The UK has now left the EU and the transition period for leaving ended on 1 January 2021; however, the EU-UK Trade and Cooperation Agreement (“Trade Agreement”) has extended the transition period for data protection requirements for up to six months (“Specified Period”). This article has been updated to account for the extension.
This blog considers what Brexit means for data protection, highlights some of the key changes to the General Data Protection Regulation (“GDPR”) following Brexit and suggests practical considerations for businesses that process personal data. The biggest impact will be felt by those who transfer data from the EEA into the UK, as we describe below.
There are two versions of the GDPR following 1 January 2021: the GDPR, which will continue to apply to those operating within the EU (“EU GDPR”), and the UK GDPR. Therefore, businesses that operate within both the UK and the EU will be subject to a dual regime and must consider their obligations under both sets of regulations.
As the UK diverges from the EU, data controllers and data processors should be particularly alert to the fact that the UK GDPR will not automatically incorporate changes made to the EU GDPR after Brexit; these will need to be specifically incorporated by the UK, if they are incorporated at all.
The first port of call should be to consider whether your business processes personal data within the UK, the EU, or both, and consider the appropriate regulations. The most obvious changes will be to terminology in existing (and future) contracts; for example, references to the GDPR should instead refer to the UK GDPR, references to the supervisory authority will become references to the Information Commissioner, and references to member state law should become references to domestic law.
There is little material difference between the UK GDPR and the EU GDPR in terms of the responsibilities of processors of personal data. The ICO has advised that the key principles, rights and obligations will remain the same as before, so if you already comply with the current GDPR then the transition should not have much effect. The biggest impact will be felt by those who transfer data from the EEA into the UK.
We had hoped that by the end of the transition period, the UK would be approved by the EU Commission as being ‘adequate’ in data protection terms. However, this has not yet happened. From the end of the transition period the UK’s reclassification as a ‘third country’ will take effect. This has important consequences for the transfer of personal data from the EEA into the UK. Transfers to third countries are only permitted in certain circumstances, the most important of which are where:
An adequacy decision means that the EC is satisfied that the third country has an adequate level of data protection and issues a formal decision to that effect. The effect of this is that no further safeguards are necessary for transfer of personal data from an EEA state to that country.
There has still been no adequacy decision made nor relevant codes agreed between the EU and the UK; the EU is in the process of conducting a data adequacy assessment of the UK. To pass the assessment, the third country’s data protection standards must be ‘essentially equivalent’ to those of the EU. Such a decision in favour of the UK is not guaranteed, particularly following recent criticism by the CJEU of the UK’s Regulation of Investigatory Powers Act. Meanwhile, the UK Government has already stated that transfers from the UK to the EEA will be permitted.
Please also note that organisations operating in the EU will need to appoint an EU representative under Article 27 of the EU GDPR, and vice versa for EU companies operating in the UK.
For those businesses that operate with other third countries that have already been deemed adequate by the EU, eleven of those twelve countries have so far agreed to maintain unrestricted personal data flows to the UK (the exception being Andorra). There are no changes whatsoever to personal data transfers from the UK to any other country, as the UK Government has decided to retain the adequacy decisions made by the EC.
The effect of the Trade Agreement is that personal data transfers from the EU and EEA to the UK can continue without additional safeguards during the Specified Period. This extended transition period is an initial four-month period from 1 January 2021, which will be automatically extended by two months unless one of the parties objects or the EC makes an adequacy decision. If no adequacy decision has been reached by the end of the Specified Period, then appropriate safeguards must be in place for data transfers from the EU or EEA into the UK.
Standard contractual clauses (“SCCs”) are the most common way to put in place safeguards to protect personal data transferred to third countries with no adequacy decision. This mechanism will usually be the best option for transfers of personal data from the EEA to the UK until the UK receives an adequacy decision. SCCs are terms and conditions that the transferor and receiver enter into in order to ensure that the transferor complies with its EU GDPR obligations. The ICO has been given the power to produce SCCs and has already made guidance and templates available which are aimed at micro, small and medium-sized businesses: controller to processor; controller to controller.
Larger businesses that transfer personal data between group companies in different countries may instead decide to consider creating binding corporate rules (“BCRs”) for their intra-group transfers. They must apply to a data protection authority within the EU, which will assess the BCRs to ensure that adequate safeguards for protecting the personal data are in place throughout the organisation.
Every business should review its UK GDPR obligations. The following summaries highlight the differences for cross-border personal data transfers.
If you would like to discuss this blog or any other commercial contract query, please contact a member of the Commercial team and we will be delighted to assist you.