The coming Brexit confronts entrepreneurs and practitioners alike with difficult data protection questions. This article focuses on the measures cross-border companies need to take to remain compliant with the GDPR after Brexit: what action is required and what companies need to watch out for.
An orderly Brexit on the basis of the Withdrawal Agreement negotiated between the UK Government and the EU would mean that the GDPR continues to apply in the UK during a transition period after withdrawal (originally intended to last until the end of 2020). In that case there is no need for action under data protection law, at least for the time being. Only a disorderly hard Brexit, i.e. withdrawal without an agreement, is therefore discussed below.
Transfer of personal data
The GDPR distinguishes fundamentally between data transfers to another controller (the "responsible party") on the one hand and transfers to a processor on the other. Either kind of transfer is only permitted under certain conditions. If the receiving controller or processor is located in a third country, i.e. outside the EU/EEA, the transferring party must additionally ensure an adequate level of data protection.
This results in a two-stage admissibility check for data transfers to third countries:
- At the first stage, the lawfulness of the transfer to the recipient is examined. A transfer to another controller requires a legal basis under Article 6 GDPR (or Article 9 GDPR for special categories of data). The GDPR contains no "group privilege" that would generally justify intra-group data transfers; a transfer to a group company is a transfer to a separate controller like any other. If, on the other hand, data are transferred to a processor, no separate legal basis is needed; what is required is a data processing agreement under Article 28 GDPR, since the processor acts only on the controller's documented instructions.
- For transfers to controllers or processors in a third country, the second stage examines whether an adequate level of data protection is guaranteed. No such examination applies to transfers within the EU/EEA: the GDPR provides the same level of protection in all Member States, so it is irrelevant whether the data concerned were collected in Austria or in another Member State.
Extraterritorial scope of GDPR application
A peculiarity of the GDPR that has attracted little attention within the EU is that it also applies to the processing of personal data of data subjects who are in the EU by companies established in third countries, where those companies offer goods or services to such data subjects in the EU (Article 3(2)(a) GDPR). For this reason numerous US companies, in particular the major players in the digital economy, have suddenly begun complying with a GDPR largely unknown to their US customers, to the astonishment of US consumers. In the same way, after a hard Brexit Article 3(2)(a) GDPR will apply to companies in the UK that offer their products and services in the EU and process the personal data of persons in the EU for this purpose; such companies must also designate a representative in the EU under Article 27 GDPR unless one of the exemptions in that provision applies.
What are the data protection consequences of a hard Brexit for data transfers to the United Kingdom?
After a hard Brexit, the UK will be a third country within the meaning of the GDPR. For data transfers from the EU to third countries, irrespective of the legal basis or the data processing agreement, an adequate level of data protection in the third country must be ensured as described above. The GDPR provides the following instruments for this (Articles 45 and 46 GDPR):
- The EU Commission may adopt an adequacy decision for the third country (Article 45 GDPR). Such decisions currently exist only for Andorra, Argentina, Canada (limited to commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay, as well as for the United States, limited to companies certified under the EU-US Privacy Shield. An adequacy decision for Japan has also been in force since 23 January 2019. No adequacy decision for the UK will be in place on the day of a hard Brexit.
- For groups of undertakings, binding corporate rules (Article 47 GDPR) offer an alternative, but only for transfers within the group. They must first be approved by the competent lead supervisory authority, which involves the consistency mechanism of Article 63 GDPR, i.e. an opinion of the European Data Protection Board in which the other supervisory authorities concerned participate. The approval procedure is lengthy and is therefore no short-term solution for a hard Brexit.
- EU standard data protection clauses (standard contractual clauses, SCCs, Article 46(2)(c) GDPR): where no adequacy decision exists, the standard clauses adopted by the EU Commission are the simplest way of providing appropriate safeguards for transfers to third countries. Unlike under the former DSG 2000, approval by the data protection authority is no longer required; the clauses must, however, be adopted unchanged. The standard clauses are currently under challenge: their validity is before the European Court of Justice (ECJ), which could annul them as it annulled the Safe Harbour decision, the predecessor of the Privacy Shield.
