What will UK data protection look like after Brexit 2.0 on 31 December 2020?
Regime 1: the 'UK GDPR': the UK's new bespoke version together with the Data Protection Act 2018
- The UK GDPR will be the UK data protection regime, based on the 'EU GDPR' (see below). In a sense the EU GDPR will be 'onshored' into UK law
- It will enter into force at 11pm (GMT) on 31 December 2020
- The ICO will be the supervisory authority
- It will apply to UK controllers or processors wherever their processing takes place
- It will also apply to controllers and processors based outside the UK if their processing activities relate to offering goods or services to individuals in the UK, or to monitoring the behaviour of individuals taking place in the UK
Regime 2: the 'adequacy gap’ or ‘legacy’ regime. This adequacy gap or legacy data protection regime, set out in Article 71 of the Withdrawal Agreement, is designed for the period after 11pm on 31 December 2020 and before the date of adequacy decision (if one is made)
- It applies to personal data of EEA data subjects outside the UK which was processed in the UK under the EU GDPR before the end of the transition period; that data must remain subject to the EU GDPR after 31 December 2020 (until an adequacy decision is made)
Regime 3: the 'EU GDPR': the original GDPR
- The EU GDPR is the current EU data protection regime
- After 11pm on 31 December 2020 the EU may amend the EU GDPR so that it starts to diverge from the UK GDPR (see above)
- The ICO will not be the supervisory authority; there could be multiple supervisory authorities involved, depending on your establishments, the locations of the data subjects involved and the rules relating to cross-border processing
- It will apply to UK controllers who have an establishment in the EEA, or who have customers in the EEA, or who monitor individuals in the EEA
- As before, it will apply to any controllers and processors who have an establishment in the EEA, or who have customers in the EEA, or who monitor individuals in the EEA, e.g. EEA controllers sending personal data to the UK or elsewhere
What about other data protection laws?
- The PECR (Privacy and Electronic Communications Regulations) rules cover marketing, cookies and electronic communications. They derive from EU law but are set out in UK law. They will continue to apply in the UK at the end of the transition period
- The NIS rules, which implement the NIS Directive in the UK, cover the security of network and information systems. They derive from EU law but are set out in UK law. They will continue to apply at the end of the transition period
- The Freedom of Information Act 2000 forms part of UK law and will continue to apply
- The Environmental Information Regulations 2004 derive from EU law but are set out in UK law. The UK has also independently signed up to the underlying international treaty on access to environmental information (the Aarhus Convention).
Will the UK obtain an adequacy decision?
Our view is that it is unlikely the UK will obtain an adequacy decision from the EU before 31 December 2020. If it obtains one, it would effectively mean the UK is regarded as a 'safe pair of hands' from a data protection perspective. However, acquiring adequacy is a lengthy process; typically it takes three to five years. The absence of an adequacy decision will have a major impact on EEA to UK transfers in particular.
The third countries deemed adequate by the EU which currently share data with the UK will have to decide on the UK's status. The UK government has said it intends the EEA and the locations recognised as adequate by the EU to be recognised as adequate by the UK (but this has yet to be implemented).
The UK Department for Digital, Culture, Media & Sport (DCMS) has indicated it is confident that the UK's data protection standards will gain a finding of adequacy from the EC before 1 January 2021. However, others are not so sure that this is achievable, particularly given well-publicised risk factors.
What happens if there is no adequacy decision?
