether or not the UK is a member of the EU or the EEA. What is relevant instead is the level of protection offered by the UK data protection law. This was considered adequate in the past and the Brexit will not result in any change to that end, regardless of whether or not the UK and the EU will reach an interim or final agreement on the Brexit. In addition, the UK has already announced that it will incorporate the GDPR into its domestic law, so that the UK would in the end have the same or a similar level of data protection as under the GDPR. The Federal Data Protection and Information Commissioner (FDPIC) confirmed in a communication dated January 22, 2019¹ that there are, from a Swiss perspective, no indications that the UK will lose its status as a country with an adequate level of data protection as a result of the Brexit.

This clarifies the essential point from the perspective of the DPA: Data exports from Switzerland to the UK will not be prohibited by Art. 6(1) DPA. As a consequence, there is no requirement to implement any of the measures or rely on the justifications of Art. 6(2) DPA. Thus, there is no need for action on this point.

Amend Contracts and Privacy Policies

Action may nevertheless be required in other areas: If contracts and privacy policies governing data exports or the processing of personal data outside of Switzerland make reference to the «EU» instead of «Europe», they will no longer cover the UK following the Brexit, regardless of whether or not the UK and the EU still reach an agreement on the Brexit. Thus, if a company promises its customers to process data only in Switzerland or in the EU, processing in the UK would no longer be permitted.

However, if a company has published its privacy statement prior to the Brexit, it will in our view be able for an interim period to argue that any reasonable reader should be aware that a reference to the EU should continue to include the UK even after the Brexit. The relevant privacy statements should nevertheless be adapted in a timely manner.

A similar argument can be made with respect to contracts that were executed prior to the Brexit and that refer to a processing of personal data in the «EU». Absent any particular circumstances, such a reference in a «pre-Brexit» agreement will usually have to be interpreted as continuing to include the UK even after the Brexit. If, however, the contract is amended, a clarification might be sensible.

Situation under the GDPR

UK Becomes a Third Country

The situation is different under the GDPR. If the UK leaves the EU without a transitional regulation or another agreement with the EU, and if the Brexit is not postponed, the UK will be considered a «third country» under the data export provisions of the GDPR as of March 30, 2019. It will then have the same status as Switzerland and other third countries (such as the USA). However, as opposed to Switzerland, the difference will be that the European Commission will not yet have issued a so-called adequacy decision for the UK. The GDPR governs data exports in a similar manner as does the DPA: As long as a country provides for an adequate level of data protection, exports to such country are permitted without there being a need for additional safeguards or justification (Art. 45 GDPR). Unlike under the DPA, however, the adequacy has to be formally recognized by the European Commission under the GDPR. For Switzerland, the European Commission rendered its adequacy decision in the year 2000. Even if there is nothing evident that might prevent such decision for the UK, it has not yet been rendered and this is not expected to happen in the weeks before the Brexit.

Safeguards for Data Exports Required

Until the European Commission has rendered its adequacy decision or until the UK and the EU reach an agreement addressing the issue at stake, additional safeguards or justification will therefore be required for GDPR-governed post-Brexit data transfers to the UK. In our experience, many companies are not yet well prepared for this.

The EU standard contractual clauses, which are regularly used in practice to govern data transfers to third countries (Art. 46 GDPR), provide for the necessary safeguards also for transfers to the UK.

In substance, they are broadly accepted by companies and do not pose particular challenges. The practical problem is, however, that many companies have not yet implemented them for transfers to the UK and preparations may not yet be well underway, even though this may take time. In order to implement the standard contractual clauses, companies must first identify all relevant data transfers to the UK and the respective counterparties, and then implement the standard contractual clauses in their agreements with the relevant counterparties where needed.

