Brexit impact on privacy

On Friday, January 31, 2020, the United Kingdom (UK) left the European Union (EU) after 47 years as part of the union.

While the UK ceased to be part of the EU when the clock struck midnight in Brussels, the UK and EU have agreed to a transition period until the end of 2020. This allows the UK to continue its current relationship with the EU while future trading relationships are negotiated.

As part of this transition period, the UK’s Information Commissioner’s Office has clarified that the EU’s General Data Protection Regulation (GDPR) will remain in effect until the end of 2020.

No changes required at this time, but …

If you or your clients offer goods or services in the UK, and process personal data of UK residents, the GDPR will continue to apply to the treatment and safeguarding of that personal data.

Similarly, the GDPR still applies, and data protection agreements (DPA) are still required as part of an agreement with organizations that process personal data of individuals from the UK.

The UK’s Data Protection Act of 2018 incorporates the GDPR into UK law. It remains to be seen what status the EU will give to personal data transfers to the UK: Will the EU allow such transfers or will it apply the same conditions as for the rest of the world?

Adequacy status for Canada

At the time of this writing, the EU Commission considered Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) adequate to receive and process personal data of EU residents in Canada without further conditions under the GDPR. However, this adequacy status is up for review in 2020 by the EU Commission.  

Even if Canada retains its adequacy status with the EU, it is not clear what regime the UK will adopt in relation to cross-border personal data flows. While it is fair to expect that the UK will look favourably at facilitating cross-border data flows towards North America in support of new trade agreements, UK businesses have recently started to show concern with the UK’s direction in that regard. Indeed, in the months leading up to the UK leaving the EU, organizations from the UK have started to ask for further assurances related to data protection from entities outside the UK, including Canadian businesses processing information of UK residents.

With all these uncertainties at play this year, do not be surprised if a UK business partner asks you to sign the Standard Contractual Clauses with respect to personal data of UK residents being stored or processed in Canada. 

What to expect

Following the transition period, there may be areas of uncertainty around the data protection landscape in the UK. It is likely, however, that the UK will keep its GDPR-based data protection legislation to address any concerns about the flow of personal data between the EU and the UK, and keep its flexibility in negotiating free trade agreements with North America.

Please contact a member of our Privacy and Cybersecurity group if you have any questions on the impact of Brexit and the privacy compliance obligations.

Regulating the Internet – Really?

Date and time:
Start: June 11, 2019, 9:00 AM EST
End: June 11, 2019, 4:30 PM EST

Location: 
Shopify
150 Elgin Street
14th floor 
Ottawa, Ontario K2P 1L4
Canada

CPD accreditation
This program is eligible for 5 substantive hours required by the Law Society of Ontario.

On December 11, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) released its final report “Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly”. The Report calls for increased regulation on the Internet.

Dentons and the International Commission of Jurists (ICJ), an international organization created 60 years ago to assert the rule of law as a matter of democracy, invite you to a complimentary all-day conference that will address the specific challenges and solutions that arise in this context.

Topics will include:

  • Legal disruption: Impact of digital on the existing regulatory framework
  • From lock and key to encryption – Applying privacy law on digital
  • Can data monopolies exist within privacy and competition law?
  • The particular case of e-commerce
  • Are Internet giants the guardians of democracy on the Internet?

Speakers

  • Kevin Chan, Global Director and Head of Public Policy Canada – Facebook
  • Anthony Durocher, Deputy Commissioner – Competition Bureau Monopolistic Practices Directorate
  • Nathaniel Erskine-Smith, Member of Parliament for Beaches–East York, Vice-Chair of the Standing Committee on Access to Information, Privacy and Ethics (ETHI)
  • Joe Frasca, General Counsel – Shopify
  • Jacob Glick, General Counsel – North
  • Tamir Israel, Staff Lawyer – Canadian Internet Policy and Public Interest Clinic (CIPPIC)
  • Janet Lo, VP of Privacy & Consumer Legal Affairs – TekSavvy Solutions
  • Brenda McPhail, Director of Privacy, Technology & Surveillance Project – Canadian Civil Liberties Association
  • Errol Mendes, Professor, University of Ottawa and President, International Commission of Jurists (Canadian Section)
  • Vivek Narayanadas, Associate General Counsel, Privacy & Data Protection Officer – Shopify
  • Marina Pavlovic, Associate Professor – University of Ottawa
  • Mark Schaan, Director General, Marketplace Framework Policy Branch – Innovation, Science and Economic Development Canada (ISED) / Government of Canada
  • Chantal Bernier, Of Counsel and National Practice Leader, Privacy and Cybersecurity – Dentons Canada LLP
  • Monica Song, Partner – Dentons Canada LLP

Questions

Please contact Carla Vasquez, Events Manager, at carla.vasquez@dentons.com or +1 416 361 2377.

