9 January 2018
NOTICE TO STAKEHOLDERS
DATA PROTECTION
The United Kingdom submitted on 29 March 2017 the notification of its intention to withdraw from the Union pursuant to Article 50 of the Treaty on European Union. This means that unless a ratified withdrawal agreement1 establishes another date, all Union primary and secondary law will cease to apply to the United Kingdom from 30 March 2019, 00:00h (CET) (‘the withdrawal date’). 2 The United Kingdom will then become a ‘third country’.3 In view of the considerable uncertainties, in particular concerning the content of a possible withdrawal agreement, all stakeholders processing personal data are reminded of legal repercussions, which need to be considered when the United Kingdom becomes a third country.4 Subject to any transitional arrangement that may be contained in a possible withdrawal agreement, as of the withdrawal date, the EU rules for transfer of personal data to third countries apply. Aside from an “adequacy decision”, which allows the free flow of personal data from the EU without the EU data exporter having to implement any additional safeguards or being subject to further conditions, the EU’s data protection rules (both under the current Directive 95/46 and under the new General Data Protection Regulation 2016/679, “GDPR” – which will apply as from 25 May 2018) allow a transfer if the controller or processor has provided “appropriate safeguards”. These safeguards may be provided for by:
1 Negotiations are ongoing with the United Kingdom with a view to reaching a withdrawal agreement.
2 Furthermore, in accordance with Article 50(3) of the Treaty on European Union, the European
Council, in agreement with the United Kingdom, may unanimously decide that the Treaties cease to
apply at a later date.
3 A third country is a country not member of the EU.
4 For the continued application of EU safeguards of personal data processed while the United Kingdom
was a Member State, the Commission has published an essential principles paper here:
https://ec.europa.eu/commission/publications/position-paper-use-data-and-protection-informationobtained-or-processed-withdrawal-date_en.
Standard data protection clauses: the Commission has adopted three sets of model clauses which are available on the Commission’s website;5
Binding corporate rules: legally binding data protection rules approved by the competent data protection authority which apply within a corporate group;
Approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country;
Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country. In the absence of an “adequacy decision” or of “appropriate safeguards” a transfer or a set of transfers may take place on the basis of so-called “derogations”: they allow transfers in specific cases, such as based on consent, for the performance of a contract, for the exercise of legal claims or for important reasons of public interest. These tools are well-known to business operators in the Member States, as they are already being used today for the transfers of personal data to non-EU countries. The GDPR has simplified the use of these tools by cutting red tape compared to the current Directive 95/46. Transfers based on approved standard data protection clauses or on binding corporate rules will not be subject to a further, specific authorisation from a supervisory authority. In addition, the GDPR has, subject to further conditions, introduced codes of conduct and certification mechanisms as new tools for the transfer of personal data. Preparing for the withdrawal is not just a matter for EU and national authorities but also for private parties. As regards the implementation of the GDPR, and in particular the new tools for transfers to third countries (e.g. approved Codes of Conduct and approved certification mechanisms entailing binding commitments by the controllers and processors receiving the data in the third country), the Commission (DG JUST) is working with interested parties and data protection authorities to make the best use of these new instruments. Moreover, the Commission has set up a stakeholder group comprised of industry, civil society and academics, in which this topic will be discussed.
European Commission Directorate-General Justice and Consumers
5 https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection/data-transfersoutside-eu/model-contracts-transfer-personal-data-third-countries_en
The Legal Materials contain European Union public sector information. EU public information is reproduced pursuant to Commission Decision of 12 December 2011 on the reuse of Commission documents (2011/833/EU) (the EU Decision)