The end of the Brexit transition period brings some important changes to data protection laws. If your business transfers personal data to or from Europe, targets European customers or does business within the European Economic Area (EEA), we’ve outlined below what you should be aware of.
In particular, as we await an adequacy decision from the EU, we’ve set out the steps that business should take now to have processes and documentation in place to address EEA/UK data transfers in case an adequacy decision is not made by April 2021.
(1) enter into standard contractual clauses with your suppliers/customers
(2) appoint a representative in the EEA (if required)
(4) check whether your processing is “cross-border processing”
Does the European GDPR still apply in the UK?
From 1 January 2021 the European General Data Protection Regulation (the EU GDPR) ceased to be directly applicable to the UK.
The EU GDPR is already part of UK law through the Data Protection Act 2018 (UK Data Protection Act). However, as part of the UK’s exit from the EU, the UK Data Protection Act has been modified.
The rights and obligations under the UK version of the EU GDPR, along with its key principles, remain broadly the same as during the transition period. However, there are some important changes which mainly concern the rules on transfers of personal data between the UK and the EEA.
Brexit’s effect on transfers of personal data from EEA to UK
The UK is now considered a “third country”, meaning transfers are not permitted unless one of the transfer conditions listed below is complied with.
The UK has applied to the European Commission for an adequacy decision (a finding that an adequate level of protection for personal data is in place) and this is currently under consideration. If the UK receives an adequacy decision, then UK businesses may continue to process personal data in the usual way.
Under the EU GDPR, transfer of personal data from the European Economic Area to a third country is only permitted if one of the transfer conditions laid down in the EU GDPR is met. Broadly speaking, these conditions are:
- the European Commission must decide that the third country has an adequate level of protection for personal data – an “adequacy decision”;
- binding corporate rules must be in place; or
- the transfer is subject to standard European Commission-approved data-protection clauses.
Exceptions exist for specific situations which may apply on a case-by-case basis, including where the transfer is necessary to establish, exercise or defend legal claims, and where the transfer is necessary for important reasons of public interest.
To ensure the free flow of personal data between the UK and the EEA the new Trade and Co-operation Agreement (entered into by the EU and the UK) delays the transfer restrictions and allows for the continued flow of personal data between the UK and the EEA for a period of up to six months (four months plus an extension of a further two months) from 1 January 2021. This delay period is known as the “bridge”.
If there’s no adequacy decision by the end of the bridge then transfers of personal data from the European Economic Area to the UK will need to comply with the transfer restrictions in the EU GDPR. The simplest way of ensuring that the transfer conditions are met is to use the standard European Commission-approved data-protection clauses.
For companies already relying on binding corporate rules, these will need to be updated to reflect the fact that the UK is now a “third country” for the purposes of the EU GDPR.
Whilst an adequacy decision is clearly the hoped-for outcome, the UK Information Commissioner recommends that businesses in the UK put alternative safeguards in place before the end of April 2021.
UK businesses that process personal data on behalf of customers who are controllers of personal data within the European Economic Area should be aware that those customers must decide how to comply with their local laws on international transfers. Your customers may want to update the contractual terms that cover the processing of their personal data, and may request that you enter into the standard contractual clauses for controllers and processors. Businesses should take steps now to deal with these requests.
The European Commission is producing new draft standard contractual clauses which are expected to be issued this year.
My business uses sub-contractors outside the UK. Can I transfer personal data from the UK?
The UK Data Protection Act (which incorporates the UK GDPR) will apply to transfers of personal data to countries outside the UK.
Similar principles to those outlined above regarding EEA data transfers apply to transfers of personal data from the UK. For the transfer to be permitted it must meet one of several permitted transfer conditions, including:
- the territory is covered by an adequacy regulation;
- binding corporate rules are in place; or
- the transfer is subject to standard UK-approved contractual clauses.
The Government has said that it is going to recognise the European Commission-approved standard contractual clauses.
The most appropriate safeguard for most businesses will be to use these standard contractual clauses – current EU standard contractual clauses can continue to be used for transfers from the UK. The legal meaning of these standard contractual clauses shouldn’t be changed, but businesses can change EU GDPR terminology to terminology that reflects the UK data-protection law.
The Information Commissioner’s Office has created a UK version of the standard contractual clauses, with further guidance, on the Information Commissioner’s Office website at www.ico.org.uk.
I’m based in the UK and do business in the EEA. Do I need to appoint a representative in the EEA?
