Tag Archives: GDPR

Red Alert: Hard Brexit and Data Protection

After the House of Commons rejected the text of the treaty negotiated between the European Commission and the British Government on the withdrawal of Great Britain from the European Union (https://ec.europa.eu/commission/sites/beta-political/files/draft_withdrawal_agreement_0.pdf), a “hard brexit” – the dissolution of the relationship without a divorce contract – has become more likely. This also has serious implications for data protection and the companies subject to it.

In its statement issued more than a year ago (http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=611943), the European Commission had already pointed out the serious consequences for data protection resulting from the departure of Great Britain. The Commission pointed out that after the Brexit, Great Britain would become a “third country” to which the corresponding rules of the European General Data Protection Regulation (GDPR) for data transfer to countries outside the EU would apply (Art. 44 ff GDPR). 

While the cross border transfer of personal data between the member states of the European Union is permissible without restrictions under data protection law, an adequate level of data protection must be demonstrated if the data are to be transferred to third countries. The GDPR provides various instruments for this purpose.

The silver bullet would be a so-called “adequacy decision” of the Commission (Art. 45 GDPR). On the base of such decision a transfer shall not require any specific authorisation. But it would be an unrealistic presumption such a decision can be implemented in the short term, as it is not only a question of assessing the data protection law as amended last year, but also the entire legal system, including the highly controversial Investigations Powers Act (IPA), which grants the British security authorities comprehensive powers over personal data.

Appropriate safeguards to demonstrate the adequacy of data protection at the recipient (Art. 46 GDPR) are “standard data protection clauses”, approved binding corporate rules (BCR), approved codes of conduct (CoC) and certification mechanisms.

However, until recently, it looked as if companies could take their time looking for alternatives. The text of the agreement negotiated between the Commission and the British government provides in Art. 70 ff that the GDPR (with the exception of the provisions of the seventh section governing supervisory cooperation) should continue to apply in Great Britain for the planned transitional period of two years. It was also agreed that an adequacy decision should be prepared within the transitional period.

Now that the text of the agreement is out of date, there is an urgent need for action by companies exchanging personal data between the EU 27 and business partners in the UK. By the end of March 2019, they must fulfill the requirements of the GDPR for third country transfers by means of one of the above-mentioned instruments or by means of individual contractual arrangements and, if necessary, corresponding authorisation from the competent supervisory authorities. Otherwise, the corresponding transfer transactions would be illegal. 

It is to be hoped that the European data protection supervisory authorities will assist the companies in an advisory capacity in this difficult matter.


Peter Schaar

Translated with www.DeepL.com/Translator

Brexit and Data Protection: Out Is Out

By Peter Schaar, Chairman, European Academy for Freedom of Information and Data Protection, Berlin


What the consequences of the the UK Brexit referendum are for data protection currently cannot be said conclusively. Considerable uncertainties remain until the end of the upcoming exit negotiations at least. Unless specific arrangements on data protection are made between the EU and the UK, the United Kingdom will be seen from the EU perspective as a regular third country like any other non-member state, such as Japan or South Africa.


At best, the country gets a status like Norway, which belongs to the European Economic Area and is thus largely obliged to apply EU law, without, however – as the EU member states – to have effective decision power and participation rights, in particular in the European Data Protection Board set up by the EU General Data Protection Regulation (GDPR).


I am sceptical that the UK Parliament will implement the GDPR completely by changing the British law by May 2018 when the GDPR starts to be applicable. This seems to be very unlikely, especially since the United Kingdom has already struggled with the adoption of the new EU privacy rules. For example the British Government “opted out” from Art. 48 of the GDPR, the so-called “NSA clause” that is to protect European citizens against third country government access to personal data. Nevertheless the provisions of Art. 48 would probably apply in future to the United Kingdom after the leave from the EU. The transmission of personal data to government authorities protected by the GDPR based on British court rulings or administrative orders will be legal then only within the framework of mutual legal assistance agreements between the UK and the EU or its member states. This is particularly important because the British Parliament has recently stepped up drastically the already strong surveillance powers of security agencies and its corresponding obligations of companies with the amended “Investigatory Powers Bill”. The “national security exemption” of article 4 TFEU will not longer be applicable for the UK. The practices of GCHQ and other government agencies will have to be taken into account even in the assessment of the EU Commission about a possible adequacy decision for the UK (see below).


It seems likely to me that the very requirements of the GDPR provisions on transfer of personal data to third countries (art. 44 and following) will apply in the future on the UK. Thereafter, any transfer of personal data will be permissible only if the data controller and the data processor comply with the conditions laid down in the GDPR. This also concerns the possible onward transfer of personal data to another third country or to an international organization. The GDPR allows the transmission on the basis of “adequacy decisions” of the European Union or other appropriate safeguards, in particular on the basis of standard contractual clauses or under a system of binding corporate rules(BCR).


