GDPR and the look-alike regional data protection regulations we see emerging around the world are so often presented as a simplistic acronym. Oh how I love this softening of the mammoth tasks that lie ahead!
In this, the first in a series of articles outlining global data compliance challenges faced by us all, I will take you on a data-protection-lawyer-eye-view of GDPR and the continuing challenge that lies ahead for us to ensure compliance. Later in the series, I will walk you through the California Consumer Privacy Act.
GDPR. What does it actually mean?
Translating acronyms correctly is vital, because we need to understand not only what the letters stand for, but the meaning and application of these words in the context of the acronym. A major issue here is that too many people hesitate to ask for the actual interpretation for fear of looking ignorant.
Not knowing or fully understanding is not usually the sole fault of the individual, but down to a lack of vital knowledge transfer within an organization. Those who have rolled out GDPR and planned, informed and delivered the procedures and change management processes as required have seen little more than teething problems, if any challenges at all.
Those that have hit the buffers have done so because they didn’t address the basics, including understanding what GDPR means for the free flow of data. Let’s stop for a moment and then start with the basics.
What does GDPR stand for?
A. Global Data Privacy Rules
B. General Data Protection Regulation
C. General Data Privacy Rules
D. Get Data Privacy Right
If you answered B, congratulations. You’re one step closer to understanding the GDPR. If you answered A or C, tell no one and do your research. A great starting point is here. If you answered D, you’re at least thinking the right way!
Don’t let an acronym be the cause of your business’ failure
Even when spelled out, General Data Protection Regulation means little to most people and, despite being so high profile, has still failed to bring home the importance of compliance. There are many, many more regulations too that must be complied with, and failure to do so can be equally costly to a business.
Data protection is complicated enough without Brexit
Now, less than six months away from the first anniversary of the EU Commission ruling that data controllers and data processors must have their data in order to comply with “the complex and changing EU data privacy landscape,” we have the added potential challenge of Brexit to add into the mix. I think we all wish that GDPR was as easy as ABC and not the added acronym meaning ‘Added Brexit Complexity’!
Below I have outlined what we know about GDPR so far.
Your ABC of GDPR
Anyone, like myself, who was involved in a GDPR readiness project and is now responsible for ensuring its compliance will know that this is no simple, stress-free task. There is an ever-present feeling of potential data doom and the possibility of the nightmare scenario that any element fails. This is why lawyers are so important in the compliance assurance mix.
A is for Adequate level of protection
When a non-EU country is deemed “adequate”, it is deemed to provide an “adequate level of protection” for the personal data records of EU citizens. If you want to transfer data to a non-EU country that is deemed “adequate”, you can do so without any additional administrative burden, e.g. EU Standard Contractual Clauses.
The EU Commission, the executive arm of the European Union, holds the power to determine the adequacy or not of a country. Existing adequacies, which you can check here, are still based on the requirements of the EU Directive 95/46/EC, the Directive that became defunct as of 24th of May 2018.
How to achieve adequacy
Any country wanting to achieve “adequacy” from now on will need to follow a long and far from straightforward process. Japan and South Korea are close to reaching adequacy, but have had to adapt their national legislation to align with the GDPR, and this will be the case for all non-EU countries moving forward.
This said, there remains a grey area around non-EU countries that hold adequacy status under the old Directive. While they are required to update their national legislation to match the GDPR, there has been no announcement from the EU Commission to this effect other than an update on its website to say the adequacy status is according to art. 45 GDPR. This is just one example of where the EU has been inconsistent in setting and policing compliance standards.
What follows I wrote literally two days before the Withdrawal Agreement (“the Agreement”) between the UK and the EU was signed. It’s not a quick read and is likely subject to change, but it’s essential because all we know for certain is that post-Brexit there will be no GDPR get-out clauses, especially for those who continue to hold EU personal data.
As a quick recap, the GDPR was approved in Brussels on 27 April 2016. Two months later on 23 June, UK citizens were called to vote to decide whether or not the UK should remain in the EU. The result was ‘no’. This was not necessarily a final ‘no’. There continues to be discussion as to whether a referendum should be called, making it impossible for any concrete decisions to be made over data.
Be prepared for either scenario
Whatever the outcome of the ongoing discussions, the preparation work must be done. Everyone in the boardroom and beyond is looking to data privacy professionals for answers: what to do and what to expect. The answer every smart lawyer will give is: well, it all depends.
