The UK has not only left the EU, but the transitional period during which EU laws still applied automatically has now also ended. From the EU’s point of view the UK is now a “third country”. However, it is a special third country as EU laws including the GDPR have been reproduced into UK law.
As a third country, transfers of personal data to the UK should already be subject to the general prohibition under the GDPR – none allowed, unless a safeguard or other justification applies. These can be in particular: (i) an adequacy decision from the European Commission, (ii) binding corporate rules (between companies belonging to the corporate group that they cover); or (iii) standard contractual clauses – at present these can cover controller to processor transfers or controller to controller transfers. Certain limited exceptions apply on an individual and non-repetitive basis, e.g. where specific consent has been given or where necessary for a contract.
In the EU-UK Trade and Cooperation Agreement the EU and the UK did agree provisions maintaining free flows of personal data. The UK has requested “adequacy decisions” and so while these are analysed, it was agreed that initially for up to 4 months (until 30 April 2021), provided that UK legislation does not diverge from EU rules, data flows could continue freely without the transfer rules applying (“the bridge”). The bridge can be extended by an additional 2 months to 30 June 2021.
What do we need to do?
For international transfers of data:
- from the EEA to the UK:
a) during the bridge period: nothing to do
b) after the bridge period, with adequacy decision: nothing to do
c) after the bridge period, no adequacy decision: safeguards required (same as 3 below)
- from the UK to the EEA: nothing to do (the EEA is “adequate”: see Schedule 21, paragraph 4, Data Protection Act 2018)
- from the EEA or UK to elsewhere: an adequacy decision or other safeguard is needed. (The UK has adopted the current European Commission adequacy decisions, including the recent decision for Japan: See Schedule 21, paragraph 5, Data Protection Act 2018).
It seems quite likely that the adequacy decision should be granted – after all the UK GDPR is near identical to the EU GDPR – see the Keeling Schedule of (fairly limited) amendments. If the UK with the UK GDPR is not “adequate” then what chance would other less alligned countries have? However, the European Commission will be examining in particular the ways that UK authorities can override data protection rules to access or intercept data (for example, the EU Court of Justice already cast doubt on the compatibility with EU laws of the UK Telecommunications Act and Regulation of Investigatory Powers Act) and politics is always involved.
So the UK ICO is already alerting businesses to be prepared for the eventuality that the bridge could end without an adequacy decision, and to start to consider safeguards, which may in particular include signing standard contractual clauses.
The current European Commission standard contractual clauses remain valid for transfers commenced before and after Brexit (see Schedule 21, paragraph 7, Data Protection Act 2018). New draft clauses with broader scope are under discussion in the EU, and it remains to be seen when they are adopted and whether the UK follows the EU lead.
Does the bridge apply to other obligations under the UK or EU GDPR?
No. All other obligations under the EU and UK GDPR are already in effect. We need to be aware that we have two GDPR regimes, and one or other or both may apply to our operations depending on where the data subjects are located and where we have a relevant establishment or office. So we may need to duplicate documentation depending on the different scope of each regime that applies to us.
The main changes to consider after Brexit are:
- Contracts and data processing agreements: the main changes relate to the international transfers referred to above.
- Privacy notices: our privacy notice should be updated to reflect changes to international transfers, to ensure the legal references are correct e.g. to the “EU GDPR”, and to identify our UK and EU representatives (if required).
- Records of processing activities (ROPA) and Data Protection Impact Assessments (DPIAs): references to international data flows will need to be reconsidered. We may need two documents, one for each GDPR regime.
- Representatives: if we process data of EEA individuals and don’t have an office in the EEA, then we may need to appoint a representative in an EEA country. If we process data of UK individuals and don’t have an office in the UK, then we may need to appoint a representative in the UK.
- The “one stop shop”: if we have an office in both the UK and the EEA then we will need to deal with the ICO and the local EEA lead supervisory authority (or the authority where we have an office). If we have no establishment in the EEA then we may have to deal with the ICO and the supervisory authorities in all the EEA member states where we have data subjects. There is nothing we can do about this (except to mourn this loss) – although potentially having a local office in the EU/EEA could become more attractive for this reason. Appointing a local representative or registering with a supervisory authority (where this is required) also does not affect this.
- Data protection officers (DPOs): no additional DPO is required – a DPO can be located anywhere (UK, EEA, ROW) as long as they are “easily accessible” from each office in the EEA and UK. However, under the GDPR the DPO’s details should be communicated to an EEA supervisory authority and, if the UK GDPR applies, then also to the UK Information Commissioner.
No particular regulatory action is underway, but any “grace” periods may be short and we would do well to get our documentation and representation updated and in place as soon as possible so that they are in compliance with each GDPR regime that applies to our business. We should also not be fooled by the bridge period – it relates only to international transfers from the EEA to the UK and, given the up and down nature of UK-EU relations, there is no guarantee that any adequacy decision will be granted.
(Picture credit: https://pixy.org/262059/)