I have been following this chain with interest and also getting up to speed with development since mid December which do not seem to have been well publicised.
The ICO has updated its guidance relating to data protection if the UK leaves the EU without a deal.
This page link explains the implications:
https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-if-there-s-no-brexit-deal/
and leads on to revised info on international data transfers (including EEA) providing templates (based on EU standard clauses pre GDPR) for 'controller to controller' and for 'controller to processor': https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-if-there-s-no-brexit-deal/the-gdpr/international-data-transfers/
Suspect ICO is anxious to avoid approving these on case by case basis.
Also spotted this Gov statement for data protection law if UK leaves EU without a deal https://www.gov.uk/government/publications/data-protection-law-eu-exit/amendments-to-uk-data-protection-law-in-the-event-the-uk-leaves-the-eu-without-a-deal-on-29-march-2019
which explains context for new statutory instrument creating the 'UK GDPR' Ibrahim referred to earlier this week. This is snappily titled:
"New Draft DP UK Regulation: Exiting the European Union Data Protection Electronic Communications - The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019"
http://www.legislation.gov.uk/ukdsi/2019/9780111177594/contents
Lynn
-----Original Message-----
From: This list is for those interested in Data Protection issues <[log in to unmask]> On Behalf Of Phil Bradshaw
Sent: 03 January 2019 15:41
To: [log in to unmask]
Subject: Re: [data-protection] Post Brexit data considerations
I had hoped to do an analysis of this on my blog over Xmas but ended up playing games with the family - much more productive.
The conclusion I have reached for the scenario where a third country controller (which could be UK post-brexit) uses an EU processor is that GDPR almost certainly applies "in full". That seems to be inevitable following Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf
Whether Article 44 bites when the processor returns data, or when the controller access the data, depends on whether such activity is regarded as a transfer. If so Article 44 bites but in the first instance none of the mechanisms in Arts 45-46 seems to apply - in particular there are no approved SCC's - which indicates a problem.
On the other hand the fact that there are no SCCs and the Guidelines don't really address this directly may suggest that it is not actually a 'transfer' and looked at "in concreto" as we are urged to do an Art 28 agreement will suffice - noting in passing that so far as EU is concerned GDPR will apply and not the UK GDPR (Art 3).
If it is a transfer the obvious solution is Art 46(3)(a). Draft your own clauses - which should be relatively straightforward using the existing SCCs, transposing the terms and making consequential adjustments, and ask ICO to either (a) approve them or (b) confirm that no needed as no transfer involved.
If I was a cautious type I'd get on with this now
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|