UK Government postpones crunch Brexit vote

At 11 pm 29 March 2019, the UK is scheduled to leave the European Union. A date now looming in the minds of business owners after the Prime Minister postponed the crucial Brexit vote in Parliament.

Theresa May’s Brexit deal had been widely anticipated to be voted down by MP’s, most of whom reject the deal but for a variety of different reasons.

The risk of a no-deal Brexit has suddenly increased with the postponement of the vote. DMA members must plan for every eventuality, including a no-deal Brexit.

What does the Draft Withdrawal Agreement, proposed by Theresa May, aim to do and how does it compare with a no-deal Brexit?

Theresa May’s Brexit deal would limit the cost for the creative industries as it would maintain the free flow of data between the EU and UK.

Data underpins the work of the creative industries, especially advertising and marketing, and the frictionless trade in data between companies working across Europe is crucial to the success of the sector.

The Withdrawal Agreement commits the UK to align with the EU on data protection law during the transition period and to begin discussions for adequacy status, with a view to concluding the process by the end of the transition period.

Adequacy status certifies that a country outside the EU or EEA adheres to data protection standards that are essentially equivalent to the EU’s. Once concluded, data transfers between the country with adequacy status and EU member states can take place freely.

Adequacy decision

The European Commission can make a determination that a country outside the EU has equivalent data protection standards to the GDPR and that individuals have equivalent protection and rights as they would do under the GDPR. The European Commission has given adequacy status currently to a number of countries. However, the EU has stated that it will not consider an application from the UK for data protection adequacy status until the UK leaves the EU at the end of March 2019.

The role of the Information Commissioner’s Office

The DMA had been lobbying for a continued role for the ICO in the European Data Protection Board (EDPB) with full voting rights. The ICO is more pragmatic than some other data protection authorities in Europe and so the UK’s pro-business voice will be sorely missed.

The ICO had taken on a leading role within the EU as the most well-resourced data protection authority in Europe. The ICO was responsible for leading on more briefs and guidance notes than other regulators helping to project UK soft power.

That said, it was always a big ask for the ICO to have voting rights after Brexit. The Government now need to focus on working towards a new cooperative model for future relations between the ICO and the EDPB so the UK can continue to advise and assist European partners on data protection policy.

No-deal Brexit

A no-deal scenario would seriously put at risk the success of the UK’s creative industries. It would lead to data centres being moved from the UK to the EU. As well as placing an administrative burden on UK companies that would need to use different legal solutions to transfer data. These are not necessarily easy to do and come with an associated cost.

Aside from adequacy status, there are the other legal options that an organisation can put in place to facilitate data transfers.

Legal solutions

Standard contractual clauses

The EU Commission allows data to be transferred internationally if an organisation puts in place standard contractual clauses. The Commission has outlined what needs to be included in a contract in order for the data transfer to be valid. Many organisations already use standard contractual clauses, also known as model contractual clauses, to transfer data outside the EU. Using them is relatively easy to do and doesn’t require external legal help in most instances. Members can always come to the DMA for advice on how to use this option.

However, there is one major drawback to this option. Standard contract clauses are currently being challenged in the courts by privacy activist, Max Schrems, who successfully led a case against the US Government, accusing them of breaching EU data protection standards. The legal challenge to contract clauses is on-going. If Max Schrems wins the case it is almost certain that the European Commission will produce a revised and updated version of the standard contractual clauses to take account of the court’s decision. An organisation will simply have to update their standard contractual clauses to take account of the revised and updated version

See the Commission judgement about what you need to include in your contracts.

Binding corporate rules

This is for international data transfers within a corporate company. Abiding by binding corporate rules allows a global company to transfer data across its various brands across national borders. In essence, it is equivalent to adhering to a code of conduct, as all parts of the organisation agree to uphold strong data protection safeguards, therefore, facilitating the flow of data. However, it is by no means a timely option, as it takes on average 12-18 months to complete and a European regulator, like the Information Commissioner’s Office, must approve it. No one knows post-Brexit whether the UK ICO will be able to approve binding corporate rules from UK organisations without reference to other regulators in the EU Member States.

To date, it has been mainly large multinational corporations that have subscribed to binding corporate rules. It is not an option for SME’s nor is it an option available at short notice due to the amount of preparatory work required, how long it takes and the cost of getting legal support to draft the binding corporate rules. Organisations will likely only have a minimal amount of time between learning of a no-deal Brexit and requiring a new way to transfer data from the EU.

Certified codes of conduct

The GDPR allows international transfers to take place if an organisation abides by a certified code of conduct. The DMA Code, for example, could become a certified code of conduct, meaning it would need to follow certain requirements contained in GDPR and be approved by the European Data Protection Board. The EDPB are the supreme data protection authority in the EU.

FEDMA is the body that represents Europe’s DMA’s and their current code, which was based on the 1995 Data Protection Directive was approved at an EU level. However, it was a lengthy process and took a few years to conclude. Therefore, it is likely that the process will again be drawn out under GDPR, which makes this solution unsuitable in the event of a no-deal Brexit. If and when the new FEDMA Code of Conduct is approved by the EU it will only be able to be used for the transfer of personal data in relation to direct marketing activities.