The good news is, however, that more and more international businesses can rely on existing group-wide contracts for data transfers. These contracts may facilitate the adjustments needed in view of the Brexit. For instance, companies that govern their group-internal data flows with Homburger’s Intra Group Data Transfer Agreement (IGDTA) will not have to adapt their agreement: The current and recent versions of this IGDTA will automatically implement the appropriate contractual safeguards for exports to the UK after the Brexit in the same way as this is provided for exports to third countries.

Relying on a Justification Instead?

If a company is unable or unwilling to implement contractual safeguards for data exports to the UK after the Brexit, it will be necessary to assess on a case-by-case basis whether one of the exceptions laid down in Art. 49 GDPR applies. This may be the case, for example, if the data subject’s consent has been obtained or if the transfer is required in order to fulfil a contract with the data subject. Further, data transfers for the assertion, exercise or defense of legal claims are also permissible. Thus, data transfers to the UK for the purposes of legal proceedings will continue to be permissible.

GDPR Applicable also in Switzerland?

Finally, the question arises whether the GDPR applies to data exports from Switzerland. A counterargument one could raise is that even if the GDPR were to apply to the relevant processing activity, exports of such data would not originate from the EEA, but from Switzerland and thus from a third country with its own data export rules that are recognized as adequate by the EU. However, the wording of Art. 44 GDPR and the relevant Recital 101 of the GDPR suggest to the contrary that exports from Switzerland will fall within the scope of the export rules under the GDPR if and insofar as the relevant data processing activity itself is governed by the GDPR. Thus, even data exports originating from Switzerland may fall within the scope of the data export rules of the GDPR.

Interim Conclusion

To sum up, if a Swiss company processes personal data and such processing falls within the scope of the GDPR (e.g., as a result of an offering of goods or services in the EEA or as a result of observing the behavior of individuals in the EEA), it will have to safeguard or justify its transfer of such personal data to the UK as from March 30, 2019, unless the EU and the UK reach an agreement to the contrary or the Brexit is postponed. To do so, it may either rely on the EU standard contractual clauses, implement other safeguards accepted under the GDPR or seek to justify the export on a case-by-case basis under the exceptions laid down in the GDPR. Once the European Commission has rendered an adequacy decision, such safeguards will no longer be required.

Further Measures under the GDPR

In addition to regulating any data transfers to the UK, it will have to be examined whether additional steps are required to be taken under the GDPR. Privacy policies may have to be adapted to account for the UK leaving the EU, and it may be necessary to update the records of processing activities pursuant to Art. 30 GDPR. These policies and records must state whether personal data is transferred to a third country and, if so, which protective measures are used to ensure an adequate level of data protection. The same applies to any privacy impact assessment for data processing involving data exports to the UK.

If a Swiss company has appointed a representative in the UK in accordance with Art. 27 GDPR, it will have to nominate such a representative – probably in addition – in an EEA country and update the relevant information in its privacy policy. If the British Information Commissioner’s Office (ICO) was previously the EU lead authority for a group of companies, it will need a new lead authority within the EEA, provided that the group continues to have a main establishment in the EEA. If a group of companies relies on binding corporate rules (BCR) approved by the ICO, they will remain valid. In the event of an adjustment (e.g., because of the Brexit) however, they will have to be submitted to the data protection authority of another EEA state.

Where this cannot be completed by the time of the Brexit, the affected companies will need to implement the EU standard contractual clauses to ensure appropriate safeguards for their intra-group data transfers to the UK.

Those companies who do not implement the necessary measures can be fined under the GDPR. However, we would expect that the data protection authorities in the EEA will initially not focus on prosecuting companies for not having fully prepared for the Brexit, in a similar way as they did not focus on sanctioning companies whose data exports became illegal overnight following the decision of the European Court of Justice (ECJ) on «Safe Harbor». While there were threats of action, no relevant enforcement occurred, or at least none became public. However, these cases show how important it is for an organization to have an efficient and effective data protection compliance management in place.

Footnotes

1 See https://bit.ly/2H2I8BD (visited 28 February 2019, not in English).
