Decision time: Brexit options for EU Institutions

| Joost Krapels | Privacy

The European Data Protection Supervisor, or EDPS for short, supervises the compliance of EU Institutions and bodies to the GDPR. For this reason, most of the EDPS’ publications are not that interesting for most private parties. Lately, however, the EDPS published a statement that, given the current chaos surrounding Brexit is an interesting and perhaps even useful document to read. In this article we summarize this statmentement, and explain in what ways legal transfers of personal data between EU Institutions and Private and Public UK parties may take place after a Brexit.

EU Institutions and bodies, such as the European Parliament, European Commission, European Central Bank, and Court of Justice of the EU, sometimes transfer personal data to private or public parties. This can be, for example, the case during mission trips or IT outsourcing. When this processing currently takes place by a processor in the UK, a Brexit could complicate the situation significantly.

The easiest option

By far the easiest and least-impactful way (for personal data protection) of leaving the EU would be for the UK to sign some form of withdrawal agreement. The current withdrawal agreement, which is over 600 pages long, contains a section of 5 articles on data protection law. This section, title 7, spans a whopping 5 pages, making it about 0.8% of the entire proposed Brexit deal. It focuses on a transition period between the moment the UK leaves the EU and the moment it has own data protection legislation that can be considered “adequate” by the European Commission. The chapter, in itself, is quite reasonable and will buy both the EU and UK a lot of time to “sort it out”.

In the withdrawal agreement, data protection legislation is summarized to be: The GDPR, the Law Enforcement Data Protection Directive, the E-privacy Directive, and “any other provisions of Union law governing the protection of personal data.”. The article that sums up Title 7 the best, would be article 73:

The problem for the UK is that Title 7 is not the only thing they agree to when signing the withdrawal agreement. At the moment of writing, it does not seem likely the full agreement will be signed. Time for EU institutions and bodies (EUI’s) to look at other options for data protection.

Options in case of a no-deal Brexit

Adequacy decision

The European Commission may judge a third country (non EU/EER country) to have an adequate level of personal data protection. So far, the countries that have received the status of adequate are Andorra, Argentina, Canada Faroe Islands, Guernsey, the Isle of Man, Isreal, Jersey, New Zealand, Switzerland, Uruguay, and organizations in the United States of America that have joined the Privacy Shield initiative. Personal data exchange with the US is currently, again, under scrutiny, but that is a story for another time. Should the Commission decide the UK to have an adequate level of data protection, that can only take place once the UK has already left the EU. How much time the UK will be a third country in between is anyone’s guess. The EDPS discourages EUI’s to preemptively rely on an adequacy decision.

Under the GDPR, there are several other safeguards one can rely on to exchange personal data with third countries:

Exclusive EUI instruments

European Union Institutions and bodies have a trick up their sleeve that private European parties can only dream of: diplomatic agreements. In this, they have two options: legally binding and enforceable agreements, such as administrative agreements or bi/multilateral international agreements, or administrative arrangements. The difference is that the former set is legally binding by itself, and the latter only safeguards the rights of data subjects. Due to this, administrative agreements need to be greenlit by the EDPS.

Standard data protection clauses

Even for EUI’s cross-border data exchange is not solely with foreign government bodies and institutions. In cases where EUI’s plan to exchange personal data with a third country, standard contractual clauses drawn up by the European Comission may be used. As long as these clauses are not altered in any way (though they may be part of a larger contract), personal data is regarded to be safeguarded. The EDPS has the right to draft their own set of standard contractual clauses, which also have to be approved by the Commission, but so far they have not done this.

Binding corporate rules

Large multinationals can have Binding Corporate Rules in place, which allows for free safe transfer of personal data between members of the group. EUI’s may use a procesor in a third country that is part of such a group, since the BCR safeguards the protection of personal data. BCR are notoriously difficult, expensive, and time consuming to establish. Once they are in place, however, it makes the exchange of personal data a lot easier.

Codes of conduct

In theory, private and public parties may be certified to safeguard personal data, or proven adhere to certain codes of conduct. So far, no codes of conduct or certification mechanisms are approved by either the European Data Protection Board (European data protection advisory group) or Data Protection Supervisory Authorities.

Ad hoc contractual clauses

Similar to, but slightly different from, the previously mentioned standard contractual clauses, custom contractual clauses may be used for the exchange of personal data with a third country. These clauses, however, have to be approved by both the Supervisory Authority involved and the EDPB. As you can imagine, this might take a while too.


Derogations are a sort of “final escape” options, when all the previously mentioned options are not suitable. They may only be used occasionally, since the data subjects involved cannot be effectively protected by the GDPR. Data may be send to third countries when:

  • Explicit consent has been given by the data subject (person who’s personal data is processed)
  • The transfer is needed to fulfill or engage in a contract with a data subject
  • The transfer is needed to fulfill or engage in a contract with another party than the data subject, for the latter’s interest
  • There is a high public interest to fulfill
  • There is a need for the controller to establish, exercise, or defend against a legal claim
  • When the vital interests of a person need to be defended, and this person cannot give valid consent.
  • A transfer is made from a public register.

This set of derogations is, in some parts, similar to the lawfal bases for processing from article 6 GDPR. The most important difference is that derogations may only be used in case of exceptions, where the lawful bases always need to apply.

Steps advised by the EDPS

The European Supervisor concludes its information note with a list of steps EUI’s should take to prepare for a possible no-deal Brexit:

  1. Map your processing activities
  2. Check what data transfer mechanisms best suit your different processing activities
  3. Implement these mechanisms before November 1st
  4. Update your internal documentation
  5. Update your data protection notice (e.g. privacy statement)

This 5-step plan marks the end of the EDPS’s information note. Should you be interested, then you can find the full note here.

Image credit: @vladsargu via Unsplash

Author: Joost Krapels
Joost Krapels has completed his BSc. Artificial Intelligence and MSc. Information Sciences at the VU Amsterdam. Within ICT Institute, Joost provides IT advice to clients, advises clients on Security and Privacy, and further develops our internal tools and templates.