Brexit, your business and data: personal data transfers - updated January 2021

Overview

Since this article was written, the European Commission has released a draft data adequacy decision in favour of the UK which, once formally approved, will govern personal data transfers from the EEA to the UK.

This briefing was updated in January 2021 to take account of the UK-EU Brexit trade deal, in particular the temporary 'data bridge' provisions of that agreement.

Organisations have had to take a number of measures to ensure that they are prepared to deal with the fallout from Brexit. One of these has been reviewing the impact that Brexit will have on the processing of personal data and the steps which an organisation will need to put in place to address that impact.

This briefing is one of two in which we explore the implications of Brexit for UK businesses and their use of personal data. In this briefing we look at how transfers of personal data between the UK and the EU are regulated, now that the transition period has come to an end, and taking into account the temporary 'data bridge' which formed part of the UK-EU Brexit trade deal.

Our second briefing looks at how: 

  • UK businesses operating within the EU will need to adjust to having a new regulator; and

  • UK businesses dealing with EU citizens and their personal data will need to have appointed a representative in the EU.

At the time of writing, the UK has formally left the EU (on 31 January 2020), and the transition period came to an end on 31 December 2020. 

Has the UK's data protection standard changed?

The UK's data protection standard did not change during the transition period. The European Union (Withdrawal) Act 2018 transposed the General Data Protection Regulation 2016/679 (GDPR) onto the UK statute book so that it could continue to apply in the UK during the transition period. Additional legislation came into effect at the end of the transition period, which 'anglicised' certain aspects of GDPR (and the Data Protection Act 2018) so that it would make sense when applied as part of UK domestic law, effectively creating a 'UK GDPR' which now applies, essentially, to the processing of personal data by UK based controllers and processors (in the context of activities related to their UK bases), and to the processing of personal data about UK data subjects as a result of the offering of goods and services to them, or the monitoring of their behaviour.

Although the standard is largely the same, difficulties arise when considering the implications of the status change of the UK now that it is a "third country", in particular in relation to data flows. The issue has not been helped by last summer's ruling of the Court of Justice of the European Union (CJEU) in Schrems II.

What is the problem with data flows?

The GDPR allows for unrestricted personal data flows between EU and EEA member states. However, problems potentially arise with data transfers to third countries outside the club, as they may not have the same high standards as GDPR to ensure the continued safety of personal data leaving the EEA and within scope of GDPR protection.

The GDPR treats such transfers as restricted transfers and requires organisations to only transfer personal data in these circumstances using a GDPR compliant safeguarding mechanism, or in reliance on a GDPR sanctioned derogation – unless the destination country has had an adequacy decision made in favour of it by the European Commission (essentially, confirmation by the EU that it considers that country to be a safe destination for personal data caught by GDPR). Safeguarding mechanisms include EU approved standard contractual clauses, also known as 'model clauses', which oblige the transferor and the recipient in the destination country to comply with contractual obligations to keep the data safe; there are also other derogations, which we refer to briefly later on in this briefing.

So, the question is, what happens to data flows between the UK and the EEA now that the UK has become a third country?

UK data flows to the EEA

The Data Protection Act 2018 includes a new schedule which deems the EU and the EEA adequate for the purpose of transferring personal data from the UK, so that transfers of personal data within scope of UK GDPR, from the UK to the EEA continue to be permitted, without the need for organisations to put additional measures in place. 

UK data flows to other third countries (outside the EEA)

The EEA has passed adequacy decisions with respect to a number of third countries (at the time of writing, 12 countries including Canada and Japan). Legislation which came into effect at the end of the transition period states that the UK will continue to recognise these adequacy decisions when it comes to transferring UK personal data to recipients based in those countries. Data transfers from the UK to the US are trickier, since the CJEU in Schrems II found that the EU-US Privacy Shield, which governed data transfers between the EEA and the US, could no longer be relied on as a valid mechanism for transferring personal data from the EEA to the US (please see our recent briefing for further details about this judgment). This means that EEA and UK based organisations transferring personal data to the US will have to rely on a safeguarding mechanism or derogation, to the extent available in the particular circumstances.

The same legislation states that EU model clauses will continue to be recognised as a valid safeguarding mechanism (where appropriate) under which organisations in the UK can transfer personal data. Similarly, existing model clause contracts which are in place to govern the export of data out of the UK will continue to be recognised, though for the reasons outlined below, Schrems II might well have created difficulties on this front, particularly in relation to onward transfers of data which originated in the EEA.

