The ICO’s General Counsel, Ms. Emma Bate, has then apparently explained this guidance to mean that “a transfer of personal data outside the EEA is not restricted by Chapter V of the GDPR, if the data, when held by the non-EEA recipient, is still protected by the extra-territorial scope of the GDPR. The rationale being that no additional protection is needed as the GDPR still applies, so this is not a transfer outside the protection of the GDPR.
Now, this was an odd thing to say, even then, given that it would effectively authorise data transfers from inside the EU to any big non-EEA internet provider qua the extra-territorial provisions of Article 3 of the GDPR without any need of those providers to either be established in a country that provides adequate protection, or use one of the appropriate safeguards, or rely on one of the derogations in Article 49.
Which sounds like absolute nonsense if you take into account the wording of Article 3 of the GDPR, which quite clearly states that its territorial application only extends in this way where the processing activities themselves are related to either the offering of goods or services or the monitoring of data subjects behaviour. The territorial scope provisions does not therefore create a "mini-safe harbour" in those controllers for all manner of other processing and it is unlikely that this was what the legislator likely had in mind when adopting that provision.
TJ duly made an FOI request to the ICO to find out more and was recently bequeathed a reply that explained…absolutely nothing.
As oddities go in these turbulent times, this was maybe not the oddest we have come across, and Matron put it out of her mind until this morning when she had a look at the data protection provisions of the draft EU-UK Withdrawal Agreement.
Which provides in Article 71(1) that:
“Union law on the protection of personal data shall apply in the United Kingdom in respect of the processing of personal data of data subjects outside the United Kingdom, provided that the personal data
(a) were processed in accordance with Union law in the Union Kingdom before the end of the transition period; or
(b) are processed in the United Kingdom after the end of the transition period on the basis of this Agreement.”
And all of a sudden, everything seems to make so much more sense!
Because, if we take those two things together, the implications for the UK (and EU data subjects) could be highly interesting.
Lets say the ICO’s guidance is accepted by the Commission, the EDPB and/or the DPAs of other member states.
And lets further assume that - at least for the period of the transition period- the GDPR still applies in the UK to the processing of EU data subject's personal data. Which it arguably does under Section 2 and 4 of the Data Protection Act 2018 (with a few exceptions here and there).
So, would this be a way to ensure that, in practice, the UK does not acquire full “third country” status under Article 44 of the GDPR on leaving the EU on 29 March 2019 but that, instead,
- its controller can continue to receive personal data from inside the EU, at least during the transition period, without a need to put in place one of the Chapter V routes (adequacy, appropriate safeguards or one of the derogations);
- those data transfers would be outside the jurisdiction, at least with regard to Chapter V compliance, of the CJEU, which might otherwise want to take a look at the UK's dubious electronic surveillance laws as part of a Schrems-like challenge?
If so, this would be an extraordinary fudge of the EU legislative legislative framework that deserves detailed attention by civil society and the regulators, given that it would not only give the UK and the EU ample time to negotiate an adequacy agreement as part of the final trade deal, but that the repercussions of this fudge would likely be felt way beyond UK borders and well into the future.
Should we be worried?