As we covered in part 1 of this blog, the data protection framework in the UK remains broadly in line with EU data protection regime (currently). This doesn’t mean there aren’t real-world considerations that organisations need to address, however, following Brexit.
Last time out we addressed the implementation of the UK GDPR and the potential need for EU and UK representatives following the end of the Brexit transition period. In this part 2, we are turning our attention to the impact of Brexit on international transfers of personal data.
Data transfers have been a hot topic over the last year. We have had the Schrems II decision by the European Court of Justice (“CJEU”), and the publication of draft new Standard Contractual Clauses (“SCCs”) by the European Commission.
Alongside these considerations, we have had the big question of whether the UK would be granted adequacy status before the end of the Brexit extension period. This created a lot of uncertainty for organisations in the UK and the EU, who were trying to find the right balance between waiting to see what the outcome would be versus incurring the cost of implementing Standard contractual Clauses.
Thankfully this uncertainty appears to have been resolved now, but it is still important to understand the detail; and organisations should monitor for ongoing developments as the UK data protection regime appears likely to diverge with the EU framework over time, as covered in the first part of this blog.
International transfers from the EEA to the UK
As part of the EU-UK Trade and Cooperation Agreement, the EU agreed to delay transfer restrictions for a period of up to six months, running from 1 January 2021 (known as the “bridging period”).
The bridging period initially lasts until an adequacy decision is granted, or (if earlier) until 1 May 2021. If no adequacy decision has been issued by that date, then there is a further automatic extension for two months, until 1 July 2021, unless the EU or the UK object to the extension.
During the bridging period, transfers of data can be made from the EEA to the UK without any need for appropriate safeguards, such as SCCs or Binding Corporate Rules (“BCRs”), to be put in place. In essence, appropriate safeguards seek to ensure that both the sender and the receiver of the data are legally required to protect individuals’ rights in respect of their personal data. For more information on SCCs and BCRs, please review our previous blog post on Brexit.
On February 2021, the European Commission (“EC”) published its draft decisions on the UK’s adequacy under the EU GDPR and Law Enforcement Directive. In both cases, the EC found the UK to be adequate. The draft decisions were reviewed and approved by the European Data Protection Board on 14th April 2021. All that remains now is for the 27 EU member states to approve the decision, following which the EC can adopt the final decision.
It, therefore, appears that the UK will receive an adequacy decision by the end of the bridging period, which will mean that transfers of data can still be made from the EEA to the UK without any additional safeguards in place.
International transfers from the UK to the EEA
As with the EU GDPR, the UK GDPR restricts international transfers of personal data, unless the country or international organisation where data is being transferred provides an adequate level of protection. If not, transfers are only permitted where appropriate safeguards are put in place or if one of the limited exceptions contemplated in the UK GDPR applies.
The UK Government has transitionally recognised the EEA as having adequate protection. This allows for the continued free flow of data to these countries, without needing appropriate safeguards in place. The UK intends to review these adequacy decisions (which are now called “adequacy regulations” in the UK) over time.
In practice, this means that if you are a UK organisation that sends personal data to the EEA, you do not need to put any appropriate safeguards in place because at this stage the UK Government has recognised EEA countries as continuing to offer adequate protection.
International transfers from the UK to other jurisdictions outside the EEA
The UK Government has transitionally recognised existing adequacy decisions granted by the EC valid as at 31 December 2020. The EC has recognised Andorra, Argentina, Canada (only commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan (only private sector organisations), Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.
This allows for the continued free flow of data from the UK to any of these countries, without any need for appropriate safeguards to be put in place. The UK intends to review these adequacy decisions over time and to issue its own adequacy regulations.
Earlier this year the ICO and the Secretary of State for the Department for Digital, Culture, Media, and Sport entered into a Memorandum of Understanding which reaffirmed that the Secretary of State held the power to agree adequacy arrangements with other countries.
A recent piece by the Secretary of State in the Financial Times (paywall) suggests that we’ll see the UK agreeing adequacy arrangement with other countries which are currently not adequate in the eyes of the EU. If and when this happens, organisations will need to think about the onward transfer of EU personal data to countries deemed adequate by the UK but not the EU.
When making transfers of personal data from the UK to non-adequate countries (such as the US after the Privacy Shield was declared invalid) there will still be a need to put appropriate safeguards in place. The most obvious route for most organisations will be SCCs, but these will also need some thought.
For a start, the EC has published draft new SCCs as mentioned above (which have long been needed). The ICO has made it clear, however, that these will not be suitable for making transfers from the UK to third countries. They state that the existing EU SCCs should continue to be used until the UK produces its own SCCs. The ICO has said it will consult on and publish UK SCCs in 2021.
Another consideration is Schrems II, which we wrote about in this blog. The UK had left the EU when the Schrems II decision was reached by the CJEU but we were still in the Brexit transition period during which we were subject to the EU GDPR and the jurisdiction of the CJEU. As such, the ICO suggests that the Schrems II decision applies to data transfers to third countries that existed at the end of the Brexit transition period on 31st December 2020. Further guidance is expected from the ICO on the Schrems II implications in due course.
The good news is that UK adequacy is all but agreed meaning flows of personal data to the UK from the EU will remain uninterrupted. In theory, adequacy lasts for four years and is then reviewed and could theoretically be revoked if the UK diverges from the EU GDPR too far.
There remain some grey areas, however, and we await additional guidance from the ICO on matters including the application Schrems II in the UK and publication of UK SCCs. There will also the potential onward transfers issue if the UK grants adequacy status to territories that the EU considers to be third countries.
As such, it will be important for organisations to monitor developments, especially if receiving personal data from EU organisations.
As a specialist data protection consultancy, Evalian is well placed to assist you with any queries you might have on the data protection Brexit implications and international transfers. If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.