International Transfers of Data
Under GDPR, businesses can only share personal data across borders if they have an approved 'data transfer mechanism' for international data transfers. These are:
- Adequacy Decision. This means the country has been adjudged by the EU to have a legal framework in place that provides 'adequate' protection for individual rights and freedoms. The flow of personal data with countries with an adequacy decision is unrestricted, and this is the basis on which data currently flows between EEA countries.
Note: the EEA = EU + Norway, Liechtenstein, Iceland, not Switzerland
In addition to all EEA countries, several approved countries also have an adequacy decision, so data flow to and from those countries is unrestricted. There are currently adequacy decisions in place between the EU and Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The EU also has partial decisions in place with Japan (private sector organisations only), Canada (if data is subject to PIPEDA) and the USA (Privacy Shield only, see below).
- Appropriate Safeguards. Where a country does not have an adequacy finding, one of the EU-approved safeguards must be in place before data transfer can be permitted. These are:
  - Standard Contractual Clauses (SCC) - these are fixed contracts between data controllers and processors that must be in place before data can cross borders
  - Approved codes of conduct (CoC) - if the receiver of data has signed up to a code of conduct approved by an EU supervisory authority, the transfer can take place
  - Privacy Shield - EU companies can exchange data with US companies without restrictions, provided the US company has Privacy Shield certification
  - Binding Corporate Rules (BCR) - these are used by multinational corporations to share data between the group's EEA and non-EEA entities. All BCRs have to be approved by an appropriate supervisory authority
If the safeguards listed above are not in place, data cannot be exchanged with a country or sector that does not have an adequacy decision... unless one of several exceptions, or derogations, applies. The most common of these for the events sector are:
- the consent of the individual - for example, an individual's registration for a congress in Dubai might constitute consent for data to be shared with a hotel in Dubai, provided certain conditions are met
- the contractual obligation to the individual - using the same example as above, registration for the congress in Dubai may be construed as entering into a contract
- the vital interests of the individual - for instance, in the event of a medical emergency
International Transfer of Data
The image shows the current status of data transfer between the EEA and other countries.
- Within all EEA countries, an adequacy decision allows the free and unrestricted flow of data between countries.
- This also applies to other countries that already have an adequacy decision, such as Switzerland and Argentina. Other countries include Andorra, Guernsey and Gibraltar, Uruguay and New Zealand... but not Australia! Canada and Japan have partial adequacy decisions only (Canada: only data subject to PIPEDA; Japan: the private sector only).
- For the USA, note the free flow of information is only with companies that have gained certification under the Privacy Shield. Note also there are two versions of the Privacy Shield - for the EU (covering all EEA countries) and one for Switzerland (which is neither in the EU nor the EEA).
- For the rest of the world, the so-called 'third countries', transfers can only take place if one of the other safeguards is in place - standard contractual clauses (SCC), codes of conduct (CoC), binding corporate rules (BCR) - or one of the exceptions applies. Note that unless a US company is certified under the Privacy Shield, it needs to follow the rules of a 'third country'.
UK - EEA Transfers Now
Looking specifically at the data exchange between the UK and the EU currently, there are no restrictions, because the UK is covered by the adequacy decision that applies within the EEA.
UK - EEA Transfers after Brexit
However, when the UK leaves the EU, it will be a 'third country' to the EU and will have to apply for an adequacy decision. Until one is granted, any transfer of data from the EU to the UK will require an alternative safeguard to be permissible.
However IF the UK enters into a TRANSITION period after agreeing on a DEAL for Brexit, it is likely there will be enough time for the UK's adequacy decision to be approved by the EU so that nothing will change.
IF, however, the UK leaves the EU with NO DEAL, then any transfers from the EU to the UK will need another safeguard IMMEDIATELY. This means, for example, that an EU agency that sends rooming lists to London hotels will have to put other safeguards in place (commonly standard contractual clauses) before it can continue to send the data.
For data transfers from the UK to the EU, the UK government has already announced that it will recognise all existing adequacy decisions, so the transfer from the UK to the EU will continue unrestricted.
UK-Adequacy Country Transfers
For transfers to other approved countries outside of the EEA with an adequacy decision, transfers from the UK to those countries will continue. However, for data travelling the other way, from those countries to the UK, the UK is currently negotiating with each country on a bilateral basis.
