Brexit & Data Protection Update
The deadline for a partnership and trade deal between the UK and the EU is drawing very close. Whilst we remain in the dark, one of the key questions for businesses is whether a deal will be achieved and, if so, whether it will include an ‘adequacy decision’ for the UK to enable flows of personal data from the EU to the UK.
Many UK organisations have been maintaining a watching brief “to wait and see” how matters develop. With time running out, businesses should have a plan in place for managing international transfers if a deal isn’t agreed and/or an adequacy decision is not granted.
What is an adequacy decision?
An adequacy decision is a finding by the European Commission that the legal framework in a country, territory, sector or international organisation provides ‘adequate’ protection for individuals’ rights and freedoms for their personal data. Transfers outside of the EEA are generally restricted under the EU GDPR unless the recipient country has received an adequacy decision or there are appropriate safeguards in place in order to make the transfer.
What is the current state of play?
Currently, the data protection laws in the UK are predominantly the same as those in the EU, with the key privacy legislation applicable in the UK being the GDPR and the Data Protection Act 2018 (“DPA 18”). Largely this will stay the same; at the end of the transition period the GDPR will be retained in domestic law as the “UK GDPR” under which the key principles of the GDPR will remain the same.
The DPA 18 (which largely embeds the GDPR with certain derogations and builds upon it) and the Privacy and Electronic Regulations 2003 (PECR) will continue to apply, with the UK government having the freedom to keep its data protection framework under review. Like the GDPR’s territorial scope, the UK government intends that the UK’s version of the GDPR will apply to controllers and processors based outside of the UK where their processing activities relate to the provision of goods or services to individuals in the UK or monitoring individuals’ behaviour in the UK. The UK GDPR will require organisations to appoint a representative in the UK in such circumstances if they do not have an establishment in the UK (with some exceptions).
The UK is now in a transitional period until the end of 2020 following its decision to leave the EU and is engaged in ongoing negotiations with its EU counterparts to reach agreement on what the data protection landscape will look like in the UK at the end of this year. As such, until these discussions are concluded, save for the above, it is unclear what this new landscape will look like. Irrespective of this, to avoid potential non-compliance, organisations should consider the options which are available now, as without a decision of adequacy applicable from the end of the year, the UK will be classed as a third country under the GDPR and safeguards will be required to transfer personal data from the EU/EEA to the UK.
What safeguards can be implemented?
Standard Contractual Clauses
Generally, the most straightforward way to guarantee an appropriate safeguard for a restricted transfer from the EEA to the UK is for the organisation located in the EU which is sending data outside of the European Economic Area (“EEA”) (the “Data Exporter”) to enter into standard contractual clauses (“SCCs”) with the recipient organisation based outside the EEA (“Data Importer”). SCCs are commonly used contractual agreements, ratified by the EC as guaranteeing appropriate safeguards between EU organisations and international recipients.
Please note, the EC has recently proposed new SCCs which will replace the current SCCs. The EC’s draft implementing decision has provided a one year transition period for parties to enter into these new provisions, whereby transfers can still be made on the basis of the current SCCs for the duration of this “sunset period”. However, if contracts are changed during this period, the parties must enter into the new SCCs at that point and lose the benefit of the sunset provision. Parties can still benefit from the sunset provision if they make changes to existing contracts to reflect the EDPB’s recommendations, following the recent decision in Schrems II.
Binding Corporate Rules
Binding corporate rules (“BCRs”) are also an option. BCRs are designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA. They are deemed as another means of demonstrating adequate safeguards under the GDPR. As a result, organisations could look to implement BCRs in order to transfer data from the EU to the UK. If you currently have BCRs in place including a UK entity, you will need to update them to recognise the UK as a third country outside the EEA for the purposes of the EU GDPR from the end of the transition.
It is worth highlighting that BCRs can only be used for intra-group transfers of data outside the EEA, and an application must be sent to a data protection authority of your choice to demonstrate that your BCRs guarantee adequate safeguards for protecting personal data throughout your organisation. Consequently, BCRs should not be considered as a “quick fix” solution, as supervisory authority input will be required before you can rely on BCRs. As such, if you haven’t begun the process of seeking regulatory approval, you won’t have BCRs in place before the end of the Brexit transition period.
Multinational corporate groups that are currently using existing EEA-approved BCRs to make transfers into and out of the UK will need to update their BCRs to reflect that the UK becomes a third country under the EU GDPR at the end of the transition period.
Derogations for Specific Situations
In the event there is no adequacy decision for the UK and there are no appropriate safeguards available, organisations may be able to rely on an Article 49 GDPR derogation to make the restricted transfer. The EEA based organisation must determine whether an exception applies. The exceptions are interpreted strictly and are extremely limited. An organisation may be able to rely on the following exceptions:
- the individual’s explicit consent;
- an exceptional transfer for a compelling legitimate interest;
- an occasional transfer for the performance of a contract with an individual;
- an occasional transfer to establish, make or defend legal claims;
- transfers from public registers; or
- an occasional transfer for important reasons of public interest.
What else should be considered?
From 1 January 2021, organisations will need to appoint a UK representative if they are based outside of the UK, they do not have a branch, office or other establishment in the UK and they either offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK. Please note, this requirement applies to EEA based organisations too. This representative may be an individual, or a company or organisation established in the UK, and must be able to represent you in respect of your compliance with UK GDPR.
You will need to authorise the representative, in writing, for example, via a service agreement, to act on your behalf regarding your UK GDPR compliance, and to communicate with the ICO and with data subjects.
Similarly, if you are based in the UK and do not have a branch, office or other establishment in any EU or EEA state, and you offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA, you will still need to comply with the EU GDPR regarding this processing even after the end of the transition period, and you will need to appoint an EU representative.
This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing in this way are located. For example, if you have customers based in Spain, France and Germany, your EU representative can be located in any of these 3 countries. If, however, you were processing the data of individuals based only in Spain and Germany, your representative should not be located in France; it should be based in Spain or Germany.
Again, you will need to authorise the representative in writing, to act on your behalf in respect of your EU GDPR obligations, and to liaise with any supervisory authorities or data subjects as required. This representative may be an individual, or a company or organisation established in the EEA, and must be able to represent you in relation to your compliance under the EU GDPR.
Where you are required to have a UK or EU representative, you should also provide details of your representative to UK/EEA-based individuals whose personal data you are processing. This could be done by referencing them in your privacy notice or in the information you provide them when you collect their data. This information should also be easily accessible to supervisory authorities, for example, via your online privacy notice.
Under both the UK GDPR and EU GDPR, public authorities are not required to appoint representatives. It is also not necessary to appoint a representative if your processing is only occasional, of low risk to the data protection rights of individuals and does not involve large-scale use of special category or criminal offence data.
What should you do now?
If you are a UK organisation that already complies with the GDPR, you do not have any customers in the EEA and you do not receive any data from individuals in the EEA, your preparation for data protection at the end of the transition period should be minimal: review your privacy information to identify whether any changes are needed, and continue to comply with the GDPR.
With the current lack of certainty around the UK gaining adequacy, organisations should act now to ensure they have a plan in place for if the UK does not obtain adequacy and therefore becomes a third country under the EU GDPR.
As a first step, you need to fully understand the nature of your data flows, and you should therefore review all of your supplier and customer relationships to see where your data is going. Once this review has been completed, it will be a case of aligning any required remediation work to the key requirements outlined above and making sure your privacy information is updated to reflect the impending changes. Organisations should also closely monitor developments in UK data protection law to ensure they keep pace with any changes.