How Brexit affects GDPR
In practice there will be little change to the current core data protection principles, rights and obligations and the UK GDPR will sit alongside the Data Protection Act 2018. However, there are a couple of key changes worth highlighting on which organisations should take action:
Customers in the EU?
If you offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU, the EU GDPR will continue to apply directly to those processing activities (Article 3(2)), and with it the Article 27 obligation to appoint a representative.
Also, if you do not have an establishment in the EU, you will need to appoint a representative in the EU to comply with the EU GDPR and consider where that representative should be based. Failure to appoint a representative where one is required could leave an organisation unwittingly non-compliant with the EU GDPR.
Article 27 is not affected by the EU-UK Trade and Cooperation Agreement.
Receiving personal data from the EU/EEA?
The EU-UK Trade and Cooperation Agreement provides a bridging mechanism for the transfer of personal data from the EU to the UK. This will remain in place for four months (from 1 January 2021) and will be automatically extended for a further two months if neither of the parties objects (the “bridging period”).
The EU Commission has been asked to make an adequacy decision in respect of the UK’s data protection arrangements by the end of the bridging period.
If the EU Commission does not make an adequacy finding for the UK by the end of the bridging period, the UK will be considered a ‘third country’ for the purpose of receiving personal data from the EEA. This means that the transfer of personal data from organisations within the EU to UK organisations will be subject to the appropriate safeguard requirements relating to data transfers that are set out in the EU GDPR (see below).
The bridging period will be welcome news for many organisations that have not yet addressed EU/EEA to UK data transfers. It is hoped that the European Commission will grant adequacy to the UK within that period, but there is no guarantee that this will happen.
Organisations should start looking at which data flows may be affected in case the EU Commission does not make an adequacy finding.
If the EU Commission does not make an adequacy finding before the end of the bridging period, it seems at present that where an organisation needs to continue transferring personal data from the EU to the UK, those transfers may need to be covered by Standard Contractual Clauses (SCCs) or other appropriate safeguards. For more on SCCs please see below.
EU-US Privacy Shield declared invalid
In July 2020, in its ruling in the Schrems II case, the Court of Justice of the European Union (CJEU) invalidated the adequacy decision relating to the EU-US Privacy Shield with immediate effect. This means that the most widely used mechanism for EU-based organisations to transfer personal data to US organisations is no longer available. The CJEU invalidated Privacy Shield on the basis that US surveillance laws are not limited to what is strictly necessary and proportionate, as required by European data protection law, and that data subjects lack enforceable rights and judicial remedies under those laws.
What about Standard Contractual Clauses?
The CJEU confirmed that SCCs remain a valid mechanism for transferring personal data to third countries. However, this is not necessarily the magic bullet that it appears to be. SCCs only remain valid where they provide protection "essentially equivalent" to that in the EU. Therefore the same issues regarding access by US intelligence authorities apply to transfers made from the EEA to the US under SCCs. The data exporter and importer are expected to carry out a case-by-case assessment to decide what, if any, supplementary provisions need to be added to the SCCs and whether the data will be sufficiently protected once transferred. If data transferred to a third country under SCCs is not adequately protected, such transfers may be open to challenge by Supervisory Authorities and to possible sanctions.
It is not yet clear whether the European Commission will have similar concerns in relation to the powers granted to UK authorities under the Investigatory Powers Act 2016 now that the UK is no longer a member of the EU, particularly in light of the focus in the Schrems II judgment on intelligence and surveillance.
New (draft) SCCs have now been published by the European Commission aiming to address the issues in Schrems II, and these are currently under review by the ICO.
For transfers of data from the UK to third countries outside of the EEA (where the UK GDPR applies), the Secretary of State (and by delegation, the Information Commissioner’s Office) will have the power to approve SCCs where any “adequacy regulation” has not been made. The ICO website confirms that they intend to consult on, and publish, new UK SCCs during the course of 2021.
What should organisations do now?
Given the grey areas around this issue and the expectation of further change during the course of this year, organisations should be cautious about implementing specific additional safeguards that would create significant legal or operational burdens. However, there are certain steps which can be taken now to minimise risk.
- If currently relying on Privacy Shield, then immediate action should be taken to transfer personal data using an alternative basis or stop transferring personal data to the US.
- If relying on SCCs to transfer personal data to any third country, review those SCCs to establish whether data is sufficiently protected.
- Consider whether any further measures can be taken to minimise the amount of data being transferred and enhance protections.
- Keep an eye on updates on an adequacy finding for the UK by the European Commission and plan for the eventuality that such a finding will not be forthcoming.