The departure of the United Kingdom from the EU at the end of the transition period on 1st January 2021 has resulted in changes to data protection rules. These changes will affect businesses that share personal information about their customers, staff and suppliers between the UK and Europe. In the short term at least, data transfers can continue as before thanks to a ‘bridging mechanism’ agreed in December; however, this is not a permanent solution. Further, while data protection law in the UK and the EU is currently aligned, it may diverge in the future. Businesses that share personal data between the United Kingdom and Europe must keep an eye on the potential changes, so that they can prepare.
The General Data Protection Regulation (GDPR) prohibits the transfer of personal data from countries in the European Economic Area (EEA) to ‘third countries’ that do not ensure an adequate level of protection. The EEA consists of the EU Member States, plus Norway, Iceland and Liechtenstein. The UK became a ‘third country’ on the first of January this year, when the transition period ended. Under the GDPR’s data transfer provisions, organisations in the EEA would ordinarily be prevented from sharing personal data with their UK counterparts unless they have implemented appropriate safeguards. Prior to the end of the transition period, there was widespread concern that a ‘no deal’ Brexit could restrict the sharing of personal data between Europe and the United Kingdom. Clearly, this would be problematic for business.
The EU and the United Kingdom concluded a Trade and Cooperation Agreement on 24th December 2020, thereby averting the problem in the short term, at least. Among other things, the Agreement provides a bridging mechanism which enables the continued flow of personal data from the EEA to the UK for up to six months (until June 2021). The bridging mechanism is intended as an interim measure to allow time for the European Commission to finalise its adequacy assessment of the UK. An adequacy finding by the Commission would enable personal data to be freely transferred between the UK and the EU Member States.
It is not a foregone conclusion that the Commission will make such an adequacy finding in favour of the UK. One significant obstacle is the controversial Investigatory Powers Act 2016, aka the ‘Snoopers’ Charter’. A criticism of the Act is that it confers excessive powers on the government to carry out indiscriminate surveillance. Excessive government surveillance powers were essentially what led the European Court of Justice (CJEU) to declare the EU-US Privacy Shield to be invalid. Accordingly, the UK not being granted an adequacy decision is a genuine possibility. There is also an important proviso regarding the bridging mechanism: if the UK amends its domestic data protection laws without the agreement of the EU, the bridging mechanism will be terminated. In the absence of an adequacy finding by June 2021, or if the UK amends the UK GDPR, thereby terminating the bridging mechanism early, businesses would need to rely on an alternative data transfer solution.
The Standard Contractual Clauses
For most organisations that transfer personal data out of the EEA, the appropriate safeguard would be the Standard Contractual Clauses (SCCs). The SCCs enable the transfer of personal data from the EEA to third countries that do not ensure adequate protection of personal data. However, organisations should consider the impact of the Schrems II decision.
Following Schrems II, the European Data Protection Board (EDPB) published recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. The EDPB is an independent advisory body whose function is to ensure the consistent application of the GDPR in EU Member States and to promote cooperation between the European data protection authorities. In its Recommendations, the EDPB observes that controllers and processors that export personal data to third countries must, in collaboration with the data importer, ensure that personal data remains protected. They must verify, on a case-by-case basis, that the law or practice of the third country to which personal data is transferred does not impinge on the effectiveness of the data transfer solution adopted. Where local law or practice does impinge on the effectiveness of such safeguards, supplementary measures may be adopted to bring the level of protection into line with EU standards. However, the Recommendations state that if EU data protection standards cannot be met, then personal data may not be transferred.
In the case of data transfers from the EEA to the United Kingdom, such analysis would have to take into account the effect of the Investigatory Powers Act. If the Act was found to impinge on the effectiveness of the SCCs, to the extent that no supplementary measures could ensure an EU level of data protection, then data transfers to the UK would be prohibited.
The UK retained the GDPR in domestic law, as supplemented by the Data Protection Act 2018 (as amended). The ‘UK GDPR’ includes the same key principles and obligations as the GDPR in Europe. However, the UK is now free to amend the legislation. The Government is currently consulting on a National Data Strategy, which has been interpreted by some as an indication that UK data protection law may be amended in the near future. If the UK GDPR were to significantly diverge from its European equivalent, this could potentially result in the termination of the bridging mechanism.
The UK GDPR applies to organisations that are established in the UK and to those that are established outside the UK but which offer goods or services to, or monitor the behaviour of, individuals in the UK. Conversely, UK businesses that offer goods and services to citizens in the EU, or monitor the behaviour of citizens in the EU, will be subject to the GDPR. The GDPR will also apply to ‘legacy data’ collected by UK organisations prior to the end of the transition period. Accordingly, UK businesses with a European client base are likely to find themselves subject to both the UK GDPR and the GDPR in the Member States where their clients are located. While the two regimes are aligned, this may not be problematic; however, prudent businesses will keep a keen eye on divergence.
Implications for business
UK businesses that already comply with the GDPR and do not have customers or contacts in the EEA are unlikely to be significantly affected by the changes. UK businesses that receive personal data from contacts in the EEA will need to keep a close eye on the changes and prepare for the possibility of the bridging mechanism ending without an adequacy finding being made. UK businesses with a presence or customers in the EEA will need to comply with both UK and EU data protection rules, and may need to appoint a representative. Businesses should also identify any personal data collected from individuals in EEA countries prior to 1st January 2021; in the absence of an adequacy decision, such ‘legacy data’ will remain subject to the GDPR as it applied in the EU on 31st December. As far as an adequacy decision is concerned, prudent businesses should hope for the best and plan for the worst.
About the Author
James Castro-Edwards is a solicitor and has specialised in data protection since 2006. James is a partner at City of London law firm Wedlake Bell LLP (https://wedlakebell.com/), where he leads the data protection team, as well as the firm’s outsourced data protection officer service, ProDPO (https://prodpo.com/).