Mona Patel, Partner
Getting ready for Brexit - Data Protection
With the end of the Brexit transition period approaching on 31 December 2020, we consider what implications this will have for data protection in the UK.
What will happen to UK data protection law and regulation after the Brexit transition period?
On 1 January 2021, the UK will be a third country outside the European Economic Area (EEA). The EU GDPR will be incorporated into UK domestic law as the 'UK GDPR' and will sit alongside an amended version of the Data Protection Act 2018. Whilst the UK GDPR will be kept under review, it is expected that, at least in the short term, UK data protection law will remain aligned with the EU GDPR.
After the transition period ends, the ICO will no longer be able to act as a Lead Supervisory Authority (LSA) under the EU GDPR's one-stop-shop mechanism, though it will remain the UK's independent supervisory authority on data protection.
Can we continue to transfer personal data from the UK to the EU/EEA after the Brexit transition period?
The UK Government has indicated that it does not plan to make any changes to the way organisations send personal data from the UK to the EU, EEA, Gibraltar and other countries deemed adequate by the European Commission (although this will be kept under review). This will allow personal data to continue being transferred from the UK to these countries without the need for additional safeguards.
Can we continue to receive data from the EU/EEA after the Brexit transition period?
The future of cross-border data transfers from the EU/EEA to the UK remains unclear. As noted above, the UK will be considered a third country from 1 January 2021, so the treatment of such transfers will depend on whether the European Commission adopts an adequacy decision in relation to the UK before 31 December 2020, or some other form of agreement is reached (e.g. as part of a Brexit deal). An adequacy decision would permit personal data transfers from the EU/EEA to the UK without the need for further safeguards or authorisation from a national supervisory authority. The European Commission's adequacy assessment of the UK is currently ongoing. Owing to the decision in Schrems II¹ (see our briefing here) and the recent European Court of Justice decision on government surveillance², there are doubts that a favourable adequacy decision will be forthcoming before the end of the transition period (if at all).
If an adequacy decision is not forthcoming before the end of the Brexit transition period, organisations may need to take steps to ensure that cross-border transfers of personal data can continue without breaching the EU GDPR. EU/EEA data exporters sending personal data to the UK would breach the EU GDPR unless they can rely on an appropriate safeguard or on one of the limited derogations (e.g. explicit consent, contractual necessity or transfers relating to legal claims). The ICO has advised that the most appropriate safeguard for most organisations will be entering into contracts using the standard data protection clauses adopted by the European Commission, known as Standard Contractual Clauses (SCCs). SCCs are agreements containing contractual obligations on the data exporter and the data importer, and rights for the individuals whose personal data is transferred. Despite the decision in Schrems II, SCCs are likely to remain the fastest solution for organisations to implement between now and the end of the transition period. Note, however, that Schrems II requires an exporter relying on SCCs to assess whether the law of the destination country (here, the UK, including its surveillance regime) undermines the protection the clauses provide, and to adopt supplementary measures where it does; signing the SCCs is therefore necessary but not, on its own, sufficient.
Another alternative is the Binding Corporate Rules (BCR) framework. BCRs are internal rules that facilitate cross-border data transfers within a multinational group of companies or international organisations. If an organisation has BCRs authorised under the EU process in place before the end of the transition period, those BCRs will continue to provide an appropriate safeguard for personal data transfers from the EU/EEA to the UK, though updates will be required to recognise the UK as a third country for the purposes of the EU GDPR.
How can our organisation prepare for the end of the transition period?
- There is a risk the UK will be treated as a third country without "adequate" data protection rules, in which case transfers of personal data from the EU/EEA to the UK will be subject to additional restrictions. If data is a key part of your business, consider the cost and process involved in moving data services. Consider using EU model clauses (SCCs), or serving relationships from a different EU/EEA group company, if key customers/partners are in the EU/EEA.
- Work through the detailed European Data Protection Board (EDPB) Recommendations (available here, also see our briefing here).
- Keep an eye out for further guidance from the ICO, other supervisory authorities, the EDPB and the European Commission.
- For those that currently treat the ICO as their Lead Supervisory Authority, consider which EU/EEA supervisory authority will become the LSA for EU GDPR purposes after the transition period (this will follow from the location of your main establishment in the EU/EEA).
- Organisations that have appointed a Data Protection Officer (DPO) should ensure that their DPO is accessible from their EU/EEA and UK establishments (if established in both).
- Consider whether UK or EU/EEA representatives need to be appointed under the UK GDPR or EU GDPR.
- Review current personal data transfer arrangements for any transfers from the EU/EEA to the UK, and prepare to put SCCs in place if necessary.³
- Consider any other post-transition period steps, e.g. updates to (or replacement of) privacy notices, records of processing and policies, and ensure that details of your EU-based and/or UK-based representatives and DPOs are updated.
- Consider your data protection impact assessments concerning international data transfer processing activities.
The above does not constitute legal advice nor does it consider a complete list of issues to consider in the context of the GDPR. Should you have any queries, please do not hesitate to contact the authors of this article or your usual contact at Ince.
¹ Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559 (Schrems II).
² Privacy International v Secretary of State for Foreign and Commonwealth Affairs, the Secretary of State for the Home Department and the UK security and intelligence agencies (SIAs) (Case C-623/17).
³ The European Commission plans to update the existing SCCs for the GDPR before the end of the year, so it would be wise to continue checking the ICO website for guidance and updates to ensure that you use the latest SCCs and/or modify any existing SCCs to meet the updated requirements.