GDPR and the lookalike regional data protection regulations emerging around the world are so often presented as a simplistic acronym.
This is the first in a series of articles outlining global data compliance challenges we face. I’ll take you on a tour of GDPR through the eyes of a data protection lawyer. I’ll highlight the challenges that lie ahead to maintain compliance.
Later in the series, I will walk you through the California Consumer Privacy Act.
Translating acronyms correctly is vital, because we need to understand, not only what the letters stand for, but the meaning and application of these words.
A major issue here is that too many people hesitate to question the actual interpretation for fear of looking ignorant. Not knowing or fully understanding is not usually the sole fault of the individual, but down to a lack of vital knowledge transfer within an organization.
Companies that thoroughly planned, delivered procedures and change management processes for GDPR, they have seen only a few teething troubles.
Those that have had problems, it’s because they didn’t address the basics. Including understanding what GDPR means to the free flow of data?
Let’s pause for a moment and start with the basics. What does GDPR stand for?
A. Global Data Privacy Rules
B. General Data Protection Regulation
C. General Data Privacy Rules
D. Get Data Privacy Right
If you answered B, congratulations. You’re one step closer to understanding the GDPR. If you answered A or C, don’t tell anyone and do your research. A great starting point is here. If you answered D, you’re at least thinking the right way!
Even when spelled out, General Data Protection Regulation means little to most people. Despite being high profile, it has still failed to hammer home the importance of compliance.
There are many more regulations that must also be adhered to. Failure to do so can be equally costly to a business.
It’s less than six-months from the first anniversary of a major EU Commission ruling on data. This ruling states that data controllers and data processors must have their data in order, to comply with “the complex and changing EU data privacy landscape”.
There is also the challenge of Brexit added to the mix. We all wish that GDPR was as easy as ABC and not the added acronym meaning ‘Added Brexit Complexity’.
Anyone who involved in a GDPR readiness project and now responsible for ensuring its compliance, will know it is not a simple, stress-free task.
There is an ever-present feeling of potential data doom. Mainly due to the possibility of an element failing. This is why lawyers are so important in the compliance assurance mix.
When a non-EU country is deemed “adequate”. This non-EU country is deemed to provide an “adequate level of protection” of EU citizens’ personal data records.
Data can be transferred to a non-EU country that is deemed “adequate”, without the need for any additional administration (e.g. EU Standard Contractual Clauses).
The EU Commission holds the power to determine the adequacy or not of a country. You can check existing adequate countries here. They are based on the requirements of the EU Directive 95/46/EC. However, this Directive was defunct as of 24th of May 2018.
Any country wanting to achieve “adequacy”from now on will need to follow a long and far from straightforward process.
Japan and South Korea are close to reaching adequacy. They have however had to adapt their national legislation to align with the GDPR. This will be the case for all non-EU countries in the future.
There is still a grey area around non-EU countries that hold adequacy status under the old Directive. While they are required to update their national legislation to match the GDPR. The EU Commission has not announced anything to this effect other than updating its website stating adequacy status is according art. 45 GDPR.
This is just one example of where the EU has been inconsistent in setting and policing compliance standards.
What follows was written two days before the UK and EU signed the Withdrawal Agreement (“the Agreement”). It’s not a quick read and is likely subject to change. However, it’s essential because all we know for certain is that post-Brexit, there will be no GDPR get-out clauses. Especially for those who continue holding EU personal data.
A quick recap, the GDPR was approved in Brussels on 27 April 2016. Two months later on 23 June, UK citizens voted on whether or not the UK should remain in the EU. The result was ‘no’. There continues to be discussions as to whether a second referendum should be called. This makes it impossible for any concrete decisions to be made over data.
Whatever the outcome of the ongoing discussions, preparation work must be done. Everyone in the boardroom and beyond is looking at data privacy professionals for answers on what to do and what to expect.
The answer every smart lawyer will give is; well, it all depends. It was the same with the GDPR. Everyone wanted answers to questions the moment the GDPR was first mentioned in 2012. Would there be unlimited fines? Mandatory DPOs? Forbidden data transfers?