The UK Information Commissioner (ICO) already pointed out that the United Kingdom continues to need clear and effective privacy laws, irrespective of the question of EU membership (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/04/statement-on-the-implications-of-brexit-for-data-protection/). If the British legislator follows this advice, the European Commission could make a decision under article 45 on the existence of an “adequate level of data protection” in the UK. However, such a finding is not supposed to run by itself and it would require negotioations and a thorough examination and assessment of the British data protection system. This could hardly be managed within the available two-year period for the implementation of the EU exit.


In the light of the above companies running business in the UK as well as public bodies of member states and EU institutions have to prepare for the situation that the transmission of personal data from the EU to the UK (including the hosting of personal data on the British soil) will be much more difficult in the future as it is today. This concerns in particular those companies with business processes which are based on combining personal data of various member states or using servers or switching centers located in the UK.


Peter Schaar


The New EU General Data Protection Regulation – A First Assessment

The results of the trilogue of the EU institutions (European Parliament, Commission and Council) on the data protection reform package is an important milestone on the way into the global information society. The General Data Protection Regulation (GDPR) will replace 28 different data protection laws of the Member States.

The reach of the new legal framework extends beyond the European Union. Even companies with headquarters outside the EU will have to comply with the GDPR so far they are doing business in EU Member States and process data generated here (article 3 para. 2). Compliance with the rules is monitored by independent data protection authorities, which all have in future same, effective sanction powers. In cases of serious infringements they may impose fines up to up to 4% of the global annual turnover against the respective companies (art. 79). It has to be highlighted, that a number of last minute attempts have failed to mitigate or weaken the new privacy requirements in central points, such as on scope of the regulation or the purpose limitation rules.

Nevertheless, there are also areas where the result is less positive than hoped for. Thus, the EP has not been completely successful in the requirements on individual consent to the processing of personal data (‘the data subject’s consent’ means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative, signifies agreement to personal data relating to them being processed“ – article 4 para 8). Explicit consent is only required if censent refers to “special categories of personal data” (article 9) – such as health data or genetic information. Also the rules on profiling lag behind the demands of privacy advocates. The relevant provisions are limited to decisions based solely on automated processing, which produce legal effects concerning the data subject or similarly significantly affects him or her (article 20).

During the negotiations critics – in particular from Germany – complained the GDPR would weaken or undermine the data protection requirements defined by national law. Today we can say, this fear did not realize, at least in general. Only in specific areas the new legal requirements are lagging behind the present national laws, for example with regard to the more stringent data protection provisions for Internet services of the German Telemedia Act. On the other hand, the German data protection level is just here high only in theory, but not de facto. This became evident from the example Facebook: German data protection authorities have failed with lawsuits against the company with European headquarters is located in Dublin – to undertake to comply with the German data protection rules. However, every company that does business in Europe in future must comply with the new single European data protection law. This is real progress, even if the GDPR in certain areas lagging behind the national law. In addition, there are other areas – such as the Federal Citizens Registration Act – where data protection requirements of new EU regulation are stricter than the present German legislature. The unconditional dissemination of public register data on request to everybody is not compatible any more with European law and must be terminated.

Light and shadow there is also in the rules on the internal data protection officer (DPO). On the one hand, article 35 obliges public authorities and government agencies – except for courts acting in their judicial capacity – to designate a DPO. Also those private companies have to designate a DPO, whose „core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and stematic monitoring of data subjects on a large scale“ or with core activities consisting „of processing on a large scale of special categories of  data pursuant to Article 9 and data relating to criminal convictions and offences“. However, the significantly more stringent requirements of the German Federal Data Protection Act on DPOs have not completely been included in the GDPR. At least the adopted text allows the national legislators to stick to the mandatory designation of DPO (article 35 (4): “in cases other than those referred to in paragraph 1, the controller or processor … may or, where required by Union or Member State law shall, designate a data protection officer …“) .

Even if, as expected, the provisions now adopted – the GDPR and the Directive on data protection for police and justice – will soon pass the formal EU legislative procedure, a lot of work has to be done at European and at national level prior to their entry into force 2018: At EU level the compatibility of other legal provisions with the GDPR has to be reviewed. This particularly applies to the directive on data protection in electronic communications (“ePrivacy Directive“). Governments and parliaments of the Member States are requested to review their national law. This applies in particular for Germany with its numerous sector specific data protection provisions. Many laws need to be revised, some need to be eliminated. A special mission coming to the national legislators is the processing of personal data in the employment context. Article 82 GDPR provides the national legislators with  competence to regulate the handling of employee data in detail. („Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees‘ personal data in the employment context, …“).
National regulators have also to deal with the question of how far the legal provisions for data processing for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties need to be adapted to the requirements of the new Data Protection Directive for police and justice.

Finally, businesses and public authorities have to adapt their practices to the new rules. New processes and procedures have to be designed, existing procedures need to be changed …

The European Academy for Freedom of Information and Data Protection (EAID), Berlin, will focus in the coming years on the impact of new EU data protection rules. For 2016 we are planning workshops for decision-makers in business, politics and administration on implementation of the new EU rules and on needs for revision of national legislation.