It was the same with the GDPR. Everyone wanted impossible answers to questions the moment the GDPR was first mentioned in 2012. Would there be… unlimited fines? Mandatory DPOs? Forbidden data transfers? It was only when the GDPR was approved that it was possible to give any answers, and these are: there are no unlimited fines, DPOs are only mandatory under certain circumstances, and data transfers are not forbidden. Hardly clear cut!
What we do know about Brexit and GDPR (under art. 50 of the Treaty of the EU) is that after a 2-year transition period the UK will effectively cease to be a Member State of the EU. Even with this 29 March 2019 date in place there remain a lot of “ifs and buts”.
I won’t go into the details here myself because there are far smarter people than me to comment on this subject. I will though list the two potential scenarios.
Scenario 1 “Deal”
A “deal” will basically create another transition period. Currently, this is said to be set to end on 31 December 2020, but it could be extended upon mutual agreement. During this period the EU and the UK will implement the measures agreed. The UK will no longer be a Member State of the EU, but will still technically be subject to EU law, without the option to participate in its creation.
Scenario 2 “No deal”
If there is no deal, i.e. the EU and UK fail to reach an agreement on the framework of their future relationship, there will be no transition phase and the UK will cease, practically and technically, to be a Member State of the EU.
Don’t panic! If this is the scenario, the UK will implement current EU legislation into UK law and so, even though the UK will no longer be part of the EU, it will still have EU law implemented within UK legislation to ensure operations don’t hard-stop on 30 March 2019.
Scenario 1 is likely to have less impact on governments and organizations when a formal agreement is reached. So far the UK and EU have agreed on the content of the Withdrawal Agreement, but this must still be agreed by the UK government. The political “hurricane” that commenced just hours after the presentation of the Agreement means the possibility of a “no deal” scenario still looms large over Europe.
This Agreement is 585 pages long and details the relationship between the UK and EU until 31 December 2020 unless mutually extended. There is no final date applied to this extension, conveniently enough.
The data elements of the Brexit Agreement
Title VII of the Agreement covers “data and information processed or obtained before the end of the transition period, or on the basis of this agreement” and specifically references Regulation (EU) 2016/679 (the GDPR) and Directive (EU) 2016/680. The Agreement specifically states that for the “purpose of this Title Union law on the protection of personal data” means the GDPR “with the exception of Chapter VII thereof.”
More simply, this means that it excludes the “Cooperation and Consistency” chapter of the GDPR, making it clear, if it was not before, that the UK Information Commissioner’s Office (ICO) will not participate in a one-stop-shop scenario nor act as a “cooperating Supervisory Authority” with other EU DPAs under the GDPR. EU countries that have established the ICO as their “primary Supervisory Authority” (per Recital 124 GDPR) will likely have to establish a different EU data protection authority, unless a separate agreement on this topic is achieved. This won’t have to happen until the end of the transition period, because the UK will still be fully subject to EU law until then.
However, the Agreement specifies that the UK must apply for an “adequacy status” sooner; the EU will start analyzing the UK’s data protection framework, and this must be concluded before the end of the transition period.
Interestingly, paragraph 82 of the “Explainer for the agreement on the withdrawal of the UK and Northern Ireland from the EU” document states that “EU law will continue to apply to the “stock” of personal data until Adequacy Decisions have been granted, after which time UK domestic rules on personal data protection will apply.”
This leads to the understanding that EU law and the GDPR, therefore, will continue to apply to the protection of EU personal data in the UK until an adequacy decision is reached by the EU. The same document comments that the EU will begin this assessment “with a view” to adapting the same “by the end of the implementation period”.
The same understanding is underlined by art. 7.1.b of the Agreement when it states that all personal data processed in the UK after the transition period “on the basis of the agreement” will be subject to EU data protection law. Should an adequacy decision be given before the end of the transition period, EU data protection law will cease to apply and UK data protection law will apply to the processing of EU personal data.
As you can see, not all the pieces of this puzzle fit nicely together, and only once both sides have signed the Agreement can we discuss exact details, which we will. This will be far from light reading, but it will be essential to ensure your organization remains compliant following Brexit, however this might pan out.
I will continue the conversation about data protection, and the impact of Brexit on it, over the next few months, months that promise to be interesting for us all. I look forward to hearing from you any thoughts that you might have on this topic.