It was only when the GDPR was approved that it was possible to give any answers. Here are the answers: There are no unlimited fines. DPOs are only mandatory under certain circumstances and data transfers are not forbidden. Hardly clear cut!
What we do know about Brexit and GDPR (under art. 50 of the Treaty of the EU) is that after a 2-year transition period the UK will effectively cease to be a Member State of the EU.
Even with the 29 March 2019 deadline there remains a lot of “ifs and buts”. I won’t go into the details here myself because there are far smarter people than me to comment on this subject. I will though list the two potential scenarios.
A “deal” will basically create another transition period. Currently, this is set for 31 December 2020. But this could be extended by mutual agreement. During this period the EU and the UK will implement the measures agreed. The UK will no longer be a Member State of the EU. However, it will still technically be subject to EU law, but without the option to participate in its creation.
If there is no deal, i.e. the EU and UK fail to reach an agreement on the framework of their future relationship, there will be no transition phase. The UK will cease, practically and technically, to be a Member State of the EU. But, don’t panic!
If this is the scenario, the UK will implement current EU legislation into UK law. So, even though the UK is no longer part of the EU, it will still have EU law implemented within UK legislation. This ensures operations don’t hard-stop on 30 March 2019.
Scenario 1 is likely to have less impact on governments and organizations if a formal agreement is reached. So far the UK and EU have agreed on the content of the Withdrawal Agreement, but the UK government must still agree on this.
The political “hurricane” that commenced just hours after the presentation of the Agreement means the possibility of a “no deal” scenario still looms large over Europe.
The agreement is 585 pages long and details on the relationship between the UK and EU until 31 December 2020 unless mutually extended. There is no final date applied to this extension, conveniently enough.
Title VII of the Agreement covers “data and information processed or obtained before the end of the transition period. Or on the basis of this agreement” and specifically references Regulation (EU) 2016/679 (the GDPR) and Directive (EU) 2016/680ii.
The Agreement specifically states that for the “purpose of this Title Union law on the protection of personal data” means the GDPR “with the exception of Chapter VII thereof.”
Put simply, this means that it excludes the “Cooperation and Consistency” chapter of the GDPR. Making it clear, if it was not before, that the UK Information Commissioners Office (ICO) will not participate in a one-stop-shop scenario or act as a “cooperating Supervisory Authority” with other EU DPAs under the GDPR.
For EU countries that established the ICO as their “primary Supervisory Authority” (per Recital 124 GDPR), they will likely have to establish a different EU data protection authority. Unless a separate agreement on this topic is achieved. This won’t have to happen until the end of the transition period because the UK will still be subject to EU law until then.
However, The Agreement specifies that the UK must apply for an “adequacy status”. The EU will start analyzing the UK’s data protection framework and this must be concluded before the end of the transition period.
Interestingly, paragraph 82 of the “Explainer for the agreement on the withdrawal of the UK and Northern Ireland from the EU” document states that “EU law will continue to apply to the “stock” of personal data until Adequacy Decisions have been granted, after which time UK domestic rules on personal data protection will apply.”
This leads to the understanding that EU law and the GDPR will therefore continue to apply. Specifically, to the protection of EU personal data in the UK. This will be until the EU reaches an adequacy decision. The same document notes that the EU will begin this assessment “with a view of adapting the same” by the end of the implementation period.
The same understanding is underlined in article 7.1.b of the Agreement. It states that all personal data processed in the UK after the transition period “on the basis of the agreement” will be subject to EU data protection law.
Should an adequacy decision be given before the end of the transition period. EU data protection law will cease to apply and UK data protection law will apply to the processing of EU personal data.
As you can see, not all the pieces of this puzzle fit nicely together. Only after both sides sign the Agreement can we discuss the exact details. This will be far from light reading. It will be essential however, to ensure your organization remains compliant following Brexit, whichever way this pans out.
I will continue the conversation about data protection and the impact of Brexit over the next few months. These months promise to be interesting for us all. I look forward to hearing from you any thoughts that you might have on this topic.