Brexit and other developments such as the Schrems 2.0 judgment have had and will have a significant impact on, in particular, data protection laws that apply and how businesses transfer their data internationally.
What does the EU-UK Trade and Cooperation Agreement say?
Data protection is not dealt with in much detail in the Trade Agreement, although it includes a ‘temporary bridge’ mechanism for the free flow of personal data from the EU/EEA to the UK.
What about the UK data strategy?
The UK’s proposed data strategy is out for consultation at the moment but the UK government intends that data should be treated as an opportunity and not a threat. In due course, the UK’s data protection model is likely to change and may well diverge from that of the EU.
What data protection regimes apply?
After Brexit, there are two regimes, and possibly (temporarily) three regimes depending on whether the EU grants adequacy to the UK:
- UK GDPR regime: this is the UK’s new bespoke version of the GDPR, based on the EU GDPR. Decisions such as the Schrems 2.0 decision still apply under English and Welsh law. See also the Data Protection Act 2018 (DPA 2018).
- EU GDPR regime: this is the original GDPR, which applies to all 27 member states of the European Union and also to Norway, Iceland and Liechtenstein.
- Adequacy gap or legacy GDPR regime: this will not apply if the UK receives a final EU adequacy decision.
What about eMarketing, the NIS Directive and freedom of information?
- UK eMarketing rules will continue to apply as before. The EU is replacing its current e-privacy law, and it remains to be seen if and how the replacement will be applied in the UK; its territoriality provisions are likely to mean that the UK will still effectively need to comply.
- The NIS Regulations in the UK will continue to apply as before. Organisations based in the EU that offer services in the UK must, by the end of March 2021, appoint a representative in the UK, confirm this with the ICO, and comply with the UK NIS Regulations as well as any local EU interpretations of the Cybersecurity Directive. UK-based organisations offering services in the EU must appoint an EU representative.
- The Freedom of Information Act 2000 and Environmental Information Regulations will continue to apply.
What about UK adequacy?
The European Commission has produced a draft decision stating that the UK GDPR and the DPA 2018 ensure a level of protection for personal data transferred from the EU/EEA that is essentially equivalent to the one guaranteed by the EU GDPR. The decision needs further approval, and politics and other risks may delay its ratification.
What about safeguards for international data transfers?
Safeguards are often needed for international personal data transfers, depending on the locations involved:
- Binding corporate rules (BCRs) remain the gold standard.
- Standard contractual clauses (SCCs) are approved template terms which ensure GDPR standards are met (provided the terms in the SCCs are respected).
- Other exceptions to the rule (see slides and recording below).
What about existing EU SCCs for international transfers and guidance?
EU SCCs entered into prior to 31 December 2020 remain valid for use where needed for transfers into and out of the UK. For new transfers the existing EU SCCs remain valid at present (see below for UK SCCs).
What about new UK SCCs for international transfers and guidance?
The ICO intends to publish new UK SCCs in 2021. It has produced an amended version of the existing EU SCCs to make sense in a UK context. At some point EU SCCs may be invalid for transfers from the UK.
What about new EU SCCs for international transfers and guidance?
These are currently under consultation, and there is a one-year transition period for their use after they are approved. It is likely they will be valid where the EU GDPR applies. It remains to be seen whether the UK will approve them; unless it does, they will be invalid for transfers out of the UK under the UK GDPR.
What about BCRs?
- BCRs are designed to allow multinational companies to transfer personal data from the EEA to their group companies located outside of the EEA (including the UK since 31 December 2020).
- For multinationals they are by far the safest option.
- A BCR-holder with EU operations and the ICO as lead authority will need to have transferred to a new lead authority (otherwise the EU BCRs will be invalid).
- Changes will be needed as per the EDPB checklist dated 22 July 2020.
- ICO-approved BCRs may need a UK BCR document suite.
- Holders of EU BCRs will need to put a UK BCR in place (with or without formal approval).
What about UK representatives?
- If you are a private sector business with no physical presence in the UK, then under the UK GDPR you need to appoint a UK representative if you target your goods or services at UK individuals, or if you monitor the behaviour of UK individuals.
- This requirement has applied since 1 January 2021 and is mandatory; failure to comply with it can result in large fines of up to £8.7M or (if higher) 2% of worldwide turnover.