- Standard data protection clauses adopted by a supervisory authority (Article 46(2)(d) GDPR): these must be adopted by the national supervisory authority and approved by the EU Commission.
In practice, the EU standard data protection clauses are agreed most often, particularly because this ready-made set of agreements involves the least administrative effort, at least from the sender's point of view. Whether and, if so, when the ECJ will set the standard clauses aside is difficult to predict. As a precaution, companies should prepare a fallback strategy now, for example by identifying which transfers could be covered by binding corporate rules or by one of the derogations in Article 49 GDPR, and which would have to be stopped or relocated.
Article 49 GDPR provides for certain derogations that allow transfers to a third country without an adequacy decision or appropriate safeguards in specific situations (for example on the basis of the data subject's explicit consent or where the transfer is necessary for the performance of a contract), but they are narrowly construed and there is no space to discuss them here.
The special problem posed by a branch office
An Austrian subsidiary of a UK parent company, i.e. a separate legal entity, is not directly affected by Brexit: the subsidiary is itself the controller for the data processing it carries out. If, however, the subsidiary transfers personal data to its parent company in the UK, the principles set out above apply; the transferring controller must ensure an adequate level of data protection. The same applies, of course, to a transfer from a parent company in Austria to a subsidiary in the UK.
What is often overlooked in practice, however, is that dependent branches (i.e. business locations without legal personality) of companies established in the UK are not controllers in their own right. All data processing carried out by such a branch is attributable to the company to which it belongs. After a hard Brexit, the UK company therefore remains the controller within the meaning of the GDPR for the data processing carried out in its dependent Austrian branch.
The GDPR nevertheless applies to the data collection and processing carried out in the context of the Austrian branch, since the branch is an establishment in the EU (Article 3(1) GDPR); there is no need to rely on the GDPR's extraterritorial scope. The UK company must therefore, among other things, keep a record of processing activities for its dependent branch (Article 30 GDPR).
In the case of a hard Brexit, what data transfers to the United Kingdom must be considered and what measures should be taken by 31 October in any event?
- Identify and verify the processing activities concerned. Against this background, the first step for internationally operating companies ahead of a hard Brexit is to identify all transfer processes from the EU to the UK that involve personal data, and then to prepare the corresponding information letters or e-mails (see below) so that they can be sent at short notice if a hard Brexit occurs.
In the course of such adaptation measures, it is often worthwhile to subject the affected data processing and data transfers to a general compliance audit at the same time, since in the authors' experience there is still room for improvement at many companies.
Particular attention should be paid to sensitive categories: employee data, customer data and health data, but also tracking information.
- Provide appropriate safeguards for an adequate level of data protection for transfers to the UK. This includes concluding EU standard data protection clauses with existing processors in the UK and, for transfers to UK controllers such as group companies, the controller-to-controller set of standard clauses. An existing data processing agreement under Article 28 GDPR with a UK processor is not sufficient on its own, since it does not address the transfer to a third country.
- Prepare for information duties. Article 13 GDPR regulates the information the controller must provide at the time the personal data are collected. For example, the controller must state the purposes and the legal basis of the processing, the storage period and the various rights of the data subject.
In addition to the recipients or categories of recipients of the personal data, information must also be provided on any intention to transfer the data to a third country. In the literature it is widely held that the specific third country must be named explicitly. For transfers to third countries, the data subject must also be informed of the existence or absence of an adequacy decision and, where appropriate safeguards such as the EU standard data protection clauses are used, of where a copy of them can be obtained (Article 13(1)(f) GDPR).
It is also widely held, in apparent contradiction to the wording of the provision, that the data subject must be notified of subsequent changes to this information. This is of considerable importance for data transfers to the UK after a hard Brexit, as data subjects will then have to be informed that their data are being transferred to a third country, the UK, and on what basis.
- Complete the record of processing activities (Article 30 GDPR). Transfers to third countries must be marked as such, including the identification of the third country and the other information required by Article 30(1)(e) GDPR. The privacy notice must also be updated accordingly.
- Carry out or update a data protection impact assessment (Article 35 GDPR) where necessary.