Businesses which don’t comply risk being denied access, writes Jim McLean
EU harmonisation of data protection law means that transfers of personal data between states within the European Union can be made without breaching national privacy rights.
Safeguards in the receiving state will be just as good as in the transferring state. Transfers to non-EU states in the European Economic Area (EEA), such as Norway, are straightforward too. European data protection law has been adopted in those states via the institutions of the EEA.
It will be interpreted by the EFTA Court, in the light of the case law of the Court of Justice of the European Union. With effect from 25 May 2018, the EU Data Protection Directive 95/46/EC is repealed and replaced by Regulation (EU) 2016/679 (currently under review by the EEA with a view to adoption for non-EU EEA, too).
This has constitutional significance. Unlike a Directive, a Regulation has direct application in EU states (and, if adopted by the EEA, in non-EU EEA states too).
If the UK is still in the single market on 25 May 2018, the repeal of Directive 95/46/EC and its replacement by the new Regulation will make the Data Protection Act 1998 redundant.
The UK Government has stated that it does not intend to give notice of withdrawal from the EU under Article 50 earlier than the end of 2016. This means that a notice cannot take effect before the end of 2018, which is more than six months after Regulation 2016/679 will have replaced the old law. Once Article 50 takes effect (and unless there is an EU/UK deal along EEA lines), post-Brexit UK will be a third country so far as EU/EEA law is concerned. A transfer of personal data from the EU/EEA to post-Brexit UK will need to comply with one of the regimes set up by the European Commission.
These regimes are: Adequacy – the European Commission determines that the law in the third country (which will also include rules about re-export of personal data to other third countries) meets EU standards; Binding Corporate Rules – procedures approved by a lead EU member state data protection authority, for use where the law in the transferee country does not necessarily meet EU standards; Model Contracts – contracts between data controllers in terms specified by the EU Commission, for use where the law in the transferee country does not necessarily meet EU standards; and EU - US Privacy Shield (for transfers to the USA only) – compliance with procedures agreed in July 2016.
The easiest way to demonstrate ‘adequacy’ is to enact national legislation closely tracking the text of Regulation EU 2016/679 and any further EU legislation.
This technique is well-established. It is used by Denmark to plug gaps left by its opt-out from the EU’s ‘freedom, security and justice’ pillar, by Norway for co-operation in matters outwith EEA obligations and by Switzerland in relation to matters outwith its obligations under its agreements with the EU. The European Commission could hardly deny the ‘adequacy’ of national UK legislation that tracked the EU’s own texts. Or the UK could submit an updated Data Protection Act 1998 and hope this would be considered ‘adequate’. Failing that, the UK could leave it to businesses to explore the Binding Corporate Rules or Model Contracts approaches.
Even if the UK chose not to keep up with EU developments after Brexit, the likelihood is that businesses and institutions will find it necessary to comply with EU data protection law – otherwise they risk being denied access to personal data from the EU.
• Jim McLean is a consultant with Balfour + Manson LLP