The UK is coming to the end of the Brexit transition period with a resolution on the future relationship with the EU seemingly very far away. While a wide-ranging deal seems increasingly unlikely, it is still possible we will get a number of hastily organised last-minute sectoral agreements and in many ways, data protection would be a prime candidate for this kind of deal given that the UK has already made provision to continue with the current regime, at least in the short term. If, however, no deal is forthcoming, the UK will become a third country for GDPR purposes on 1 January 2021 (implementation day or ID). What does that mean?
The UK has made preparations to adapt the GDPR to work as a piece of UK legislation in conjunction with the Data Protection Act 2018 (DPA18). The draft Data Protection, Privacy and Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019 will come into force on ID.
The Regulations consolidate and amend the EU GDPR and UK DPA18 to create a new UK GDPR. The responsibilities of controllers in the UK will not change and GDPR standards will continue to apply. However, the ICO has not sat on the EDPB nor participated in the GDPR consistency mechanism since the date of the UK's exit from the EU.
The extraterritoriality of the UK's data protection framework will continue to apply. This means that controllers or processors based outside the UK which process personal data about individuals in the UK in connection with offering them goods and services, or monitoring their behaviour, will be caught. Crucially, this includes controllers and processors based in the EEA.
The impact of the UK sitting outside the EEA without an adequacy arrangement will be felt in a number of areas.
From ID, the UK becomes a 'third country' for the purposes of transfers of personal data from the EU.
Under the GDPR, personal data may not be transferred outside the EEA unless there are protections in place to guarantee individuals rights and protections equivalent to those they enjoy in the EU. Countries which are considered to have a data protection regime providing a level of protection equivalent to that in the EU may benefit from a Commission adequacy decision, which allows the free flow of personal data from the EU. Currently, 12 jurisdictions (including the Channel Islands) have adequacy decisions. South Korea is currently being assessed.
While the UK will start from a position of alignment with the EEA on data protection, the EU has expressed some reservations which could prove a stumbling block to adequacy. Concerns have been heightened following the publication of the UK's National Data Strategy which hinted the UK might depart from the GDPR in future and followed Boris Johnson's statement in February 2020 that the UK would seek to establish "sovereign controls" in data protection. Scrutiny will focus on the UK's arrangements for sharing data with the USA under the Access to Electronic Data for the purpose of Countering Serious Crime agreement, and on onward transfers to the US more generally. The EU is also concerned about potential access to EU data by UK law enforcement and national security agencies, an issue highlighted in the recent CJEU decision in Privacy International.
If there is no adequacy decision, a number of other data transfer mechanisms can be used, principally the EC's standard contractual clauses (SCCs), or Binding Corporate Rules (BCRs). There are other limited options but these are not usually available for regular transfers.
On ID, the EEA countries will become third countries with regard to exports from the UK. Under the Regulations, the UK government has done what it can to preserve the free flow of personal data from the UK to the EEA. The UK will transitionally recognise all EEA States, EU and EEA institutions and Gibraltar as providing an adequate level of protection for personal data, allowing personal data to flow freely to them from the UK.
The UK has confirmed that it has secured agreements with twelve of the thirteen EU-adequate countries to preserve the free flow of personal data from them to the UK. This covers Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. Negotiations with Andorra are ongoing.
Again, the Regulations provide reassurance in this area by essentially preserving the effect of existing mechanisms:
Onward transfers of data originating in the EEA could be more problematic as flow-down of EEA protections will be required.
The Regulations provide for the effect of the EU-US Privacy Shield to be preserved with respect to UK personal data flowing to the US. However, the CJEU struck down the Privacy Shield in July 2020, a decision which applies to the UK under the terms of the transition period.
The UK will, in theory, be able to re-instate the Privacy Shield after ID, but if it does, it puts a future adequacy arrangement with the EU at risk given the concern about onward transfers. It is currently unclear whether or not the UK is likely to reach its own agreement with the US.
In the meantime, the Schrems II judgment cast doubt on all methods of data transfer from the EEA to the US and, by extension, from the UK to the US. This is a complex and developing area. See our article for more on data transfers to the US.