EEA data flows to the UK, and the temporary 'data bridge'

Transfers of personal data within the scope of GDPR, from the EEA into the UK, might not have been simple, now that the UK is formally treated as a third country, but for the data bridge that has been agreed as part of the Trade and Co-operation Agreement which was settled between the EU and the UK on Christmas Eve last year (TCA).

The data bridge provides a grace period lasting until the end of April 2021, with the potential for extension up to the end of June 2021, during which time EEA based controllers may continue to lawfully transfer personal data from the EEA which is within GDPR scope, to their UK counterparts, without the need to put in place additional measures such as model clauses. The bridge is intended to provide a temporary reprieve while the EU reaches a decision about whether to grant an adequacy decision in favour of the UK. It is conditional on the UK not changing its data protection laws or standards or exercising certain designated powers during the period in which the bridge is in place without the EU's consent, including for example, the issuing by the ICO of its own set of model clauses for data transfers.

Ostensibly this provides much needed breathing space for EU based controllers – and those in the UK reliant on data flows from the EEA. This is particularly welcome because the judgment in Schrems II has meant that relying on model clauses as your safeguarding mechanism for data transfers is not as straightforward as it was once viewed.

The continuing fallout from Schrems II

In Schrems II, the CJEU reiterated that using model clauses as your safeguarding mechanism for data transfers requires prior consideration of the adequacy of measures in the destination country for keeping the data safe, both those taken by the data importer and also the wider data protection regime and other relevant laws of the destination country. Subsequent draft guidance released by the European Data Protection Board (EDPB) in November last year to support the judgment in Schrems II essentially confirms this notion of a transfer risk assessment, and sets out the supplementary technical, organisational or contractual measures which must be put in place if the local law assessment confirms that the destination country's laws do not reach an essentially equivalent standard of protection to that provided by EU GDPR. If such measures can't be put in place, then the data transfer must be halted.

Further fallout from Schrems II includes the expedited release by the European Commission of a draft set of more modernised standard contractual clauses. These are intended to address some of the issues raised in Schrems II, and also to recognise the greater variety of international data transfer scenarios that now exist. The consultation period in respect of the clauses has now closed, and it is expected that they will be adopted early this year. If they are adopted, organisations relying on the current set of model clauses will have a year to re-paper their arrangements so as to put in place the new clauses.

For a more detailed explanation of the EDPB guidelines and the draft standard contractual clauses, please see our briefing summary from our webinar on International Data Flows that we hosted in November.

However, it is worth bearing in mind that while the data bridge works for now and has bought some time, it only really helps if an adequacy decision materialises in the very near future. If the EU takes its time in reaching a decision, then organisations will very soon find themselves in the same situation as they did immediately prior to the end of the transition period, when they were left wondering whether they should go through the expense and burden of putting in place post Schrems II style standard contractual clauses (exacerbated by the timing of the new draft clauses and the requirement, once they are adopted, to re-paper existing arrangements with them), or risk waiting to see if the issue would be addressed by the TCA. For those controllers which export a lot of personal data to many different recipients based in the UK, the process of putting in place standard contractual clauses and carrying out the requisite transfer risk assessment will take time and needs to be initiated sooner rather than later.

What should businesses do?

The data bridge provides a welcome reprieve – for now – but four, or potentially six, months is not a great deal of time for putting in place any necessary safeguarding mechanisms if an adequacy decision fails to materialise.

Therefore, to the extent that businesses did not undertake this exercise prior to the end of the transition period, they should now use the additional time to map out their data transfers – in particular, identifying those transfers from the EEA to the UK which are materially important to their businesses – and consider the safeguarding mechanism or derogation that they would rely on (and how they would put it in place) in the event that the EU declines to grant an adequacy decision, so that they are ready to put the wheels in motion if need be.

Are there any other options?

It may be possible for businesses to rely on the derogations set out in the GDPR for specific situations, which allow for the transfer of data from the EEA to a third country in the absence of an adequacy decision, model clauses or binding corporate rules (see below for an explanation of what these are). Examples include explicit consent, contractual necessity and cases relating to legal claims. However, use of these derogations was intended to be limited, hence their only being permitted for very specific situations and if certain conditions are satisfied.

This means that in practice, whilst the derogations could be useful for occasional transfers in particular circumstances, they are unlikely to be an effective ongoing solution in the long term.

