Even though we left the EU on the 31st January 2020, we are still in the transition period and so not much has changed with our relationship with the EU. However, the relationship is set for a significant change when the transition period ends on 31 December 2020.
The UK and the EU have been negotiating a trade deal to cover the arrangements that will apply, and one area of concern is the regime that will apply to data protection. In particular, there will be implications arising from the General Data Protection Regulation (GDPR), which was incorporated into UK law in May 2018 pursuant to the Data Protection Act 2018 (DPA). GDPR introduced greater protections for the transfer and processing of data and gave individuals more control over when and in what context their data could be used. Brexit has an impact on cross-border transfers and processing of personal data.
What is changing?
This depends on negotiations during the transition period and the final position on any deal.
We do know that from 1 January 2021 the GDPR will be retained as retained EU law and brought into UK law as the ‘UK GDPR’. However, the UK will become a “Third Country” for the purposes of EU GDPR, and this has implications for the transfer of personal data from the EU to the UK and vice versa.
Under EU GDPR the personal data of EU citizens can only be transferred to “Third Countries” if that country has an “Adequacy Decision”. This is effectively a certification by the EU that the Third Country has an appropriate regulatory framework to protect personal data. Without an Adequacy Decision, alternative arrangements need to be put in place to allow the lawful transfer of the personal data of EU citizens outside the EU. These alternative arrangements could include:
Putting in place model terms known as Standard Contractual Clauses (known as “SCCs”) that have been approved by the EU;
Having approved binding corporate rules (known as “BCRs”) in place in a cross-border group of companies. BCRs need to be approved by the supervisory authorities in each member state;
Getting express written consent from the individual whose data is being transferred. However, “consent” is not a reliable model because under EU GDPR the consent can be withdrawn, which poses operational problems for any organisation that transfers data in large volumes.
The UK has asked the EU for an Adequacy Decision, but it is all wrapped up in the deal negotiations and it may not be issued by the end of the year in either a “deal” or a “no deal” scenario.
For data transfers the other way from the UK to the EU, the UK Government has effectively given the EU an Adequacy Decision and so these arrangements will not be necessary.
In addition, any non-EU organisation that processes the data of EU citizens outside the EU and does not have an “establishment” in the EU may need to appoint a “Representative” in one or more EU countries pursuant to Article 27 GDPR. Presently, in the transition phase, UK organisations do not need to do this. However, when the UK becomes a “Third Country”, and if the requirements are met, UK organisations may need to make such an appointment in the EU.
The UK will have a similar regime and so EU organisations may also need to appoint a “Representative” in the UK if they process the data of UK citizens.
The end of the transition period also has implications where an organisation is required to have a data protection officer (known as a “DPO”). A UK based DPO can cover an operation in the EU but the local operation will need to register the DPO with the supervisory authority in the EU state that is selected as the lead state for data protection purposes. The DPO also needs to be accessible to EU citizens.
What do I need to do?
With only a few weeks to go, the position is very uncertain, and so organisations need to prepare for a situation where an “Adequacy Decision” is not issued by the EU. It is therefore advisable that SCCs are built into arrangements between organisations, including cross-border groups, where the personal data of EU citizens is being transferred out of the EU to the UK.
UK businesses also need to check if they need to appoint an Article 27 EU Representative in the EU and if required, make an appointment.
Similarly, EU businesses transferring data to the UK may need to put in place SCCs and, if they process the personal data of UK citizens, they may also need to appoint a “Representative” in the UK.
UK businesses should also decide whether they need to register with a supervisory authority in the EU and, more generally, update privacy policies and procedures to recognise the changed circumstances.