This briefing was updated on 24 September 2020.
Organisations are having to take a number of measures to ensure that they are prepared to deal with the fallout from Brexit. One of these includes reviewing the impact that Brexit will have on the processing of personal data and the steps which an organisation will need to put in place to address that impact.
This briefing is one of two in which we explore some of the implications of Brexit for UK businesses and their use of personal data, namely:
- how transfers of personal data between the UK and the EU will be regulated post Brexit;
- that UK businesses operating within the EU will need to adjust to having a new regulator; and
- that UK businesses dealing with EU citizens and their personal data will need to appoint a representative in the EU.
At the time of writing, the UK has formally left the EU (on 31 January 2020). We are in a transition period which will end on 31 December 2020.
In this briefing we focus on data flows, and look at whether organisations will have to put additional measures in place in respect of their data flows from the UK to the EEA, and vice versa, once the transition period comes to an end. But before we do, we turn our attention briefly to the question that has been on many minds since the very first suggestion that we might be heading for a European exit.
Will the UK's data protection standard change?
The UK's data protection standard has not changed during the transition period. The European Union (Withdrawal) Act 2018 has transposed the EU General Data Protection Regulation 2016/679 (EU GDPR) onto the UK statute book so that it will continue to apply in the UK. Additional legislation is also proposed, to take effect at the end of the transition period, which will "anglicise" certain aspects of GDPR so that it makes sense when applied, together with the Data Protection Act 2018, as part of UK domestic law, effectively creating a 'UK GDPR' which will apply to the processing of personal data about UK data subjects. Therefore, reassuringly, the time and money that businesses have invested in becoming GDPR compliant have not been wasted.
However, difficulties arise when considering the implications of the status change of the UK now it is no longer a member state, and when it becomes a third country at the end of the transition period, in particular in relation to data flows. The issue has not been helped by the recent ruling of the Court of Justice of the European Union (CJEU) in Schrems II.
What is the problem with data flows?
The GDPR allows for unrestricted personal data flows between EU and EEA member states, the theory being that personal data can be considered to be in 'safe' hands in those states which have adopted the GDPR. However, problems potentially arise with third countries outside the club, as they may not have equally high standards to ensure the continued safety of personal data which leaves the EEA for such destinations but remains within the scope of GDPR protection. The GDPR treats such transfers as restricted transfers and requires organisations to only transfer personal data in these circumstances using a GDPR compliant safeguarding mechanism, or in reliance on a GDPR sanctioned derogation. One of these safeguarding mechanisms is that the destination country has had an adequacy decision made in favour of it by the European Commission (essentially, confirmation by the EU that it considers that country to be a safe destination for personal data caught by GDPR). Other mechanisms include EU approved standard contractual clauses, known as 'model clauses', which oblige the recipient in the destination country to sign up to contractual obligations to keep any data it receives safe. There are also other derogations, which we refer to briefly later on in this briefing.
So, the question is, what will happen to data flows as between the UK and the EEA?
UK data flows to the EEA
Current proposals are that transfers of personal data from the UK to the EEA will continue to be permitted, without the need for organisations to put additional measures in place. In theory, this should mean that no further action is necessary in order to send personal data to EEA-based third parties. As a matter of good practice, however, it will be worth keeping an eye on any changes to the domestic laws of relevant Member States in the event that new laws create further hoops for the UK to jump through in the future. Also, the UK Government's position on this could well change, depending on the outcome of negotiations during the transition period in respect of a trade deal with the EU.
UK data flows to other third countries (outside the EEA)
The European Commission has adopted adequacy decisions with respect to a number of third countries (at the time of writing, 12 countries including Canada and Japan). Legislation which will come into effect at the end of the transition period states that the UK will continue to recognise these adequacy decisions when it comes to transferring UK personal data to recipients based in those countries. Data transfers from the UK to the US are more tricky, since the CJEU in Schrems II found that the EU-US Privacy Shield, which governed data transfers between the EEA and the US, could no longer be relied on as a valid mechanism for transferring personal data from the EEA to the US (please see our recent briefing for further details about this judgment).
