The end of the Brexit transition period on 31 December 2020 is rapidly approaching. It's unclear whether a deal between the UK and EU will be agreed, but it's unlikely in any event that any deal will affect UK data protection law, or the transfer of data between the UK and EEA.
UK data protection law will remain aligned with EU GDPR, at least in the short term. The treatment of UK-EEA data transfers will depend on whether the UK receives an 'adequacy decision' from the EU, a process which is independent of the ongoing negotiations but which has a similarly uncertain outcome.
What should organisations do now?
During the transition period, there is no need to take immediate action from a data protection perspective.
However, it would be prudent to use the remaining time to put in place measures to address the potential post-transition data protection implications.
In particular, organisations should:
- Review current international data transfer arrangements and identify any transfers of personal data from the EEA to the UK, and prepare to put standard contractual clauses and/or alternative safeguards in place where necessary, bearing in mind the additional complexity introduced by the CJEU's recent judgment in Schrems II.
- Consider whether there is any alternative EEA supervisory authority that could act as Lead Supervisory Authority (LSA) where the organisation has identified the UK data protection authority, the ICO, as their LSA for any of their processing activities (though remember that this is not a 'forum shopping' exercise and an LSA cannot be artificially selected).
- Consider any other steps which may be required after the transition period, such as appointments of representatives, updates to privacy notices, records of processing, Data Protection Impact Assessments or Data Protection Officer appointments.
What is the position during the transition period?
The transition period established by the Withdrawal Agreement agreed between the EU and UK runs from 31 January 2020 (the date the UK formally left the EU) until 31 December 2020.
During the transition period, the GDPR continues to apply in the UK. The UK Data Protection Act 2018, which supplements the GDPR, also continues to apply, as does the UK's implementation of the E-Privacy Directive (the Privacy and Electronic Communications (EC Directive) Regulations 2003).
Transfers of personal data between the EEA and the UK will not be restricted during the transition period. However, the position may change at the end of transition – see further below.
UK organisations whose processing is subject to the GDPR do not need to appoint a representative in the EEA during the transition period – though again, the position will change at the end of transition.
The ICO will also continue to act as a lead supervisory authority and engage in the co-operation and consistency mechanism under the GDPR during the transition period.
Therefore, the practical impact from a data protection perspective during the transition period is minimal.
What will happen to UK data protection law and regulation after the transition period?
Although the data protection landscape in the UK following the transition period is not certain, it is likely the UK data protection regime will remain closely aligned to the GDPR, at least in the short term.
The default position following the end of the transition period is that the GDPR will be incorporated into UK domestic law, known as the 'UK GDPR'. The UK Data Protection Act 2018 will be updated and sit alongside the UK GDPR.
The ICO will no longer be able to act as LSA under the GDPR after the transition period, and organisations that currently consider the ICO to be their LSA for certain processing activities will need to consider whether they can designate an alternative EEA LSA. In particular, these organisations will need to satisfy themselves that their presence in a particular EEA Member State meets certain substantive thresholds before they can designate that Member State's supervisory authority as their LSA.
Organisations in the UK subject to the extra-territorial scope of the GDPR (such as UK companies with no offices, branches or establishments in the EEA, but which offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA) will be required to appoint a representative in the EEA under the GDPR.
In addition, organisations outside the UK whose processing is subject to the UK GDPR (which will mirror the territorial scope provisions in Article 3 of the EU GDPR) will be required to appoint a UK representative.
Organisations that have appointed a Data Protection Officer (DPO) will also need to ensure that the DPO is accessible from both their EEA and UK establishments (if established in both the EEA and the UK). Where designating a new LSA, organisations should also consider whether they need to notify the new LSA about their DPO.
What about international data transfers?
Data transfers from the EEA to the UK and from the UK to the EEA will continue as normal during the transition period, without further steps being required.
The European Commission is currently undertaking an assessment of the UK's data protection regime, in order to determine whether the UK can be granted an 'adequacy decision' before the end of the transition period. However, despite the UK's membership of the EU and its implementation of GDPR, the grant of an adequacy decision is not guaranteed, either in time for the end of the transition period or at all. As the CJEU's recent judgment in the Schrems II case (discussed further below) demonstrates, law and practice around government surveillance is a key factor in the EU's assessment of third country data protection regimes. In view of the broad powers of the UK authorities to intercept communications and require access to data under the Investigatory Powers Act 2016, there is a real risk that the UK may not be successful in securing an adequacy finding. Companies should, therefore, start to prepare for this possibility and begin to consider alternative mechanisms to legitimise transfers to the UK from the EEA, as discussed in more detail below.
Transfers from the EEA to the UK
If an adequacy decision is in place for the UK by the end of the transition period, data transfers from the EEA to the UK will be able to continue freely.
If no adequacy decision is in place for the UK by the end of transition, the UK will then be treated as a third country for the purposes of the GDPR restrictions on ex-EEA data transfers. Transfers of personal data from the EEA to the UK will need to be legitimised by appropriate safeguards: the most practical option is likely to be the use of standard contractual clauses (SCCs) in contracts with UK data importers, although the adoption of binding corporate rules is an option for intragroup transfers.
The CJEU's recent judgment in the Schrems II case (discussed in more detail in a series of posts on our Connect on Tech blog) adds a further layer of complexity to those safeguards.
The CJEU upheld the validity of the SCCs in Schrems II, so the good news is that the SCCs remain an option for transfers from the EEA to the UK.
However, the judgment places a burden on data exporters relying on SCCs to carry out case-by-case assessments of the extent to which personal data will be protected in the destination country, including in the UK, particularly with regard to the legal regime in that country and access to that data by the national public authorities. Data exporters may also have to consider what supplementary measures might be put in place to ensure the data transferred is sufficiently protected. The European Data Protection Board is currently considering the Schrems II decision to determine the kind of supplementary measures that could be provided in addition to SCCs.
In addition, companies should be mindful that any SCCs could be vulnerable to regulatory scrutiny from EU data protection authorities if in practice it would be impossible for a UK-based data importer to comply with the SCCs. Given the emphasis which Schrems II places on the U.S. authorities' powers of surveillance and access to data, similar arguments could well come up in relation to the powers of the UK authorities in this respect.
As such, given the increased uncertainty that now surrounds reliance on the SCCs, companies transferring data from the EEA to the UK should also begin to consider any alternative mechanisms that might be relied on in their stead (such as binding corporate rules or Article 49 derogations).
It's worth noting that the Schrems II decision remains binding on UK courts (at least until the UK courts depart from it - the extent of the power of the UK courts to depart from EU case law has been the subject of an ongoing consultation and the UK Government has recently indicated its intention to extend this power to the Court of Appeal and similar appellate courts). The above is therefore relevant to transfers of personal data from the UK in reliance on SCCs, both during and after the transition period.
In addition, if no adequacy decision is in place for the UK by the end of transition, organisations should consider whether their existing privacy notices and records of processing need to be updated to reflect the position as to data transfers to the UK.
Transfers from the UK to the EEA
For transfers of personal data from the UK to the EEA, the UK government has indicated its intention to ensure that personal data can continue to flow freely from the UK to the EEA following the transition period and intends to recognise the EEA and jurisdictions subject to an adequacy decision by the European Commission as 'adequate' for the purposes of UK data protection law. This will allow personal data to continue being transferred from the UK to the EEA without needing to put additional safeguards in place.