What about binding corporate rules?

Binding corporate rules (BCRs) are another GDPR mandated safeguarding mechanism, designed to allow multinational groups of companies to transfer personal data from the EEA to their affiliates located in third countries. As with standard contractual clauses, applicants must demonstrate that their BCRs put in place adequate safeguards for protecting personal data throughout the group, and the rules must be authorised for use by an organisation's lead data protection authority, liaising with the data protection authorities in other EU member states. For many UK based organisations this would, until the end of the transition period, have been the ICO. Going forward, any multinational group which might have relied on the ICO as its lead supervisory authority for the purpose of approving its draft binding corporate rules will have to identify, to the extent possible, a new lead supervisory authority in the EU and apply to it for authorisation.

As well as the fact that BCRs can only be considered for use between entities in the same group of companies, the requirement to identify an appropriate lead supervisory authority (please see our briefing for further information on this) and then apply for approval makes this a rather lengthy and involved process (albeit that the use of standard contractual clauses, particularly in light of Schrems II is also now a rather lengthy and involved process).

In addition, under UK GDPR, corporate groups which had BCRs in place as issued under previous data protection law, and approved by a data protection authority other than the ICO, are required now to resubmit those binding corporate rules to the ICO for specific approval, before 30 June 2021, in order for UK data transfers to be automatically covered by them.

Will the EU pass an adequacy decision in respect of the UK?

It is hoped, from the point of view of business continuity, that an adequacy decision will be granted by the EU, and commentators have pointed out that the fact that a data bridge has been provided in the interim is indicative that a decision in the near future is in the pipeline. That said:

  • Schrems II has raised the bar on data transfers, and the European Commission must ensure that the UK has essentially equivalent standards of data protection, particularly if any challenges to an adequacy decision are to be successfully defended. The CJEU's decision in a case brought by Privacy International against a number of European countries in October last year, has already highlighted that the UK bulk data collection regime under its mass surveillance laws is incompatible with EU data protection laws.

  • Adequacy decisions are not indefinite. These decisions are subject to ongoing review and therefore are capable of being withdrawn at any time, which would bring UK businesses back to square one regarding their ability to process data from the EU.

  • Whilst an adequacy decision would in many ways be the most pragmatic outcome for EU based organisations and their UK counterparts, it does tie the UK Government's and the ICO's hands somewhat. The Schrems II case and its fallout, together with other recent developments in EU law, suggest that the EU is getting tougher and more protectionist about its personal data, and there was a hope, as suggested in the UK's National Data Strategy, that the UK might be able to forge a more practical approach towards cross border data sharing which would be of greater benefit in particular to many tech sector based businesses.

Clearly, despite the data bridge in the TCA, there remain a number of factors to consider when evaluating future ability to transfer personal data from the EEA into the UK, and the decision in Schrems II has exacerbated what was already an uncertain situation, creating a somewhat unsatisfactory state of affairs for organisations in terms of their Brexit strategy. Whilst many of us will still be keeping our fingers crossed for a speedy adequacy decision, if you haven't already done so, it would be prudent, pending any such decision, to use the next four to six months to analyse the data transfers into the UK in respect of your business and their current legal basis to identify the data flows which are most at risk and how they can be secured going forward.

  1. Organisations should analyse their data flows from the EEA into the UK (together with any onward transfers of such data to other third countries) and the current legal basis, to identify those flows which are most at risk if an adequacy decision does not materialise during the period of the TCA's data bridge.

  2. In spite of all this, in the absence of adequacy, the most sensible option to ensure you are able to continue receiving data from the EEA seems to be the implementation of standard contractual clauses, though for the reasons outlined above, it may be wise to wait if possible before putting them in place, to see a) if the new draft standard contractual clauses are approved any time soon (so that you don't have to go through a costly repapering exercise) and b) in case an adequacy decision is forthcoming in the meantime. However, the key is to be prepared so that you are able to respond quickly to developments by:

  • working out your data flows;

  • pinpointing your material data transfers (i.e. those which are business critical, high volume or high risk);

  • identifying with whom you might need standard contractual clauses to govern the transfer, and the practical supplementary measures that you could put in place to meet Schrems II/EDPB guideline requirements.

For an update on the EU's recent adequacy decisions in respect of the UK, please read our Brexit: UK gets data adequacy decision briefing.
