Keeping the data flowing after the UK Brexit transition ends

Written By:
Content Copyright © 2020 Bloor. All Rights Reserved.
Also posted on: Bloor blogs

Keeping the data flowing after the UK Brexit transition ends banner

Broadly speaking, the EU GDPR as implemented in the UK remains in effect when Transition ends, but the UK then being a Third Country as far as the EU is concerned will have implications for the movement of private and sensitive information across the UK border – a very real, but near, Future of Work.

The Information Commissioners Office (ICO) has just given a Webinar (available here) “Keep data flowing at the end of the UK’s transition out of the EU”. The ICO seems very helpful and on top of the issues, as far as it can be, given Brexit uncertainties. The ICO has, apparently, no formal role in the Brexit or Transition process, however; although it is a good place to go for resources and guidance.

The ICO is also not involved in UK “adequacy” negotiations with the European Commission (EC) – around whether data protection and privacy regimes in 2 different areas adequately provide equivalent protection (in which case movement even of sensitive data across their borders can be friction-free). The UK is recognising existing EC adequacy decisions with various, mostly small, countries and has a new one with Japan, but the EC itself recognising UK adequacy is the big one. Obviously, an adequacy decision by the EC is the best case scenario for free movement of data across EU and UK borders but, with under one month to go, this hasn’t been agreed. The ICO, therefore, still has to recommend that firms transferring data with the European Economic Area (EEA) put in place, probably expensive, alternatives such as Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs), in case we don’t get an adequacy decision in time, or at all.

In a related issue, it was explicitly mentioned in the ICO presentation that firms can no longer rely on Privacy Shield for UK-US transfers. Note that the Schrems II judgement, which invalidated Privacy Shield, also means that a GDPR-related Risk Assessment is now recommended, in order to ensure that any SCCs newly enabling data transfers generally provide an “essentially equivalent” level of protection to GDPR (this is good news for lawyers?). The EU is producing templates (rules) for new, more useful, SCCs but these have not yet been finalised. Old SCCs can remain in force as far as the UK Gov’t is concerned.

BCRs are for multinational groups sending data between their entities (also good news for lawyers) and existing EU ones need to be reauthorised by the ICO for use with the UK GDPR.

“Other appropriate safeguards”, such as codes of conduct or certification; or (for Public Authorities) a “legally binding and enforceable instrument” or an administrative arrangement authorised by the supervisory authority; may also be invoked to satisfy GDPR. We are not sure exactly how this will work yet.

The UK Gov’t has put no special transfer mechanisms or restrictions (beyond existing UK GDPR, which is currently the same as EU GDPR, although this might change) in place for transfers TO the EEA, but transfers FROM the EEA to the UK are subject to the EU GDPR, which we have no control over. In the worst case scenario, in the case of a GDPR enforcement, a company could find itself in the courts in the UK over UK GDPR and also in several different EEA countries over EU GDPR (the UK can no longer take advantage of the automatic EU “one stop shop”).

Any companies that do business with the EEA or its residents really should be getting their house in order now, removing any references to EU GDPR in privacy statements etc. and replacing them with UK GDPR references; putting EEA representatives in place if necessary; looking at whether SCCs will be needed; and checking whether any of the exceptions apply.

There are actually quite a few exceptions – e.g. for “occasional and non-repetitive transfers” – but the meanings of terms such as “occasional” are not yet clear (so, another goldmine for lawyers IMO). Organisations may well feel the need to address worst case scenarios, with formal SCCs etc., in order to be safe, even though some of this work may prove to have been unnecessary, if the UK eventually gets an adequacy decision from the EU.

Summary and key points

If any of this affects you, it is best to review the recording of the presentation on the ICO website. However, here is a summary of what seem to be its key features:

  • Everything stays the same, except when it doesn’t. No changes take effect until 11pm on 31 December 2020 and the main GDPR principles, obligations and rights will not change. You will need to change any documentation to reference UK GDPR instead of EU GDPR where appropriate and provide updated privacy information.
  • After Transition ends, data to EEA countries will be sent under new UK rules but organisations receiving data from the EEA (sent under EU rules) may have to assist with maintaining data flow. Organisations operating in or targetting customers in the EEA will be subject to BOTH UK and EU GDPR and may need to have representatives in the EU.
  • Adequacy agreements. The UK regime will recognise the existing EU adequacy decisions with Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The UK has has agreed adequacy with Japan and can make its own adequacy decisions from 1 January 2021. Note however that the UK does not currently have adequacy decisions with major trading partners such as the USA and the EU – hence the need for SCCs etc. to protect the privacy of sensitive information.
  • There is a list in the presentation, but the sender, not the receiver of the data determines whether the exception applies. They will be interpreted restrictively and seem to apply mostly to occasional, non-repetitive transfers. They may well usefully oil the routine transfer of data but we are concerned that companies relying on exceptions may well not always appreciate the risks involved. If, or when, something goes wrong (a data breach or suchlike) an SCC is a binding contract and should (if properly drawn up) help make responsibility and accountability quite clear. Relying on an exception could, in the event of a dispute, in our opinion, result in expensive legal arguments over interpretation and applicability, at least until “good practice” becomes established over time.

The bottom line is that ignoring the new GDPR and privacy issues when the UK finally ends transition could impact the free flow of data across EU and UK borders and this will probably be bad for commerce. You should start thinking about these issues now – at the very least, sign up to the ICO newsletter; its LinkedIn page;  its Twitter account; its Facebook page; or visit the Keep Data Flowing website.

Remember games of politics in Westeros; and think on “Winter is coming”. If everything mostly goes smoothly, after all, at least you won’t be coping with any nasty surprises.