What do Convention 108+ Brexit GDPR and Adequacy have in common?

They all form part of a very important question which is “Will Convention 108+ Help Britain with a GDPR Adequacy Ruling Post Brexit?”

Why does this matter you may ask yourself?

GDPR is a Regulation applicable to countries who are part of the EU/EEA and who have therefore signed up to GDPR by default for being in the EU club.

As soon as Britain leaves the EU, it no longer has automatic membership of the GDPR club and is only allowed a guest pass if is has an adequacy ruling. An adequacy ruling is effectively EU agreeing that the data protection rules in a particular country are equivalent to the GDPR and therefore are ‘adequate’ to protect the rights and freedoms of individuals, more importantly (in the EU’s eyes) those who are EU citizens.

Won’t the Data Protection Act 2018 provide us with an adequacy ruling?

Whilst the provisions within the DPA 2018 are equivalent to GDPR in most respects it does not automatically provide for an adequacy ruling

  •  It takes time to reach adequacy status. Japan took two years to achieve this so the UK is unlikely to achieve this by March 2019.
  • The process to declare a country adequate cannot be started until the UK becomes a third country, meaning the clock has not even started yet.
  • In the event of a no-deal Brexit and until the UK is deemed adequate, you may be holding EU citizens’ data illegally – (if you think this may be the case then talk to us)

So, what is Convention 108+ and how is it going to help?

Convention 108+ is a Council of Europe Treaty, official title Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data has been updated to fall in line with the GDPR.

The Council of Europe is an international organisation consisting of 47-member states and it is not as you might think a European Institution.

The UK along with 19 other states signed up on the 10th October 2018.
The EU as a body will also be a party to the Convention 108+.

“The modernized convention will allow states to share a robust set of principles and rules to protect personal data, and will provide a unique forum for co-operation in this field at global level,” explained Council of Europe Secretary General Thorbjørn Jagland.

The basic point being that the European Commission sees the convention as a way of encouraging “Third Countries” to adopt the fundamental tenets of GDPR.

Massively important is this statement in the GDPR recitals

Recital 105 of the GDPR states: “The Commission should take account of obligations arising from the third country’s participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country’s accession to the Council of Europe Convention 108 and its Additional Protocol should be taken into account.”

By a process of induction, we might then be able to come to this conclusion

Premise 1: The Commission encourages accession to Convention 108

Premise 2: Recital 105 recognizes Convention 108 regarding adequacy

Premise 3: The Commission recognises that 108 meets adequacy (equivalence), and it can’t go back on its word.

Premise 4: The U.K. is covered for adequacy by signing up to Convention 108+

You will find other resources on the web that provide similar assertions and indeed even go into more detail as to why 108+ will be good for the UK post Brexit.

Mind the Gap

Finally, even with 108+ there may be a legal gap between getting an adequacy ruling and leaving the GDPR club.

The only real recourse for this will be to implement Standard Contractual Clauses.

Regardless of any adequacy ruling, UK companies may also need representation in the EEA (because Britain won’t be in the EEA).

GDPR Auditing and our legal partners have a wealth of experience creating legal frameworks for the transfer of data outside the EEA, talk to us if you need advice.

Contact us

If you would like to know more about how GDPR Auditing can help your organisation with the GDPR please contact us at info@gdprauditing.com or visit our contacts page.

The information provided in this post is for general information only and is not intended to provide legal advice.

© GDPR Auditing 2018.