- The UK Representative Service, provided by Shoosmiths Privacy Services Limited (a wholly owned subsidiary of Shoosmiths LLP), provides a simple, online solution to this requirement, at a fixed annual or monthly fee. By subscribing to the Service, you can appoint us as your representative and ensure you remain compliant with this GDPR requirement.
For more information, visit www.shoosmiths.co.uk/dataprivacyrep.
What about Data Protection Officers (DPOs)?
- If you are currently required to have a DPO, that requirement will continue, whether under the UK GDPR or the EU GDPR. You may continue to have a DPO who covers the UK and the EEA, and the DPO can continue to be located in the UK.
- However, the UK and EU GDPRs will both require that your DPO is easily accessible from each establishment in the EEA and the UK, and has expert knowledge of both regimes.
What about the One-Stop-Shop?
- If your UK business carries out any cross-border processing involving the EU/EEA, it used to benefit from the One-Stop-Shop system under the GDPR, under which a single data protection authority acted as lead on behalf of the other EEA data protection authorities. If you continue any cross-border processing, your lead authority will need to change if it is currently the ICO.
- Companies can now face investigation by EU and UK regulators, and potential fines from each of them.
What should you be doing now? (Assuming there will be an adequacy decision for the UK by the EU)
- Comply with the relevant GDPR regime(s)
- Understand your data flows and the locations involved. You need to distinguish UK processing from EU processing; prioritise flows containing large volumes, special category data or criminal convictions and offences data, business-critical transfers, and those involving key higher-risk areas such as the US.
- Appoint EU, UK and NIS representatives if necessary
- Assess your appropriate lead supervisory authority
- Update your BCRs and apply for UK BCRs as needed
- Keep track of privacy law changes
- Review your privacy notices, DPIAs, SCCs and other documentation to update references to EU law, UK-EU transfers and your UK and/or EU representative
- Ensure your DPO will be easily accessible from any UK and EEA establishments and has expertise in all regimes.
International Data Flows
Between the EEA, the UK and all other “adequate” locations, data is likely to flow freely (see the transfer table in the slide deck to the webinar; some review is still needed).
Between the rest of the world and the EEA and UK, where safeguards are needed (see the transfer table earlier in the slide deck to the webinar):
- For medium to large companies, consider:
  - BCRs (controller and processor) which address processing internally and with customers
  - Hybrid DTA, and
  - SCC+ mini DPIA (post consultation and over the 12-month transition)
- For smaller companies, consider:
  - Hybrid DTA, and
  - SCC+ mini DPIA (post consultation and over the 12-month transition)
What is SCC+?
- No contract will achieve compliance on its own. SCC+ involves supplementary measures as well as adding SCCs into a contract to justify transfers.
- Understand your data flows!
- Understand the existing SCC obligations.
- Bear in mind the industry involved, the categories and volume of personal data transferred, the purposes of the processing by the importer, and the duration of data retention in the third country.
- Undertake and record a transfer risk assessment, both within the company group and externally with existing third-party vendors and suppliers, looking for anything in the law or practice of the locations involved that may affect the SCC safeguards. Specifically:
  - prohibitions on transfers or guidance by location (we have tracked this globally);
  - law enforcement implications and processes, and the rules for disclosure to and access by governmental agencies (our location analysis questionnaire can be used);
  - conflicts with GDPR data protection standards;
  - an independent oversight mechanism and enforceability of rights and claims, including in a court or tribunal.
- Consider technical measures such as encryption (there is technical complexity to this), pseudonymisation, and split or multi-party processing.
- Create additional clauses within your Hybrid DTA or GDPR-compliant contract to supplement the SCCs and address specific risks such as importer transparency, enhanced audits, challenging government access requests, notification requirements about being unable to comply with SCC clauses, and enhanced data subject rights.
- Update/review your due diligence processes for new vendors and suppliers, especially in the US and other risky locations. Our location questionnaire can be used.
- Consider your data protection compliance assessment generally, including internal policies for governance of transfers and for dealing with government access requests, staff training, data minimisation processes, internationally recognised security standards, and commitments not to make onward transfers to countries that do not offer essentially equivalent protections.