If your business is not located in the EEA and you offer goods or services to individuals in the EEA or conduct behavioural monitoring of individuals in the EEA, you will need to appoint a representative in the EEA unless the obligation to appoint a representative does not apply. The appointment must be in writing.
The obligation to appoint a representative does not apply where:
- You only occasionally process personal data of individuals in the EEA;
- Your processing does not include large-scale use of special category data (this includes data revealing racial or ethnic origin, political opinions, religious beliefs, data which concerns a person’s health, sex life or orientation, as well as genetic or biometric data);
- Your processing does not include personal data relating to criminal convictions; and
- Taking into account the nature, context, scope and purposes of the processing, your processing is unlikely to result in a risk to the rights and freedoms of individuals.
The obligation to appoint a representative also does not apply to a public authority or body.
The representative should be in an EEA country where some of the individuals whose data you are processing are based. The representative must also have authority to be the direct point of contact for data-protection compliance as well as, or instead of, your business. Details of your representative must be provided to EEA-based individuals and this information must be available to the supervisory authority.
I do business in the UK and am based outside the UK. Do I need to appoint a representative in the UK?
If you do not have an office, branch or other establishment in the UK and you are offering goods or services to individuals in the UK, or are carrying out behavioural monitoring of individuals in the UK, you will need to appoint a representative in the UK (unless the obligation to appoint a representative does not apply). Like the EU GDPR requirements, the appointment of the representative must be in writing. You are not obliged to appoint a UK representative where:
- you only occasionally process personal data of individuals in the UK;
- your processing does not include any large-scale processing of special category data or personal data relating to criminal convictions; or
- you are a public authority or body.
The representative must be authorised to act on your behalf regarding data-protection compliance and must be the point of contact for individuals and the Information Commissioner. You must also provide details of your representative to UK-based individuals.
Who has regulatory oversight of my business’s processing of personal data?
Depending on how and where you process personal data, you’ll need to deal with different data-protection authorities.
Under EU GDPR each EU member state is required to establish a supervisory authority that exercises the powers conferred on a supervisory authority by the EU GDPR. When dealing with infringements of the EU GDPR, the EU GDPR created a “one-stop-shop” mechanism which allowed the supervisory authorities for EU member states to act as lead supervisory authority in relation to any data-protection complaint or objection which involves “cross-border processing”.
The supervisory authority in the EU member state where a business has its primary place of business has authority to act as the lead supervisory authority for any “cross-border processing” carried out by the business. The lead supervisory authority and other supervisory authorities must co-operate with each other.
“Cross-border processing” is where:
- processing takes place in the context of the activities of establishments in more than one EU member state where the processor or controller of personal data is established in more than one EU member state; or
- processing takes place in the context of the activities of a single establishment where the processor or controller of personal data is established in an EU member state and carries out processing that substantially affects (or is likely to substantially affect) individuals in one or more EU member states.
Now that the transition period has ended, processing in the context of a business’s UK establishment is no longer cross-border processing. In relation to its processing in the UK the business will need to deal with the Information Commissioner’s Office (ICO).
UK businesses that also process data in the context of an establishment in the EEA – for example where your business has a head office in the UK which handles its customer data and a distributor, distribution centre or office in the EEA – may find that, whilst the processing of data in the UK is not cross-border processing, the processing carried out by the business’s establishments in the EEA may still be cross-border processing, and your business will need to deal with the appropriate lead supervisory authority in the EEA.
If there’s a security breach that affects your business’s personal data then that breach may need to be reported to, and may be investigated by, both the ICO under the UK Data Protection Act and the relevant lead supervisory authority under the EU GDPR. A business could be fined by both supervisory authorities.
The Information Commissioner has advised that whilst it will no longer be part of the “one-stop-shop” it will continue to co-operate and collaborate with the supervisory authorities in Europe concerning GDPR breaches that affect individuals in the UK and EEA.
Beyond the ‘bridge’
Brexit marks some important changes to data protection law. The four-to-six month “bridge” is helpful as it will allow the free flow of personal data between the UK and the EEA while the EU considers the UK’s application for an adequacy decision. Whilst we hope that the EU will make an adequacy decision in relation to the UK, businesses should take steps now to have processes and documentation in place to address EEA/UK data transfers in case this decision is not made by April 2021.
If your business transfers personal data to or from Europe, targets European customers or does business within the European Economic Area (EEA), and you would like advice regarding the steps you should be taking now, please do get in touch.