Government Issue Technical Notice On Data Protection
The Government has published the following Technical Notice on Data Protection:
On 31 December 2020, the Transition Period (sometimes also referred to as the “Implementation Period”) under the EU-UK Withdrawal Agreement will come to an end. The end of the Transition Period will bring an end to the current status quo whereby Gibraltar, its citizens and its business, have enjoyed EU rights. Therefore, subject to the outcome of ongoing negotiations concerning the UK and Gibraltar’s future relationship with the EU, the end of the Transition Period will bring about important changes which Gibraltar, as a whole, will need to be ready for.
Purpose.
Gibraltar’s departure from the European Union means that certain processes and procedures will inevitably become more difficult, cumbersome and bureaucratic. It is important that citizens and businesses are aware of this and that, where possible, they plan ahead. The Government can only prepare in areas that are within its control. Even then, there will be certain areas where mitigation is not possible because the new situation simply reflects what it means to be outside the European Union.
The purpose of this Notice is to explain what the effect of those changes are on rules which regulate the transfer of personal data between Gibraltar and the UK, and, separately, Gibraltar and the EU.
If there is no agreement with respect to the UK and Gibraltar’s future relationship with the EU by 31 December 2020.
Position vis-à-vis Gibraltar and the UK
It is important to underline that, after 31 December 2020, and regardless of whether there is an agreement on the future relationship with the EU or not, Gibraltar will be retaining, for the purposes of its domestic legislation, EU data protection laws including Regulation (EU) 2016/679 (commonly referred to as the “GDPR”). The same approach will be taken by the UK.
Against this legislative backdrop, both the UK and Gibraltar have enacted domestic legislation determining that each will consider each other as having an adequate data protection regime. This would allow for the continued free flow of personal data as between the UK and Gibraltar in either direction.
The upshot of the above is that there will be no change, post-31 December, to the manner in which personal data is transferred between the UK and Gibraltar. Nor will there be any changes to the safeguards that are applied to such data transfers. Status quo will be preserved. Whether or not there is a future agreement with the EU will have no bearing on these arrangements.
Position vis-à-vis Gibraltar and the EU
Like the UK has done for itself, Gibraltar has enacted legislation confirming that it considers the EU to have an adequate data protection regime. This would allow entities established in Gibraltar to transfer data with EU Member States post December 2020. This will be the case even if there are no separate arrangements on the UK and Gibraltar’s future relationship with the EU.
The flow of data from Gibraltar to the EU can therefore continue as normal.
However, the same cannot be said with respect to the flow of data from the EU to Gibraltar. After 31 December 2020, any transfer of personal data from the EU to Gibraltar (other than what is referred to as “legacy data” covered by Article 71 of the UK-EU Withdrawal Agreement) will not be treated as having been transferred within the EU.
Therefore, as from 1 January 2021, EU entities will need to comply with relevant EU rules applicable to transfers of personal data to third countries when transferring data to Gibraltar. In the absence of the EU declaring Gibraltar’s data protection regime adequate (see further below), and unless the transfer of data falls within one of the derogations contained in Article 49 of the GDPR, the options for EU entities to be able to transfer personal data to Gibraltar after 31 December 2020 rely on the following “alternative transfer mechanisms”:
- EU entities would need to ensure that personal data that is transferred to Gibraltar is transferred on the basis of Standard Contractual Clauses adopted by the EU Commission (“SCCs”);
- On the basis of “Binding Corporate Rules” pursuant to Article 46(1) and (2)(b) of the GDPR; or
- On the basis of “Codes of Conduct” or “Certifications” approved in accordance with Article 46(2)(e) and (f) of the GDPR provided that such transfers are underpinned by binding and enforceable commitments by the entity receiving the data in Gibraltar.
Gibraltar entities affected by the information contained in this Notice should ensure that they are working with the EU entities which transfer data to them to ensure that alternative transfer mechanisms are put in place. In most cases, the most relevant of these will be SCCs.
Separately, and depending on (i) whether you are a Gibraltar entity with no offices, branches or establishments in the EU; and (ii) whether you offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU, you may have to appoint a representative in the EU to represent you in the EU Member States in which some of the individuals whose personal data you process are located.
Position vis-à-vis the EEA (Norway, Iceland, Liechtenstein)
The guidance outlined in this Notice with respect to the position in EU Member States applies equally to the transfer of data between Gibraltar and the non-EU EEA States, namely Norway, Iceland and Liechtenstein.
The possibility of the EU granting an adequacy decision to the UK and Gibraltar ahead of 31 December 2020
To date, the EU has not decided whether or not to grant an adequacy decision to the UK and Gibraltar. If the EU grants positive adequacy decisions by 1 January 2021, it would mean that personal data can flow freely from the EU/EEA to Gibraltar, as it does now, without entities having to take any further action.
Position vis-à-vis third countries which have been deemed adequate by the EU
The Government is working with the UK Government to ensure that current arrangements with third countries which have been deemed adequate by the EU, such as Switzerland, Canada, New Zealand and Japan amongst others, are rolled-over in a way which would mean that unrestricted data flow can be maintained between Gibraltar and these countries post-31 December 2020.
If there is an agreement with respect to the UK and Gibraltar’s future relationship with the EU by 31 December 2020.
Negotiations with respect to the UK and Gibraltar’s future relationship with the EU are ongoing and Gibraltar’s potential future arrangements with the EU on matters related to data protection are being looked at as part of this process. That having been said, it should be underlined that the EU’s capacity to adopt data adequacy decisions with respect to the UK and Gibraltar does not rely on an agreement on the future relationship with the EU being reached.
Guidance offered by the Gibraltar Regulatory Authority.
The public will be aware that the Gibraltar Regulatory Authority (the “GRA”) has embarked on a public information campaign aimed at ensuring that entities established in Gibraltar are ready for the changes which may come at the end of the Transition Period. Workshops were held in September 2020 to offer Gibraltar-based operators further guidance on any pending concerns regarding EU exit. In light of the interest which may be generated by the publication of this Notice, the GRA have offered to host a further online workshop on 9 December 2020 at a time to be confirmed. Those who wish to attend should send an email to the following email address to register their interest:
This email address is being protected from spambots. You need JavaScript enabled to view it.
The Government would also recommend that businesses affected by the matters covered by this Notice should familiarise themselves with the information published by the GRA on the EU exit section of their website, including the related documents linked at the bottom of their webpage:
www.gra.gi/data-protection/brexit
The website of the UK Information Commissioner’s Office also contains useful information on these matters.
