Preparing for EU Exit: Data Protection
Following the signing of the Trade and Cooperation Agreement (‘TCA’) there are some key changes to the UK’s data protection regime that organisations must be aware of.
Although the UK formally left the EU on 31 January 2020, it then entered a transition period that ran until 31 December 2020, during which the UK’s data protection regime remained unchanged. With the TCA agreed on 24 December 2020 and the transition period now expired, there are some key changes to the UK’s data protection regime that organisations must be aware of.
What happened at the end of the EU Exit transition period?
By virtue of the European Union (Withdrawal) Act 2018, the EU GDPR has been retained in the UK’s domestic law as the ‘UK GDPR’, read alongside the Data Protection Act 2018. As a result, the Information Commissioner’s Office (ICO) has stated that following EU Exit the key data protection principles, rights and obligations remain the same. It is worth taking time to read the ICO Guidance.
Data transfers from the UK to EEA
The UK Government has confirmed that it will continue to recognise the protection offered in EEA states by virtue of the EU GDPR (the EEA being the EU member states plus Iceland, Liechtenstein and Norway). This means that personal data transfers from the UK to the EEA can continue as normal without any additional transfer mechanism.
Data transfers from the EEA to UK
Prior to the TCA being agreed, it was anticipated that the UK would become a ‘third country’ for the purposes of the EU GDPR, meaning that transfers of personal data from the EEA into the UK would require an additional safeguard, e.g. standard contractual clauses or binding corporate rules under Article 46 of the EU GDPR or, failing that, a derogation under Article 49 of the EU GDPR.
Fortunately, the TCA contains a ‘bridging mechanism’ enabling personal data to continue to flow freely from the EEA to the UK for an initial period of four months from 1 January 2021 (with the possibility of extension for a further two months, i.e. to 30 June 2021 at the latest).
The ‘bridging mechanism’ in more detail
In a nutshell, the bridging mechanism has prevented the widespread disruption that transfers of personal data from the EEA to the UK would have suffered if the UK had become a ‘third country’ (i.e. a country outside the EEA that has not been found by the EU Commission to offer an adequate level of data protection).
The bridging mechanism provides a grace period during which it is hoped that the UK will receive an adequacy decision from the EU Commission. An adequacy decision would formally record that the EU deems the UK to provide a level of data protection essentially equivalent to that within the EEA, so that transfers to the UK could continue without any further safeguard.
Impact of the bridging mechanism for NI organisations
The bridging mechanism enables organisations in NI to freely receive personal data from the EEA until the end of April 2021 (subject to a further two-month extension) or until the UK obtains an adequacy decision, whichever is sooner. This means that organisations in NI are not currently required to implement an additional transfer mechanism or safeguard in order to lawfully receive personal data from the EEA. However, this should be kept on the radar given that an adequacy decision may not be reached within the six months available. During the bridging period, if you receive personal data from the EEA you should still consider putting alternative safeguards in place as a sensible precaution.
The position is currently the same for personal data transfers between NI and the Republic of Ireland (‘ROI’) as it is for transfers between NI and the rest of the EEA.
What happens if the UK has not received an adequacy decision by the end of the six-month bridging period?
If the UK does not obtain an adequacy decision, organisations based in the UK that receive personal data from the EEA will need to ensure that an additional transfer mechanism under Article 46 of the EU GDPR is in place:
- EU Standard Contractual Clauses (‘SCCs’); or
- Binding corporate rules.
The ICO has confirmed that in reality most organisations will only have the option of relying on SCCs. This is because binding corporate rules, which are essentially an internal code of conduct, only cover data transfers within a corporate group and are subject to a lengthy approval process by a supervisory authority.
The ICO recommends that organisations receiving personal data from the EEA should have additional safeguards in place prior to the end of April 2021. This will ensure that they can lawfully receive personal data from the EEA in the absence of an adequacy decision.
What are SCCs?
SCCs are model contractual clauses approved by the EU Commission, currently available for the following scenarios:
- EU controller to processor in a third country; and
- EU controller to controller in a third country.
SCCs are relatively quick to implement: the clauses themselves are a fixed text that cannot be amended and must be used in their entirety, so the only content to complete is the appendices describing the parties, the data transferred and the security measures applied. Note that they bind the parties that sign them, so the exporter in the EEA and the importer in the UK must both execute them.
On 12 November 2020, the EU Commission published draft updated SCCs (“New SCCs”). The New SCCs aim to address the gaps in the previous SCCs and will also cover the following transfer scenarios:
- EU processor to sub-processor in a third country; and
- EU processor returns personal data to a controller in a third country.
The New SCCs reinforce the additional obligation, highlighted by the Court of Justice of the European Union in Schrems II (Case C-311/18, July 2020), that data exporters sending personal data outside the EEA should assess whether the law and practice of the recipient country undermine the protection the SCCs provide, and adopt supplementary measures where they do. In practice this means carrying out a documented review (often called a transfer impact assessment) of the specific circumstances of the transfer and of the legal regime of the recipient country, in particular public authorities’ powers to access the data.
It is hoped that the New SCCs will be finalised at the beginning of 2021. The draft provides for a transition period of one year, after which transfers relying on the existing SCCs would need to be moved onto the New SCCs.
What can you do if a transfer mechanism under Article 46 does not apply?
There are also derogations under Article 49 of the EU GDPR, but these are narrowly drafted and intended to apply only where there is no adequacy decision and the appropriate safeguards under Article 46 are not feasible. Supervisory authorities expect them to be used for occasional transfers rather than as a routine basis for regular data flows.
The main derogations are:
(a) The data subject has explicitly consented to the transfer, having been informed of the possible risks of the transfer (this will not be straightforward for large organisations transferring the personal data of many individuals, and consent can be withdrawn at any time).
(b) The transfer is necessary for:
- The performance of a contract with the data subject, or pre-contractual steps taken at the data subject’s request;
- The performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- Important reasons of public interest;
- The establishment, exercise or defence of legal claims; or
- Protecting the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
If organisations wish to rely on a derogation, they must document that decision and the reasoning behind it. Records of processing activities kept under Article 30 of the EU GDPR must already identify any third country to which personal data is transferred, so the derogation relied upon should be recorded against that entry.
Top tips for NI organisations
- Review data flows and re-visit data mapping: Knowledge is key to compliance. You need to know where personal data is being sent to and received from to ascertain what additional steps need to be taken, particularly if the UK does not obtain an adequacy decision by the end of the bridging period.
- Check data clauses in contracts: it is likely that international data transfer provisions will need to be updated to reflect the UK GDPR and the fact that the UK is no longer in the EU.
- Consider whether an appropriate safeguard will need to be put in place prior to the end of April 2021: this will most likely be SCCs, and you will need to determine which set of SCCs applies to each transfer (controller to controller or controller to processor).
- Good record keeping: keep a paper trail of any appropriate safeguards or derogations relied upon, including any transfer impact assessment carried out. This is in accordance with the accountability principle under Article 5(2) of the GDPR.
- Keep up to date with official guidance: Keep up to date with updates from the ICO and EU Commission particularly in relation to an adequacy finding and the finalisation of the New SCCs. The European Data Protection Board, Invest NI and UK Government are also useful resources.
- Remember that any additional safeguards already put in place are not wasted: these safeguards will ensure that your organisation is well prepared should the UK not obtain an adequacy decision by the end of the bridging period under the TCA. This thorough approach is endorsed by the ICO, which described organisations that have already implemented additional safeguards as having taken “sensible precautions”.