Organisations are having to take a number of measures to ensure that they are prepared to deal with the fallout from Brexit. One of these includes reviewing the impact that Brexit will have on the processing of personal data and the steps which an organisation will need to put in place to address that impact.
This briefing is one of two in which we explore some of the implications of Brexit for UK businesses and their use of personal data, namely:
- how transfers of personal data between the UK and the EU will be regulated post Brexit;
- that UK businesses operating within the EU will need to adjust to having a new regulator; and
- that UK businesses dealing with EU citizens and their personal data will need to appoint a representative in the EU.
At the time of writing, the UK has formally left the EU (on 31 January 2020). We are in a transition period which is expected to end on 31 December 2020.
In this briefing we focus on data flows, and look at whether organisations will have to put additional measures in place in respect of their data flows from the UK to the EEA, and vice versa, once the UK becomes a third country. But before we do, we turn our attention briefly to the question that we know has been on your minds since the very first suggestion that we might be heading for a European exit.
Will the UK's data protection standard change?
The UK's data protection standard will not change during the transition period. The European Union (Withdrawal) Act 2018 has transposed the EU General Data Protection Regulation 2016/679 (EU GDPR) onto the UK statute book so that it will continue to apply in the UK. Therefore, reassuringly, the time and money that businesses have invested in becoming GDPR compliant will not be wasted. Additional legislation is also proposed, to take effect at the end of the transition period, which will "anglocise" certain aspects of GDPR so that it makes sense when applied as part of UK domestic law.
However, whether an 'anglocised' version of EU GDPR will actually apply in the UK after the expiry of the transition period, is still somewhat up in the air, and our expectations could change, depending on the way negotiations with the EU develop over the coming months.
In addition, difficulties arise when considering the implications of the status change of the UK now it is no longer a member state, and at the end of the transition period, in particular in relation to data flows.
What is the problem with data flows?
The GDPR allows for unrestricted personal data flows between EU and EEA member states, the theory being, that personal data can be considered to be in 'safe' hands in those states which have adopted the GDPR. However, problems potentially arise with third countries outside the club, as they may not have such high standards to ensure the continued safety of personal data leaving the EEA and within scope of GDPR protection, to such destinations. The GDPR treats such transfers as restricted transfers and requires organisations to only transfer personal data in these circumstances using a GDPR compliant safeguarding mechanism. One of these mechanisms is that the destination country has had an adequacy decision made in favour of it by the European Commission (essentially, confirmation by the EU that it considers that country to be a safe destination for personal data caught by GDPR); other mechanisms include EU approved standard contractual clauses, known as 'model clauses', which oblige the recipient in the destination country to sign up to contractual obligations to keep any data it receives safe; and there are other derogations which we refer to briefly later on in this briefing.
So, the big question is, what will happen to data flows as between the UK and the EEA?
UK data flows to the EEA
Current proposals are that transfers of personal data from the UK to the EEA will continue to be permitted, without the need for organisations to put additional measures in place. In theory, this should mean that no further action is necessary in order to send personal data to EEA-based third parties. As a matter of good practice however, it will be worth keeping an eye on any changes to the domestic laws of relevant Member States in the event that new laws create further hoops for the UK to jump through in the future. Also, the UK Government's position on this could well change, depending on the outcome of negotiations during the transition period in respect of a trade deal with the EU.
UK data flows to other third countries (outside the EEA)
The EEA has passed adequacy decisions with respect to a number of third countries (at the time of writing, 12 countries including Canada and Japan), and agreed the Privacy Shield mechanism for those organisations in the United States that wish to sign up and commit to it. Proposed draft legislation which will come into effect at the end of the transition period, states that the UK will continue to recognise these adequacy decisions when it comes to transferring UK personal data to recipients based in those countries. Data transfers from the UK to the US which rely on the Privacy Shield mechanism can also continue, provided that the relevant Privacy Shield participant has updated its commitments to state specifically that they extend to personal data received from the UK in reliance on the Privacy Shield, and that its privacy policies include similar wording.
The same draft legislation states that EU model clauses will continue to be recognised as a valid safeguarding mechanism (where appropriate) under which organisations in the UK can transfer personal data. Similarly, existing model clause contracts which are in place to govern the export of data out of the UK will continue to be recognised.
So far so good – provided that the UK Government does not deviate from these proposals.
EEA data flows to the UK
However, transfers of personal data within GDPR scope from the EEA into the UK are unfortunately, not quite as simple. Unless such matter is addressed in any trade deal that is struck, or the EU passes an adequacy decision in respect of the UK in time (see below for our thoughts on this), at the end of the transition period, organisations which act as data controllers and which transfer personal data from the EEA to the UK, will need to do so using a GDPR compliant safeguarding mechanism in the same way as they do for any other third country.
What can businesses do?
EU model clauses are for now, the obvious answer for many businesses based in the EEA seeking to transfer personal data to the UK, though this will create an extra layer of administration which will not be appreciated. In addition, the model clauses are currently being examined by the CJEU for their validity as a safeguarding mechanism (a decision is widely expected to be made in the first half of 2020) as part of Max Schrems' ongoing efforts against Facebook, although initial indications suggest that they will remain intact as a safeguarding mechanism. For now, they are the most practical and widely available solution for businesses which rely on the inflow of data from the EEA, and the existence of a transition period at least buys some extra time for organisations to wait and see the outcome of the CJEU litigation (and whether an adequacy decision in favour of the UK will materialise).
Are there any other options?
It may be possible for businesses to rely on the derogations set out in the GDPR for specific situations, which allow for the transfer of data from the EEA to a third country in the absence of an adequacy decision, model clauses or binding corporate rules (a complex mechanism which could provide a solution for some corporate groups but would need a longer period to implement, and therefore require some thought early on in the transition period). Examples include explicit consent, contractual necessity and cases relating to legal claims. However, use of these derogations was intended to be limited hence only being permitted if they are used in specific situations and if certain conditions are satisfied. For example, not only will explicit consent need to be GDPR compliant, but the information made known to the data subject must include the possible risks of the transfer.
Moreover, many of the derogations under Article 49 GDPR - including the contractual necessity and legal claim derogations - can only be used occasionally and when necessary ("requiring a close and substantial connection between the data transfer and the purposes of the contract"). This means that in practice, whilst the derogations could be useful for occasional transfers in particular circumstances, they are unlikely to be an effective solution in the long term.
Will the EU pass an adequacy decision in respect of the UK?
According to the Political Declaration that accompanied the Withdrawal Agreement with the EU, the European Commission and the UK hope to assess then formally recognise each others' data protection rules as providing 'adequate' protection for data sent from one territory to the other. However, whether this can be achieved in the short time frame that is the transition period is a matter of great scepticism. It is also worth bearing in mind that:
- adequacy decisions have historically not been particularly forthcoming. Adopting an adequacy decision involves a multi-stage procedure including obtaining the approval of the remainder of the EU, which is likely to be time consuming. Depending on the manner of negotiations around a trade deal, it is also possible that Member States may be reluctant to agree to this solution, which would further prolong the process;
- adequacy decisions are not indefinite. These decisions are subject to ongoing review and therefore are capable of being withdrawn at any time, which would bring UK businesses back to square one regarding their ability to process data from the