The same legislation states that EU model clauses will continue to be recognised as a valid safeguarding mechanism (where appropriate) under which organisations in the UK can transfer personal data. Similarly, existing model clause contracts which are in place to govern the export of data out of the UK will continue to be recognised, though for the reasons outlined below, Schrems II might well have created difficulties on this front as well, particularly in relation to onward transfers of data which originated in the EEA.
So far sort of good – provided that the UK Government does not deviate from these proposals.
EEA data flows to the UK
However, transfers of personal data within GDPR scope from the EEA into the UK are, unfortunately, not quite as simple. Unless the matter is addressed in any trade deal that is struck, or the EU passes an adequacy decision in respect of the UK in time (see below for our thoughts on this), at the end of the transition period organisations which act as data controllers and which transfer personal data from the EEA to the UK will need to do so using a GDPR compliant safeguarding mechanism, or rely on a derogation, in the same way as they do for any other third country.
What can businesses do?
EU model clauses would have been the obvious answer for many businesses based in the EEA seeking to transfer personal data to the UK. However, the CJEU's decision in Schrems II has put a spanner in the works, and it is fair to say that the use of these clauses is currently in a state of flux. Whilst the CJEU found that model clauses could still be used as a safeguarding mechanism for transferring personal data from the EU, it took the opportunity to remind controllers that their use is not simply a papering exercise. Consideration must also be given to the adequacy of the measures in the destination country for keeping the data safe, not only those taken by the data importer, but also the wider data protection regime of the destination country, and if these are not considered up to scratch, the data transfer should be halted.
This would not only create quite a headache, to say the least, for EU based controllers (and their UK counterparts) looking for a practical solution to ensure the ongoing flow of data to the UK, but also raises doubts about whether the model clauses could actually be relied on if the European Commission were to conclude that the UK's data protection regime did not merit an adequacy decision (see the box below, and putting aside political reasons for holding back a decision).
Additional guidance about model clauses is awaited from the European Data Protection Board, and meanwhile, the European Commission has announced that it is working towards releasing a new, more up to date set of standard contractual clauses before the end of the year.
Are there any other options?
It may be possible for businesses to rely on the derogations set out in the GDPR for specific situations, which allow for the transfer of data from the EEA to a third country in the absence of an adequacy decision, model clauses or binding corporate rules (a complex mechanism which could provide a solution for some corporate groups but would need a longer period to implement, and therefore require some thought early on in the transition period). Examples include explicit consent, contractual necessity and cases relating to legal claims. However, use of these derogations was intended to be limited: they are only permitted in specific situations and only if certain conditions are satisfied. For example, not only will explicit consent need to be GDPR compliant, but the information made known to the data subject must include the possible risks of the transfer.
This means that in practice, whilst the derogations could be useful for occasional transfers in particular circumstances, they are unlikely to be an effective solution in the long term.
Will the EU pass an adequacy decision in respect of the UK?
According to the Political Declaration that accompanied the Withdrawal Agreement with the EU, the European Commission and the UK had hoped to assess and then formally recognise each other's data protection rules as providing 'adequate' protection for data sent from one territory to the other. However, whether this can be achieved in what is left of the transition period, given wider distractions (both on the negotiating front and due to a certain pandemic), is a matter of great scepticism. It is also worth bearing in mind that:
- adequacy decisions have historically not been particularly forthcoming. Adopting an adequacy decision involves a multi-stage procedure including obtaining the approval of the remainder of the EU, which is likely to be time consuming. Given the manner in which negotiations towards a trade deal have been conducted, it is also possible that Member States may be reluctant to agree to this solution, which would further prolong the process;
- one of the reasons that the EU-US Privacy Shield was judged to be inadequate, was because it did not prevent US surveillance authorities from accessing personal data about EU data subjects; it is feared that a similar conclusion could be reached about aspects of the UK's own surveillance regime;
- adequacy decisions are not indefinite. These decisions are subject to ongoing review and therefore are capable of being withdrawn at any time, which would bring UK businesses back to square one regarding their ability to process data from the EU.