On February 12, 2019, the European Data Protection Board (“EDPB”) published two information notes to highlight the impact of a so-called “No-deal Brexit” on data transfers under the EU General Data Protection Regulation (“GDPR”), as well as the impact on organizations that have selected the UK Information Commissioner (“ICO”) as their “lead supervisory authority” for their “Binding Corporate Rules” (“BCRs”).
In the “No-deal” scenario, the United Kingdom would leave the European Union on March 29, 2019 without having agreed the terms for the departure with the latter, a contingency that increasingly appears likely as attempts by the UK Government to secure consensus in the UK Parliament on the Withdrawal Agreement continue to falter.
Information note on data transfers under the GDPR in the event of a “No-deal Brexit”
In its first note, the EDPB reminds organizations that in the event of a “No-deal Brexit”, transfers to the UK from the EU will need to rely on one of the traditional data transfer mechanisms arising under the GDPR, at least until such time as the UK receives a formal adequacy determination from the EU. The EDPB uses the note to walk through the various options, including use of standard (or ad hoc) data protection clauses, “Binding Corporate Rules” and derogations, stopping only to note that the use of derogations should be a last resort. Public authorities, unlike private enterprises, can avail themselves of additional options, including administrative, bilateral or multilateral agreements, where those are legally binding and enforceable, as well as “administrative arrangements” meeting certain requirements. The EDPB is not the only EU regulatory body concerning itself with the prospect of a No-deal Brexit. The ICO itself has released extensive guidance for organizations to help plan ahead for such a contingency, discussing data transfer considerations among other topics.
Information note on BCRs for companies which have the ICO as BCR “lead supervisory authority”
In its second note, the EDPB recommends that organizations take certain measures in the event that the ICO can no longer serve as a “lead,” which is one consequence of a “No-deal Brexit.” As background, BCRs are a mechanism by which organizations may lawfully convey personal data from the EU to affiliates outside the EU, provided those affiliates agree to comply with a set of privacy principles and rules now codified under Article 47 of the GDPR.
Organizations seeking to adopt BCRs must submit to a process that begins with designating a “lead supervisory authority,” identified on the basis of particular criteria, and then proceeds to negotiations with that authority (potentially aided by additional authorities) over the content of the BCRs. Once the BCR terms are agreed, a “consistency mechanism” is triggered, whereby the EDPB will issue an opinion on the BCRs within a stipulated period of time. If the opinion is favorable, the BCRs are approved for use in the EU.
Meanwhile, organizations that secured approval for their BCRs under the EU’s pre-GDPR regime have been updating their BCRs over the past year to bring them into compliance with recent regulatory guidance papers, notably WP 256 (Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules). The Article 29 Working Party, now superseded by the EDPB, issued this guidance to align legacy BCRs with the changes brought about by the GDPR. Further complicating matters, a number of organizations whose BCRs are supervised by the ICO as lead authority have been motivated by the prospect of a “No-deal Brexit” to transition their BCRs to another EU lead authority, presenting their BCRs to regulators in other EU Member States, with Ireland a clear favorite.
What are the EDPB’s recommendations?
In its information note, the EDPB observes that in the event of a “No-deal Brexit,” the ICO can no longer serve as a “lead,” or even backstop reviewer, for EU BCRs. The EDPB distinguishes between two scenarios: where an ICO-led BCR application is pending and where an ICO-led application has already been approved.
In the first scenario, organizations that have submitted their BCRs to the ICO for review, but have not yet completed the review process, will need to identify a new “lead supervisory authority,” applying criteria set forth in Working Document 263, adopted by the Article 29 Working Party in April 2018. This includes assessing:
- where the organization maintains its European headquarters or which EU affiliate has delegated its data protection responsibilities;
- which EU affiliates could oversee and enforce the BCRs or issue decisions in relation to EU data processing; or
- which affiliates are involved in data transfers from the EU.
This “new” lead authority will then assume responsibility for the organization’s BCRs, “initiate a new procedure” with the organization, and ultimately submit the BCRs to the EDPB under the GDPR’s “consistency mechanism.” If, however, the BCR application is already before the EDPB when a “No-deal Brexit” occurs, the organization will still need to designate a new “lead authority” to replace the ICO. This authority will then “resubmit” the application to the EDPB, seemingly resetting the EDPB’s 8-week deadline for evaluating the application.
Finally, where organizations already have BCRs that have been approved by the ICO, under the pre-GDPR regime, the EDPB cryptically states that they will need to identify a new lead supervisory authority in order to maintain the effectiveness of their BCRs as a data transfer mechanism. This undoubtedly will spur many organizations to proceed apace in transitioning their BCRs to a new “lead” authority ahead of March 29, 2019.