In November, the European Union and the United Kingdom concluded the terms of an agreement for the orderly departure of the UK from the European Union. Gibraltar was part of that agreement. The Withdrawal Agreement includes a transitional phase until the end of 2020 which also covers Gibraltar.
This agreement is subject to ratification by the UK Parliament and by the European Parliament.
In the meantime, planning continues for the eventuality that the UK and Gibraltar leave the European Union without this agreement.
The guidance to the public below covers that eventuality in respect of data issues.
Introduction
In the event that the UK and Gibraltar leave the EU on 29 March 2019 without a deal, Gibraltar businesses will need to ensure they continue to be compliant with data protection law.
For Gibraltar businesses that operate only within Gibraltar there will be no immediate change.
For Gibraltar businesses that operate internationally or exchange personal data with partners in other countries there may be changes that need to be made ahead of the UK/Gibraltar leaving the EU to ensure minimal risk of disruption.
It is important for businesses to review whether they would be affected. For those that would be affected, early action is advised as changes may take some time to implement.
This notice provides more detail about how our data protection law will work in the unlikely event that weleave the EU without a deal and includes six stepguidance from the Information Commissioner.
Amendments to Gibraltar’s data protection law in the event that the UK/Gibraltar leave the EU without a deal on 29 March 2019
The Government will soon be publishing a Bill for a European Union (Withdrawal) Act (EUWA), which, if passed by the Gibraltar Parliament, will retain the GDPR in Gibraltar law. The fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same.
To ensure the Gibraltar data protection framework continues to operate effectively when the UK is no longer an EU Member State, the Government will make appropriate changes to the GDPR and the Data Protection Act 2004 using regulation-making powers under the EUWA.
The regulations and more detailed guidance will be published in due course.
These regulations would:
- Preserve EU GDPR standards in domestic law
- Transitionally recognise all EEA countries (including EU Member States) and the UK as ‘adequate’ to allow data flows from Gibraltar to the UK and to Europe to continue
- Preserve the effect of existing EU adequacy decisions on a transitional basis
- Recognise EU Standard Contractual Clauses (SCCs) in Gibraltar law and give the Information Commissioner the power to issue new clauses
- Recognise binding Corporate Rules (BCRs) authorised before Exit day
- Maintain the extraterritorial scope of the Gibraltar data protection framework
- Oblige non-Gibraltar controllers who are subject to the Gibraltar data protection framework to appoint representatives in Gibraltar if they are processing Gibraltar data on a large scale
1. Introduction
The free flow of personal data between Gibraltar, the UK and the EU is critical in underpinning an ambitious economic relationship and ongoing security cooperation, and Gibraltar is committed to high data protection standards. The EU will assess Gibraltar’s regime with a view to adopting Adequacy Decisions to ensure continuity of data flows. Likewise, Gibraltar will take steps to facilitate the flow of personal data to the UK and the EU.
In May 2018 the EU’s General Data Protection Regulation (GDPR) came into force and Gibraltar’s amended Data Protection Act 2004 also came into force.
The EUWA will retain the GDPR in Gibraltar law and gives the government the power to make appropriate amendments to ensure that it works effectively in a Gibraltar context.
The Government intends to use these powers to make the necessary amendments to the GDPR and other data protection legislation prior to Exit Day. The vast majority of the changes will involve removing references to EU institutions and procedures that will not be directly relevant when Gibraltar is outside the EU. They will be replaced with terms that make sense in a Gibraltar context.
For example, in general, references to “Union or Member State law” will instead be read as “domestic law”, references to some decisions made by the EU Commission will be replaced with references to decisions made by the Gibraltar Government and so on.
2. Key components of the ‘No Deal’ framework
2.1 Data controllers and data subjects
In a ‘No Deal’ scenario, responsibilities of data controllers in Gibraltar will not change. Data subjects will continue to benefit from the same high levels of data protection as they do now. The same GDPR standards will continue to apply in Gibraltar and the Information Commissioner will remain Gibraltar’s independent regulator for data protection.
