Ce post a pour objectif de démontrer pourquoi et comment les règles du règlement de la protection des données à caractère personnel (RGPD) sont susceptibles de continuer s’appliquer au Royaume-Uni après le Brexit. D’une part, le RGPD a élargit son champ d’application territorial aux responsables de traitement et sous-traitant situés dans des Etats tiers. D’autre part, la responsabilisation des acteurs privés les incitera à développer les outils mis à leurs disposition pour attester de leur confirmité au RGPD tels que l’utilisation de clauses contractuelles, la mise en place de code de conduite et de règles contraignantes d’entreprises, voire la certification de certains traitements.

The purpose of this post is to set out legal arguments in order to demonstrate why and how the rules of the General Data Protection Regulation (herein after GDPR) rules will apply to the UK after the Brexit. A previous post demonstrated that is highly likely that the GDPR rules will be transformed into British Law after Brexit. Being a third country could reveal to the UK the potential of what Anu Bradford in another context called the « Brussels effect« . This expression characterises ‘the unprecedented and deeply underestimated global power that the European Union is exercising through its legal institutions and standards, and how it successfully exports that influence to the rest of the world… including without the need to seek other nations cooperation. » This post will give some illustration of this arguing that the GDPR itself takes into account that important data processing of European citizens are made outside of the EU territory, and that the private sector may be have an interest in applying the rules of the GDPR after the Brexit even if the UK government tries to secure the crossborder data transfer through an adequacy decision. *

The application of the GDPR to the UK Data processings

Article 3 clearly provides that the GDPR applies to:

all the processing activities related to the offering of goods or services to data subject of the EU
the monitoring of EU data subject behavior taking place in the EU.

In other words, having an EU establishment or the localization of the processing in the EU is not required for the application of the GDPR. Under this targeting criterion any personal data processing in the UK , will have to be in line with the GDPR after Brexit.

Furthermore, the GDPR provides a shared responsability between the data controllers (including joint controller (article 26)) and the processors which could be installed in the UK. (art.28). Finally the GDPR put strong obligations for the controllers and the processors for the transfer of personal data to third countries including for « onward transfers » (art. 44). These rules will lead the controllers to a form of contractualisation of their compliance to the GDPR with the processors. Apart from these binding rules, it is most likely that the GDPR rules will apply to the UK through more voluntary private regulation.

The application of the GDPR rules through private regulation

The UK government has committed itself « to maintaining the stability of data transfer between the EU Member States and the UK » after Brexit, in its White paper. (see point 8.40) This could occur with an adequacy decision of the Commission which agrees that UK ensures an adequate level of protection i.e. « the third country in fact… ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union » (ECJ Schrems Case point.73). This issue will not be discussed here for three reasons:

First, there are some doubts regarding the adequacy of the UK data protection regime. (for more information see the blog posts by Karen Mac Cullagh on Brexit: Implications for data protection in the UK
Secondly, the negotiation of this adequacy decision could take more time than expected.
Thirdly, the adequacy decision made under the GDPR is temporary (maximum 4 years) and may be suspended or repealed. Thus, businesses cannot rely only on adequacy decisions in the long-term

For all these reasons, this post will instead consider how the private sector could or should choose to benefit from compliance with the GDPR rules in order to secure their transfers. This power of the private sector to lead to the effective application of the GDPR rules can be seen as the counterpart of the new accountability requirement (5§2). « In contrast to the current EU-Data Protection Directive the GDPR requires that businesses take a pro-active, systematic and answerable attitude toward data protection compliance » as Andrew Dunlop said.

In particular, controller and processor could take appropriate safeguards for data transfers in the absence of a decision of adequacy. (Article 46 GDPR) such as the certification, the contractual Clauses the Binding Corporate Rules (BCRs) and the code of conduct. Most of those tools already exist in praxis. However, the GDPR has developed them, taking into account the needs expressed by the relevant stakeholders for securing their cross border data transfers.

The use of European certifications

The GDRP introduces certification as a new lawful mechanism for Cross-Border Data Transfers. After Brexit, UK controllers and processors could use certification. Thus, their processing will be presumed to comply with the GDPR. However, this will not lessen their responsibility in case there’s an established violation. In addition, it should be noted that certification will only last for a period of three years. After this time, a renewal will be necessary.

The development of certification is one of the priorities of the work program of several European bodies. A joint Committee of the European committees for standardization, the JW8 joint committee, was set up in order to adopt an European standard. The European Commission recently agreed the work program of this joint Committee. The future European standard should define privacy requirements for the implementation of Privacy-by design principles, for security product/services lifecycle in any business domain. This may in particular include pseudonymisation, as defined by the GDPR. This European standard should allow the compliance with the GDPR.

This European standardization should be available before May 2018. The future European Data protection Board (EDPB) could used it to create a European data protection seal. The organization could also refer to national certification issued by certification bodies or Data Protection Authorities (DPAs). The EDPB should provide some coordination by facilitating the mutual recognition of national certifications.

The DPAs will have an important role to play regarding certification. DPAs will have the power:

to issue and renew certification,
to approve criterion for the accreditation of the certification bodies.
Last but not least, DPA will have the power to withdraw a certification or to request the certification body to withdraw a certification (article 58.2 h)

The use of contractual clauses

The GDPR expands the type of contractual clauses that may make cross-border data transfers lawful. DPA clauses have been introduced. These Clauses will be adopted by one or more DPAs, in accordance with the GDPR. These DPA Clauses will need to be approved by the Commission. These DPA clauses will offer a national alternative to the still-existing Commission-approved Model Clauses. The novelty introduced by the GDPR is that DPA authorization of transfers made under the Model Clauses will not be required anymore.

The use of Binding Corporate Rules (BCR)

The GDPR explicitly recognizes Binding Corporates Rules (BCR). The GDPR provides: BCRs “means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”; ( article 4) It also provides clear provisions such as specific guidance for the list of criteria that BCRs must cover and procedures for the adoption of BCRs.

The use of Codes of Conduct

Finally, the GDPR allows Cross-Border Data Transfers to be made on the basis of a Code of Conduct, which was not provided by the Directive. It may also facilitate compliance for organizations that frequently exchange data with other organizations in the same sector.

To sump up, GDPR rules will apply after the Brexit in particular to:

UK controllers and processors doing business with the EU or having an establishment in the EU
cross border data transfers from the EU to the UK.

Thus, these actors should take into account the new private regulation tools such as the certification, BCRs, code of conducts and contractual clauses in order to secure their processing.

Much needs to be done before May 25th, 2018 for all stakeholders to be compliant. The WP29 announced that it plans to publish guidance on certification, on data transfers based on binding corporate rules and contractual clauses in 2017. This could give some useful clarification. We have also seen through various examples the importance of the DPAs in the implementation of the GDPR. The future relation of the Information Commissioner Office (ICO) with the European data protection Board and the national DPAs will certainly need to be imagined.

As the French dramatist Jean Giraudoux said « There is no better way of exercising the imagination than the study of Law »

Olivia Tambou, Associate professor at the Université Paris-Dauphine, PSL Research University,

* Theses posts are adapted from a presentation made at the Computers, Privacy and Data Protection Conference 2017 in a roundtable called « Data protection after Brexit ». An academic paper will be available later in the University Paris-Dauphine institutional repository. I will very much welcome and value comments, suggested readings you consider revelant at : olivia.tambou@dauphine.fr