Brexit - Data protection after the Brexit transition period
Related People: Alistair Ho, Trainee Solicitor at Mayer Brown
Whilst the UK left the European Union ("EU") on 31 January 2020 ("Exit Day") it remained within the EU's legal framework during the Brexit Transition Period ("Transition Period"). When the Transition Period ends at 11:00 p.m. GMT on 31 December 2020 ("Completion Day"), EU law that was enacted before Exit Day applies in the UK as if it were national law by virtue of Section 3 of the European Union (Withdrawal Agreement) Act 2020 ("Withdrawal Agreement").
The European General Data Protection Regulation ("EU GDPR") will be incorporated directly into UK law as the UK GDPR. The UK GDPR will sit alongside an updated version of the Data Protection Act 2018 ("DPA 2018"). The UK GDPR will be substantially the same as the EU GDPR and the key principles, rights and obligations will remain the same, though there is a possibility for future divergence between them. Businesses will need to review their data protection arrangements and ensure they are compliant with the UK GDPR, and continue to be complaint with the EU GDPR if that remains applicable.
Ahead of Completion Day, businesses which rely on international data flows, target European customers or operate inside the European Economic Area ("EEA") should:
- Consider their international transfers, particularly from the EEA to the UK;
- Consider whether appointing EU / UK representatives is now required; and
- Update agreements, policies and notices to refer to UK GDPR where applicable.
The European Data Protection Board ("EDPB") has recently issued a statement on the main implications of the end of the Transition Period for controllers and processors, and the UK Information Commissioner’s Office ("ICO") has published guidance on the data protection implications. The ICO has confirmed that there would be no formal transition period for companies to adapt to the new rules but it has stated it will "take a pragmatic and proportionate approach" to enforcement.
1. Businesses should consider personal data transfers between the UK and the EEA
Transfers from the EEA to the UK
When the Transition Period ends, the UK will be a third country for the purposes of the EU GDPR. This means that personal data transfers from the EU to the UK will be considered "restricted transfers". Absent a European Commission adequacy decision for the UK, such transfers will require an appropriate safeguard to be in place in line with Article 46 of the EU GDPR, such as the standard contractual clauses ("SCCs") or binding corporate rules ("BCRs"), or a derogation under Article 49 of the EU GDPR.
Where businesses have BCRs in place, for which the ICO is the lead supervisory authority for BCR holders, the EDPB has confirmed that these will need to be amended to refer to the EEA legal order before the end of the Transition Period. Businesses will need to identify a new lead supervisory authority within the EEA, and BCRs approved under the EU GDPR require a new approval decision from the lead supervisory authority before the end of the Transition Period. Similarly, if the lead supervisory authority is not the ICO, businesses will need to notify the ICO before the end of the Transition Period.
The European Commission is currently carrying out an adequacy assessment of the UK and is aiming to make a decision by 31 December 2020, though this now looks like it will slip into the new year. If the UK secures an adequacy decision from the European Commission by Completion Day, then when the Transition Period ends, transfers of personal data from the EU to the UK will be able to continue as they do currently, i.e. as if the UK were still an EU Member State.
New requirements following the Court of Justice of the European Union's ("CJEU") decision in Schrems II and recommendations by the EDPB to conduct due diligence on the laws and powers of authorities in countries that receive personal data from Europe have added to uncertainty around an adequacy decision in favour of the UK due to its national security laws. Recent case law underlined these concerns in directly questioning the compatibility of the Investigatory Powers Act 2016 with the EU ePrivacy Directive.
It has been reported that EU and UK officials are exploring options to continue data flows for a six-month period beyond the end of the Transition Period, leaving more time for an adequacy assessment to be carried out. However, the ICO and the UK Minister of State for Media and Data continue to advise businesses to prepare for a no-adequacy end to the Transition Period.
Transfers from the UK to the EEA
Transfers from the UK to the EU will also be a restricted transfer under the UK GDPR, however, the EEA will be subject to a provisional adequacy decision by the UK Government (which is to be kept under review). This should mean that no new arrangements will be needed for transfers from the UK to the EEA.
The UK will also recognise the existing 12 EU adequacy decisions and is preparing to start its own adequacy assessments next year. 11 of the 12 jurisdictions currently recognised by the European Commission as offering an adequate level of data protection (Andorra pending) have confirmed they will allow uninterrupted data transfers to the UK.
2. Businesses should consider if they are required to appoint a UK or EU representative
After the Transition Period ends, the UK will leave the EU GDPR's "one-stop-shop" mechanism, which allows organisations carrying out cross-border personal data processing activities to deal with a single data protection authority (the "lead authority"), being the data protection authority of the organisation's "main establishment" (as defined in the EU GDPR) in the EU. The ICO has confirmed that participation by the UK in the one-stop-shop after the end of the Transition Period is being discussed between the UK and the EU, but they are awaiting further information.
Businesses will need to determine if they have a main establishment in the EU for the purposes of the EU GDPR and where this would be. If an organisation does not have an establishment in the EU, but processes personal data of EU citizens in the context of offering goods or services to or monitoring the behaviour of individuals in the EEA, the appointment of a European representative might be required. Similarly, businesses not established in the UK, but who processes personal data of UK citizens in the context of offering goods or services to or monitoring the behaviour of individuals in the UK may need to appoint a UK representative under the UK GDPR.
Where it is determined a European representative should be appointed, they should be located in the location of the majority of the data subjects whose personal data is being processed and an appropriate written mandate will need to be put in place for them to act on the organisation's behalf.
Each data protection authority has its own nuanced implementation and approach to enforcement of the EU GDPR and organisations should familiarise themselves with the guidance of the data protection authority in the jurisdiction of the representative.
3. Businesses should review their data processing agreements, policies and privacy notices
As the key principles, rights and obligations under the UK GDPR remain substantially the same as the EU GDPR, and CJEU case law will be retained unless challenged by the UK courts, data protection agreements, policies and privacy notices should not need substantial amends except to reflect changes regarding international transfers if applicable. However, where union law, e.g. the EU GDPR is referred to, wording should be updated to refer to the UK GDPR (as well as the EU GDPR where required), and reflect other UK GDPR terminology differences.
If an EU / UK representative is required as a result of the end of the Transition Period, privacy notices should be updated to identify the representative as they will be the point of contact for data subjects and the lead authority in their jurisdiction.