2.2 Transfers to EEA countries (including EU Member States) and the UK
Gibraltar will transitionally recognise all EEA states, EU and EEA institutions, and the UK as providing an adequate level of protection for personal data. This means that personal data can continue to flow freely from Gibraltar to these destinations following the UK’s exit from the EU. Gibraltar would keep all of these decisions under review.
Gibraltar cannot provide for free flow of data into Gibraltar; jurisdictions outside of Gibraltar will provide their own rules on the transfer of data internationally. For those that rely on data transfers from the EU, alternative mechanisms for such transfers are available. Gibraltar organisations will need to work with their EU counterparts to make sure an alternative mechanism for transfer (such as standard contractual clauses) is in place.
2.3 Existing EU adequacy decisions
Where the EU has made an adequacy decision in respect of a country or territory outside of the EU prior to Exit day, the Gibraltar government intends to preserve the effect of these decisions on a transitional basis. This will mean that transfers from Gibraltar organisations to those adequate countries can continue uninterrupted.
As set out on the European Commission’s website, the Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework).
2.4 Recognising EU Standard Contractual Clauses
Provision will be made so that the use of Standard Contractual Clauses (SCCs) that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from Gibraltar in a ‘No Deal’ scenario. In practice this means that organisations that transfer personal data to organisations overseas on the basis of SCCs can continue to rely on them. Under the proposed regulations, the Information Commissioner will have the power to issue new SCCs after Exit day.
2.5 BCRs
Existing authorisations of Binding Corporate Rules (BCRs) made by the Information Commissioner will continue to be recognised in domestic law. After Exit day the Information Commissioner will continue to be able to authorise new BCRs under domestic law.
2.6 Maintaining extraterritorial scope
The EU GDPR applies to controllers or processors who are based outside of the EEA where they are processing personal data about individuals in the EEA in connection with offering them goods and services, or monitoring their behaviour.
The Gibraltar Government intends to retain the extraterritoriality of Gibraltar’s data protection framework. This will mean that that the Gibraltar framework will apply to controllers or processors who are based outside of Gibraltar where they are processing personal data about individuals in Gibraltar in connection with offering them goods and services, or monitoring their behaviour. This includes controllers and processors based in the EU.
2.7 Gibraltar representation for controllers
Where article 3(2) of the EU GDPR applies, article 27 of the EU GDPR requires a controller or processor not established in the EEA to designate a representative within the EEA. The requirement does not apply to public authorities or if the controller/processor’s processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale.
The Gibraltar Government intends to replicate this provision to require controllers based outside of Gibraltar to appoint a representative in Gibraltar.
Data Protection and Data Flows - No deal Brexit Information Commissioner - 6 Steps to Take
1.Continue to comply
Continue to apply GDPR standards and follow current guidance from the Information Commissioner. If you have a Data Protection Officer, they can continue in the same role for both Gibraltar and Europe.
2.Transfers to Gibraltar
Review your data flows and identify where you receive data into Gibraltar from the European Economic Area (EEA). Think about what GDPR safeguards you can put in place to ensure that data can continue to flow once we are outside the EU.
3.Transfers from Gibraltar
Review your data flows and identify where you transfer data from Gibraltar to any country outside Gibraltar, as these will fall under new Gibraltar transfer and documentation provisions.
4.European operations
If you operate across Europe, review your structure, processing operations and data flows to assess how Gibraltar’s exit from the EU will affect the data protection regimes that apply to you.
5.Documentation
This will need updating when the UK and Gibraltar leave the EU.
6.Organisational awareness
Make sure key people in your organisation are aware of these key issues. Include these steps in any internal circular. Review your privacy information and your internal documentation to identify any details that will assist planning for leaving the EU, and keep up to date with the latest information and guidance.
For the full guidance please visit the GRA’s website https://www.gra.gi/data-protection