The UK cannot unilaterally provide for the free flow of personal data from the EEA into the UK, so these are the data flows most at risk. Those relying on such transfers will need to enter into one of the approved data transfer mechanisms in the absence of an adequacy decision. The most likely candidate, being the easiest to arrange, is Standard Contractual Clauses (SCCs), which should be in place by ID.
There are a number of potential issues with SCCs. They do not always match the data flow situation and cannot be used for processor to processor transfers (although the EC hopes to have new SCCs in place by the end of the year). Another concern is that, following the CJEU judgment in Schrems II, exporters and importers are now required to assess whether or not the importing country allows its intelligence and law enforcement agencies access to EU data which would not adequately protect it by comparison with EU standards. In theory, as the UK was, until recently, an EU Member State, the level of protection should be adequate, but concerns have been raised that the UK regime is too intrusive and puts EU data at risk – something often cited as a potential stumbling block to the UK getting an adequacy arrangement and reinforced by the recent CJEU decision in Privacy International.
Whatever the pros and cons of the various transfer mechanisms, the message to take away is that something needs to be in place from ID in order to preserve the free flow of personal data from the EEA to the UK unless there is a last minute deal on personal data flows.
The EDPB produced an information note on the impact of a no-deal Brexit on BCRs which have the ICO as their Lead SA. As the ICO will no longer play a part in the BCR community in the event of a no-deal/no adequacy ID, organisations headquartered in the UK will need to identify the most appropriate SA for BCRs under the Article 29 Working Party Opinion 263. Groups which currently have an application for BCRs pending with the ICO will also need to go through the exercise, and the newly nominated SA will take over the application from the ICO. Where the ICO has approved an application which is before the EDPB for approval on ID, a new lead SA will have to be identified and will re-submit the application to the EDPB for approval. An organisation relying on EEA regulator-approved BCRs covering the UK will need to update them so that the UK is listed as a third country outside the EEA.
All Brexit-related changes to existing BCRs need to be made before the end of the transition period in order for data flows to be able to continue without interruption from 1 January 2021.
It's not just data exports/imports which are an issue. Businesses will also need to consider whether they have to appoint a representative in a third country jurisdiction. Under Article 27 GDPR, controllers and processors not established in the EU are required to appoint a representative unless they are a public authority; or their processing is only occasional, low risk and does not involve special category or criminal data on a large scale. With the UK outside the EU, businesses with establishments in the UK but not in the EU may be caught by Article 27 from ID.
Similarly, the UK GDPR replicates Article 27 so that controllers and processors not established in the UK (including those in the EEA) will be required to appoint a representative in the UK unless they are a public authority; or their processing is only occasional, low risk and does not involve special category or criminal data on a large scale. Read more about the role of the representative here.
One of the long-heralded advantages of the GDPR is the 'one stop shop' regulatory regime for organisations processing personal data across the EU. The UK will no longer be able to participate in this after ID (which means that businesses which currently have their Lead SA in the UK will need to consider the location of a Lead SA in the EU). They may also want to consider whether they need a DPO based in the EU.
However you decide to handle the issue of Brexit, it is important to check that any existing contracts and terms and conditions match your intentions. This is particularly the case for data transfer agreements or data processing agreements.
Don't forget that whatever lawful basis you rely on to export and/or import personal data, you may also need a data transfer agreement or data processing agreement. For example, for data exports to a processor or sub-processor, the GDPR sets out detailed requirements that an agreement must include in addition to addressing the transfer (see here for more).
Existing agreements, policies and terms and conditions may need to be amended or replaced if, for example, you decide to change the location of your DPO or your Lead SA, or, perhaps the law under which the contract is governed (to a jurisdiction in the EU). You will also need to ensure that there is appropriate provision made for the initial and onward transfers in accordance with GDPR and UK GDPR requirements, especially as the first transfer may no longer be one envisaged by the relevant contract or terms and conditions.
The UK's ICO has published guidance for businesses and SMEs on preparing for a no deal Brexit ID. This includes a 'six step' plan, broader guidance, FAQs, and an interactive tool to help assess whether SCCs are an appropriate data transfer solution. It also covers methods of preserving data flows and looks at when a business might need to appoint a representative in the EU.
We have published a number of articles to help deal with the impact of Brexit on data flows and general data protection compliance. These are available on our Global Data Hub.