As we all continue to try to grapple with the implications of a no-deal Brexit, the last week or two has seen the publication of a few things of interest from a data protection perspective:
The EDPB’s view of data transfers in a no-deal Brexit scenario
On 12 February 2019, the European Data Protection Board (the “EDPB“) published a general information note on data transfers under the GDPR in the event of a no-deal Brexit (available here). In summary, the information note provides that organisations must comply with the GDPR when transferring personal data from the EU to the UK, which will become a “third country” for GDPR purposes (from 00.00 am CET on 30 March 2019). No new or additional safeguards are contemplated by the EDPB which effectively means that organisations must choose between:
- Standard contractual clauses (which the EDPB acknowledges are “ready to use”);
- Binding corporate rules;
- Codes of conduct or certification mechanisms (although none are yet approved/available under the GDPR); or
- Derogations such as individual explicit consent (although the EDPB emphasises that the derogations must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive).
For further information regarding the potential impact of a no-deal Brexit on data transfers, including an analysis of worked examples, please see our previous blog post available here.
On 23 November 2018, the European Data Protection Board (the “EDPB“) published its draft guidelines on Article 3 of the GDPR, being the provision that sets out the territorial scope of Europe’s data protection legislation.
The guidelines are only in draft form and subject to consultation but they do go some way to clarifying key questions regarding the application of the GDPR. That being said, they do not cover every possible permutation of Article 3, meaning that there remain gaps where organisations will need to exercise judgment without any comfort that their interpretation will align with that of the regulators. In particular, there would seem to still be question marks around the application of Article 3(2)(a) and what actually constitutes the offering of goods and services to individuals in the EU. Continue reading
Following a UK Cabinet meeting on 14 November 2018, the UK Government has announced support for the text of a draft Withdrawal Agreement and an outline of the Political Declaration on the Future Relationship agreed with EU negotiators. The Withdrawal Agreement sets out the arrangements for the UK’s withdrawal from the EU on 29 March 2019 and includes a transition period through to 31 December 2020, during which EU law will continue to apply in and to the UK (the “Transition Period”). Data protection features in both the draft Withdrawal Agreement and the outline Political Declaration, reflecting the significance of the data protection rules to both the EU and the UK.