The transfer of personal data out of the EEA is governed by the EU General Data Protection Regulation (GDPR). This provides that personal data cannot be transferred out of the EEA unless adequate protection of the data is provided. Personal data can flow freely within the EEA and from the EEA to countries benefitting from European Commission Adequacy Decisions. The GDPR provides for additional data export mechanisms to allow personal data to flow to other (or third) countries.
In the absence of an Adequacy Decision
When the UK leaves the EU, it will become a third country for EEA purposes (outside any transitional arrangements). Similarly, there will be rules around exporting personal data from the UK to the EEA under what will become the UK GDPR (see our article for more).
The initial intention of the UK government and the EU was to negotiate an Adequacy Decision for the UK during the transition period. That presumed there would be a deal. In a no deal situation though, it may be some time before adequacy is determined.
EEA and UK organisations relying on cross-border data flows therefore need to ensure that the proper protections are in place before 29 March 2019, the earliest date on which the UK will leave the EU. Going forward, they may also need to put data transfer solutions in place in situations where none would have been required before Brexit.
The UK is doing what it can to ensure that personal data can continue to flow from the UK to the EEA and countries which currently benefit from EU Adequacy Decisions, but issues will arise with data flows from the EEA to the UK.
In some cases (for example Adequacy Decisions), solutions will be provided at UK or EU level. In others, it will be up to organisations to select and enter into the most appropriate data export mechanism. In order to make the best decision, it is important to understand the pros and cons of available protections.
UK Adequacy Decisions
The UK has confirmed that in the event of a no deal Brexit, it will preserve the effect of existing EU Adequacy Decisions on a transitional basis. This means there will be no restrictions on personal data flowing from the UK to Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan.
The UK will also recognise all EEA states, EU and EEA institutions and Gibraltar as providing an adequate level of protection for personal data. This will preserve the free flow of data from the UK to the EEA on a transitional basis.
US Privacy Shield
The EU-US Privacy Shield is a data transfer solution for personal data flowing from the EU to the USA. US organisations importing EU data (whether data controllers or processors) can self-certify under the Privacy Shield that they comply with EU data protection requirements, provided they are regulated by the FTC or DoT.
The effect of the Privacy Shield will be preserved with respect to data flows from the UK after Brexit. US organisations importing UK personal data will need to specify this in their statement and, if importing UK HR data, may need to update their HR privacy policies.
- Particularly useful for data processors and international businesses.
- A single certification will cover an organisation for all EEA/UK data imports.
- No need to sign individual contracts.
- The certification process is relatively straightforward and inexpensive.
- Only the data importer can self-certify but can extend to all affiliates in the USA.
- EU regulators continue to have concerns about the effectiveness of the Privacy Shield, so there is a risk it may not survive, although it recently passed its second annual review.
- There is a requirement to engage directly with EU/UK regulators if handling HR data as well as with US regulators.
- Only open to organisations regulated by the FTC or DoT.
- Not available for financial services providers.
Find out more about self-certification under the Privacy Shield from the Privacy Shield website.
See our article for more detail on the Privacy Shield.
Standard Contractual Clauses
The European Commission has approved standard contractual clauses (known as SCCs or model clauses) as providing an adequate level of protection to personal data which they cover.
If you use these model clauses in their entirety in your contract, you will not have to make your own assessment of adequacy. The clauses are either controller to controller or controller to processor but can't be used between processors and sub-processors.
SCCs are likely to prove the most suitable data export solution for EEA organisations seeking to export personal data to the UK after Brexit. Post Brexit, SCCs can be used when exporting data from the UK to third countries outside the EEA, and when importing data into the UK from the EEA. The UK government will continue to recognise the effect of SCCs entered into before Brexit.
- Available for data flows from controller to controller or from controller to processor, whether you are the importer or the exporter.
- Quick to put in place.
- Provide certainty.
- Low cost.
- Can be integrated into commercial arrangements.
- Liability follows fault, so the party in breach will be held liable for that breach.
- Can be incorporated into a dynamic intra-group agreement for data exports (which can also be shaped as an interoperable data transfer instrument).
- Limited flexibility – if the clauses are altered, they may not be effective.
- Contracts can be directly enforced by data subjects against both controllers and processors.
- Importer subject to local EU law.
- Terms are not business-friendly.
- Cannot be used between data processors.
- Open to legal challenges when used to export personal data from the EEA to the USA (see here for more on this issue).
See our article for more on SCCs.
Binding Corporate Rules
Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside the EEA. They have to be pre-approved by a lead EU regulator (to be determined under set rules). Applicants for approval must demonstrate that their BCRs put in place adequate safeguards for protecting personal data throughout the organisation.
The UK government has said that, after Brexit, the ICO will continue to recognise BCRs entered into before Brexit. It is less clear whether EU regulators will do so, especially where the BCRs are ICO-approved. This means fresh regulator approval may be needed for existing BCRs.
- Provides a single solution for group companies (between intra-group importers and exporters and controllers and processors).
- Can be tailored towards the needs of the particular business.
- Flexibility to accommodate changes in group structure and data flows provided these don't go beyond the scope of the BCRs.
- Avoids the need for numerous contracts within the corporate group covering different transfers of data.
- A single national authority can be used, which will clear the BCRs with all the other national data protection authorities.
- Only a select few entities have achieved BCR approval, although interest is growing stronger.
- The time taken to obtain clearance from all the authorities can be considerable.
- BCRs must be underpinned by a detailed compliance and audit programme, including regular audits and an ongoing training programme for staff handling personal data, particularly those outside the EEA.
- In some Member States BCRs are not currently enforceable although the GDPR will change that (please check with us).
- If the group structure or data flows change beyond the scope of the BCRs, fresh clearance will be required.
See our article for more on BCRs.