Dentons Canada LLP is committed to accessibility for persons with disabilities. Please contact us at toronto.events@dentons.com in advance of the event if you have any particular accommodation requirements. We will work with you to make appropriate arrangements.

Impact of the European General Data Protection Regulation (GDPR) on Adequacy and 5 Tips to Weather the Changes

Recent media coverage has brought to light the internal deliberations of the Government of Canada regarding the possible impact of the entry into force in 2018 of the GDPR on Canada’s adequacy status to receive personal data from the European Union (EU).  Ten other countries, and the businesses in those countries, should examine the same question:  Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. The EU-US Privacy Shield, to which U.S. companies may self-certify, has received adequacy status.

Two issues arise: i) since the provisions of the new GDPR are stricter than the current European regime under which these eleven States have been deemed adequate, will adequacy survive the coming into force of the new GDPR? And ii) now that adequacy may be repealed, how should governments or businesses prepare in that regard?

The following seeks to summarize what to watch for and how to weather this significant, yet still ill-defined, legal development.

  1. Why is adequacy status important?

European privacy law prohibits the transfer of personal data outside of the EU, except to states that have been recognized as providing adequate privacy protection (GDPR, Chapter V). “Non-adequate” states may only receive EU data under onerous conditions, namely:

  • Individual consent, and even then this is not valid for employee information as the employer-employee relationship is one of authority which defeats the assurance of “free” consent; or,
  • Standard model clauses, adopted by the European Commission, that bind the parties to the same level as European data protection law and submit the party receiving the data to audits by the party transferring the data; or,
  • Binding Corporate Rules, which apply within “a group of enterprises engaged in a joint economic activity” (Article 43.1) and bind the companies within the group to the European standards of privacy law.

Non-EU states that have been recognized as providing adequate protection for privacy may receive transfers of personal data from Europe without “any specific authorization.” (Article 41.1)

With a European market of 500 million, this is a critical economic advantage.

  2. How is a State considered adequate?

Article 41.2 of the GDPR summarizes the conditions for adequacy:

  • Respect for “the rule of law, human rights and fundamental freedoms, relevant legislation both general and sectoral, data protection rules and security measures, including rules for onward transfer of personal data to another third country or international organization, as well as the existence of effective and enforceable data subject rights and effective administrative and judicial redress for the concerned data subjects”;
  • Existence of an effective data protection authority;
  • International commitment of the State to uphold protection of personal data.

  3. What is the difference between State adequacy and the EU-US Privacy Shield?

Because the U.S. does not meet the criteria above and therefore does not have adequacy status, U.S. companies require a specific legal instrument to receive EU personal data. That is the EU-US Privacy Shield, under which U.S. companies self-certify and commit to:

  • European data protection standards;
  • The new scrutiny of the Ombudsperson to be created in the U.S., as well as of the Department of Commerce and Federal Trade Commission;
  • Stronger requirements on consent;
  • New access for Europeans to remedies in the U.S.

It is noteworthy that the EU-US Privacy Shield process is still more burdensome than for companies in States that have adequacy status.

  4. What next for adequacy?

The coming into force of the GDPR introduces the possibility for an adequacy decision to be “amended, replaced or repealed” (Article 41.3a) by a Commission decision. Moreover, the Commission will “monitor the functioning of decisions” already adopted, with a view to adequacy remaining in force, being amended or being repealed.

So nothing can be taken for granted. The maintenance of adequacy will be earned through conformity to European standards on privacy law.

  5. Honing privacy compliance strategies in the context of adequacy

Here are the best practices from our clients transferring or receiving European personal data:

  • Identify legal obligations under the coming GDPR;
  • Perform a gap analysis to address possible compliance issues in advance of the GDPR coming into force;
  • Negotiate GDPR-compliant contract clauses with sub-contractors;
  • Include monitoring provisions in the contract clauses, such as the right to audit the sub-contractor to ensure compliance;
  • Establish data centres or hire cloud services in States having adequacy, or with companies self-certified under the EU-US Privacy Shield.

Adequacy status is an objective shared by governments and companies.