Preparing for EU Exit: Data Protection

Following the signing of the Trade and Cooperation Agreement (‘TCA’) there are some key changes to the UK’s data protection regime that organisations must be aware of.

Although the UK formally left the EU on 31 January 2020, it subsequently entered into a transition period until 31 December 2020. During the transition period, the UK’s data protection regime remained unchanged. However, following the signing of the Trade and Cooperation Agreement (‘TCA’) on 24 December 2020 and subsequent expiry of the transition period, there are some key changes to the UK’s data protection regime that organisations must be aware of.

By virtue of the European Union (Withdrawal) Act 2018, the EU GDPR has been incorporated into the UK’s domestic law as the ‘UK GDPR’. As a result, the Information Commissioners Office (ICO) has stated that following our EU Exit, the key data protection principles and obligations will remain the same.  It is worth taking time to read the ICO Guidance.

Data transfers from the UK to EEA

The UK Government has confirmed that it will continue to recognise the protection offered in EU member states by virtue of the EU GDPR. This means that personal data transfers from the UK to the EU can still continue as normal.

Data transfers from the EEA to UK

Prior to the TCA being agreed, it was anticipated that the UK would become a ‘third country’ for the purposes of the EU GDPR meaning that transfers of personal data from the EEA into the UK would require an additional safeguard e.g. standard contractual clauses or binding corporate rules under article 46 of the EU GDPR or, failing that, a derogation under article 49 of the EU GDPR.

Fortunately, the TCA contains a ‘bridging mechanism’ enabling personal data to continue to flow freely from the EEA to the UK for an initial period of four months (with the possibility to extend for a further two months).

The ICO has confirmed that in reality most organisations will only have the option of relying on the SCCs. This is because binding corporate rules, which are essentially an internal code of conduct, only cover data transfers within a corporate group and are subject to a lengthy approval process.

In a nutshell, the bridging mechanism has prevented the widespread disruption that transfers of personal data from the EEA to the UK would have suffered if the UK had become a ‘third country’ (i.e. a country not offered sufficient data protection).

The bridging mechanism aims to provide a grace period during which it is hoped that the UK will have received an adequacy decision from the EU Commission. An adequacy decision would formally document that the EU deems the UK to provide an equivalent level of data protection.

The bridging mechanism enables organisations in NI to freely receive personal data from the EEA until the end of April 2021 (subject to a further two-month extension) or until the UK obtains an adequacy decision. This means that organisations in NI are not currently required to implement an additional transfer mechanism/safeguard in order to lawfully process personal data pertaining to EU data subjects. However, this is something that should be kept on the radar given that an adequacy decision may not be reached within six months. During this extension, if you receive personal data from the EU you still should consider putting alternative safeguards in place as a sensible precaution.

The position is currently the same for personal data transfers between NI and ROI as it is for transfers between NI and the rest of the EEA.

If the UK does not obtain an adequacy decision, organisations based in the UK that are receiving personal data from the EEA will need to ensure that an additional transfer mechanism is in place:

The ICO has confirmed that in reality most organisations will only have the option of relying on SCCs. This is because binding corporate rules only cover data transfers within a corporate group and have a lengthy approval process.

The ICO recommends that organisations receiving personal data from the EEA should have additional safeguards in place prior to the end of April 2021. This will ensure that they can lawfully receive personal data from the EEA in the absence of an adequacy decision.

SCCs are model contractual clauses currently available for the following scenarios;

SCCs are quick and easy to implement because they cannot be amended and must be used in their entirety.

On 12 November 2020, the EU Commission published draft updated SCCs (“New SCCs”). The New SCCs aim to address the gaps from the previous SCCs and will also cover the following transfer scenarios:

The New SCCs reinforce the additional obligation that data controllers sending personal data outside the EEA should assess whether the recipient country offers adequate protection, as highlighted by the European Court of Justice in Schrems II. In practice this could mean carrying out a review of the specific circumstances of the data transfer and the legal regime of the recipient country.

It is hoped that the New SCCs will be finalised at the beginning of 2021. Organisations will then have a one year timeframe to put the New SCCs in place.

There are also derogations under Article 49 of the GDPR, albeit these are narrowly drafted and only intended to apply if the additional safeguards under Article 46 of the GDPR are not feasible.  

If organisations wish to rely on a derogation, they must document this decision in their records of processing activities in accordance with Article 30 of the GDPR.

Top tips for NI organisations

Watch our Webinar on EU Data Transfers here. View Chapter 1 below.