- For transfers of data from the EEA to the UK: you need to act now to maintain data flows (external and internal) via permitted safeguards. Consider using BCRs and SCCs; see the bullet points on BCRs and SCCs below
- Consider using binding corporate rules (BCRs). This ‘gold standard’ framework is designed to allow multinational companies to transfer personal data from the EEA to their group companies located outside of the EEA (including the UK after 31 December 2020). You may also need to update your BCRs to make them GDPR compliant
- Consider using standard contractual clauses (SCCs), as enhanced as a result of the Schrems 2.0 judgment (known as SCCs+):
- Update your records of processing activities (ROPA)
- Understand the existing SCC obligations. They require significant vigilance, legal advice, ongoing monitoring and action
- Undertake and record a mini-DPIA to justify, internally and externally, the adequacy of protection for any specific transfer:
- Risk assess locations both within the company group but also externally with existing third-party vendors and suppliers
- Where appropriate, create additional clauses within your hybrid DTA or GDPR-compliant contract to supplement the SCCs to address specific risks
- Update/review your due diligence processes for new vendors and suppliers, especially those in the US and other risky locations. Our location questionnaire can be used for this
- Consider your data protection compliance assessment generally
- Monitor developments. New versions of SCCs are expected shortly
What about UK and EU representatives?
You may need to appoint a UK or EU representative (or both). This requirement applies whether or not an adequacy decision is made.
As for UK representatives:
- The UK representative requirement is analogous to the EU representative requirement
- It applies to any business outside the UK that is caught by the extra-territorial rules and must therefore appoint a UK representative, namely one which:
- has no UK physical footprint
- either monitors UK individuals or targets goods/services in UK
- It excludes public sector entities and occasional processing
Key responsibilities of the UK representative are:
- Maintaining ROPA (as provided to it by the appointing controller/processor)
- Facilitating communications between individuals and the controller/processor, and between the ICO and the controller/processor
- Cooperating with & providing information (including ROPA) to ICO
- Being the point of contact for UK data subjects, as named in privacy notices
Responsibilities do not include:
- Fulfilling data subject rights
- Advising the controller/processor on commercial strategies, or legal rights or obligations
Can Shoosmiths be appointed as your UK representative?
Yes. In response to demand, Shoosmiths will be launching a UK Representative Service next week:
- This will be a fixed price, platform-based service, and available to any business
- It will be provided by Shoosmiths Privacy Services (a subsidiary of Shoosmiths LLP)
- We are also likely to be launching an EU Representative Service within the next month for clients based in the UK which offer goods and services to, or monitor the behaviour of, individuals in the EEA, after 31 December 2020. Watch this space.
What about data protection officers?
If you are currently required to have a DPO, that requirement will continue, whether under the UK GDPR, EU GDPR or legacy data regime:
- You may continue to have a DPO who covers the UK and EEA
- The DPO can continue to be located in the UK
- The UK and EU GDPRs will both require that your DPO is easily accessible from each establishment in the EEA and UK, and has expert knowledge of both regimes
What about, for example, cookies?
In situations where the EU GDPR applies, organisations will be bound by EU member state laws and ongoing guidance. The European Data Protection Board has issued guidance on consent, and the French data protection authority, CNIL, has recently updated its guidance on cookies. The ICO has yet to clarify its position.
In situations where sites can be accessed around the world, this could be a complex legal area to navigate after 31 December 2020. It is still very much the case that many sites are not compliant.
What are your next steps?
- Comply with the GDPR
- Understand what GDPR regime applies to your business (UK GDPR, EU GDPR). If there is no adequacy decision, consider the legacy data regime
- Understand what supervisory authorities are involved
- Understand your data flows (ROPA) and locations involved
- If there is no adequacy decision, for the legacy data regime, distinguish personal data collected before 31 December 2020 from data collected afterwards, and identify whether it relates to UK data subjects and whether it was processed in the UK
- Appoint EU and UK representatives if necessary
- Check whether the UK has recognised the adequacy of the EEA and of the relevant global locations you transfer to
- Review your privacy notices, DPIAs and other documentation to update references to EU law, UK-EU transfers and your UK and/or EU representative (if you need one)
- Ensure your DPO will be easily accessible from both your UK and any EEA establishments and has expertise in all regimes
- Consider international data flows (including from EEA to UK, if there is no adequacy decision): medium to large companies:
- BCRs controller and processor which address processing internally and with customers
- Hybrid data transfer agreement (DTA), and
- Consider international data flows (including from EEA to UK, if there is no adequacy decision): smaller companies:
For more information on Brexit generally see the Shoosmiths Brexit Hub.