UK - US Transfer after Brexit
The UK is currently making arrangements with the US to create a US - UK Privacy Shield agreement, which should be in place after the transition period. In the event of a NO DEAL, US companies with Privacy Shield certification need to publicly declare that their commitment to protecting personal data includes data from the UK.
Representatives after Brexit
Under the EU GDPR, any organisation based outside of the EEA which does not have a branch or office within the EEA is required to appoint a 'representative' in the country where it does most of its personal data processing. After Brexit, the UK GDPR will have a similar requirement for any international organisation processing the data of individuals within the UK.
Not only does this mean that international organisations might now need to appoint two representatives (one in the UK, one in an EEA country), it also means that businesses throughout the EEA may need to appoint a representative in the UK... and vice versa.
For example, an events agency in Paris that regularly processes the data of delegates from the UK may need to name a representative in the UK. Likewise for a UK DMC (destination management company) that provides events services to EEA agencies. The primary role of the representative is to communicate with the local supervisory authority, should there be an enquiry or a data breach.
The role of the ICO
The ICO (Information Commissioner's Office) is the data protection authority of the UK and currently sits on the European Data Protection Board (EDPB), which governs GDPR. After Brexit, it will continue to regulate data protection in the UK but will no longer be a member of the EDPB. Also, many of its rulings will become invalid. For example:
- ICO-approved BCRs will need a new EU supervisory authority to validate them
- any ad hoc contract clauses approved by the ICO will no longer be valid
- the same is true of any ICO-approved GDPR codes of conduct or certification schemes
All these will require organisations to find a new lead supervisory authority within the EU, and the concept of the 'one stop shop' will stop applying to UK businesses.
EDPB members currently operate a One-Stop-Shop system between them, which means organisations that work across EEA borders only need to deal with one lead supervisory authority. After Brexit, the ICO will be independent of other EEA supervisory authorities, which means businesses may need to deal with more than one supervisory authority. If, for example, there was a data breach at the UK branch of an international events agency, the agency could face disciplinary proceedings (and fines) from both the ICO and the appropriate EEA supervisory authority.
Another impact is that the current EU 'standard contractual clauses' may be replicated under the UK GDPR, meaning two sets of terms may be required for the two types of personal data - UK and EEA. And any existing BCR will need to be updated to reflect that the UK would be considered a 'third country' by the EEA.
Cloud Service Providers
All the principles about transferring data across borders apply equally to cloud-based systems. Along with standard business applications used by most organisations (CRM, HR, storage etc.), those managing events also use several cloud-based systems for delivery during the events lifecycle. For each of these, an understanding of where (in the world) your data is stored is an essential first step in understanding what additional steps need to be taken to ensure you can continue to use the system after Brexit.
Other Changes After Brexit
This article has focused on the transfer of data between the UK, the EU and the rest of the world, which is the area most impacted by Brexit. Other actions businesses will have to take include:
- Updating privacy notices/policies to reflect that UK and EU citizens' data are processed separately, in line with the relevant legislation
- The EU GDPR requires all businesses to keep detailed records of all processing of EU citizens' data - this may need to be replicated for UK citizens' data
- Existing and new DPIAs (data protection impact assessments) may need to be updated to reflect the transfer of data across borders
- The assigned DPO (data protection officer) will need to be aware of the processing and legislation surrounding the two GDPR regimes
- The long-awaited update to PECR, the Privacy and Electronic Communications Regulation, will not apply to the UK, which will be treated like any other third country by the EU. The UK may pursue equivalent legislation by itself
What should businesses do to prepare for Brexit? Whether there is a DEAL or NO DEAL, companies will need to act, and it is better that they understand the implications now and have a contingency plan. The news changes daily, and it's possible that the UK will leave the EU on 31st October 2019... or it may not leave on that date... or Article 50 may be revoked. Much depends on the risk appetite of the company, but an audit of all types of personal data (UK and EU), together with a mapping of the flow of this data across borders, should be the starting point.
Disclaimer: The content of the two articles is for informational purposes only. It is not intended to be legal advice, nor should it be construed as such. Please consult a data protection professional or legal adviser for guidance on your specific circumstances.
Smartec Business Solutions provides a number of GDPR services for the events sector, including data audits, outsourced DPO and representative services. For details, see https://www.smartecbs.com/