Staying protected, no matter what happens with Brexit
With UK having left the EU on 31 January 2020, data protection remains an important concern for organisations. Dr Sam De Silva explains the steps needed to ensure you’re on top of things.
At the time of writing the UK is in the transition period – we have left the EU but are still subject to EU law – but this ends on 31 December 2020 .Organisations need to prepare for what happens next but there are a variety of scenarios to consider.
Why take action?
Under existing law, data can flow freely within the EU. However, when the transition period end on 31 December 2020the UK will become, for the purposes of data protection law, a ‘third country’ and be subject to restrictions on the transfer of personal data outside the European Economic Area (EEA). This scenario is similar to the restrictions UK organisations currently face for data transfers to non-EEA countries.
A restricted international transfer is permitted if one of the following three conditions is met:
- The recipient country is judged suitable on the basis of an adequacy decision of the European Commission (EC)
- The establishment of ‘appropriate safeguards’ by the recipient, such as standard contractual clauses (SCCs) adopted by the EC or binding corporate rules (BCRs).
- The ‘Derogations for specific situations’ provided by Article 49 (1) of the GDPR, which provides that transfers, where neither of the above applies, may be carried out if one of the listed conditions (for example, if the transfer is necessary for important reasons of public interest) is fulfilled.
What is adequacy?
This is a mechanism that allows the EC to assess the level of data protection provided in third countries to see if these are essentially of an equivalent level to that of the EU. If a country passes such an assessment, the EC can make an adequacy decision. To date, the EC has recognised the following countries as providing adequate protection: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
The EC’s assessment of adequacy for the US was only in respect of personal data covered by the EU-US Privacy Shield, and therefore is only limited to organisations in the US that sign up to the Privacy Shield framework. However the CJEU ruled in July 2020 that the Privacy Shield was invalid
The UK government has stated that it intends to seek an adequacy decision, but the EC has made it clear that its adequacy assessment will not commence until Brexit is complete. Some commentators consider that this should be a relatively quick process, while others say that it could take years. Some commentators have also suggested that the powers of the UK security services – and, in particular, its bulk interception capability – could stand in the way of an adequacy finding for the UK.
Issues with no deal and GDPR
There are two key issues concerning no deal and GDPR. The first relates to personal data transfers to the UK from the EEA. Here, the key question that needs to be asked is whether any of the EEA-based organisations that process data on your behalf will need to transfer such personal data back to the UK.
If the response is yes, then such a transfer needs to be addressed by an appropriate safeguard or derogation. Unfortunately, most of the derogations listed in the GDPR in relation to international transfers will not be applicable in this business transaction. Under existing law, ‘processor to controller’ SCCs do not exist, so the UK controller cannot simply enter into such clauses with its EU-based processor to ensure compliance.
It would be extremely challenging to ensure compliance in this scenario in the absence of any solution being provided by the privacy regulators. The following, although not providing solutions to this, are some of the matters that will need to be considered:
- Your organisation could enter into ‘controller to processor’ SCCs, which you sign as ‘data exporter’ with your EU processor as ‘data importer’. However, they will not add much in this very particular circumstance, as Article 28 terms go over and above the protections in the SCCs (which pre-date GDPR).
- Your organisation could ask the processor whether its local privacy regulator would be concerned about these transfers. If so, can the processor address such concerns
- Investigate whether your EU processor is making other EU to UK transfers (post-Brexit), such as to its own local branches or other companies in its group. If such transfers are being made (and in the absence of BCRs) explore with the processor why the UK is ‘safe’ for those intra-group transfers, and not for transfers of your data back to your organisation.
- The second issue regarding no deal and GDPR relates to personal data transfers to the UK from ‘adequate’ countries. The key question here is whether any of the organisations that process data on your behalf are based in a country with an adequate assessment and the need to transfer personal data back to the UK. Such countries are likely to have their own local law restrictions on making international transfers of personal data to countries outside the EEA.
The Privacy Shiel
The one-stop shop
Organisations based in the UK are likely to lose the benefit of the one-stop-shop mechanism after Brexit is complete. What this means in practice is that if there is a personal data breach, notification will not only need to be made to the Information Commissioner’s Office but also, if EU citizens’ data is affected, each relevant supervisory authority. The risk is the potential for multiple enforcement actions.
If your organisation is within the territorial scope of the GDPR it will be required to nominate an EU representative under Article 27.
Practical steps for no deal
- Reconsider your data records required under Article 30 and review each of your data processing operations in isolation to identify any affected activities.
- To determine which data protection laws apply, assess the location(s) of your business establishments and the data subjects for each of your processing operations.
- Map any transfers of personal data to/from the UK and assess whether an ‘appropriate safeguard’ is required under GDPR and whether any updates are required for your safeguard(s) to work effectively. Review any contracts governing your data processing and sharing activities to assess whether they need to be amended in order to ensure GDPR compliance.
- Consider whether you need to appoint an EU-based or UK-based representative under GDPR or UK data protection laws.
- Reconsider the requirements to appoint a data protection officer under GDPR and UK law.
This article is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from any action in relation to the matters mentioned in this article.
About the author
Dr Sam De Silva, partner, CMS Cameron McKenna Nabarro Olswang and IT Faculty board member