Preparing for EU Exit: Data Protection

GDPR

The end of the EU Exit transition period, which is just a few months away, will bring specific implications for transfers of personal data between the EU and UK.

At present data transfers between the UK and countries in the EU are able to continue as normal due to the UK’s continued recognition of the EU General Data Protection Regulation (EU GDPR). The regulations streamline the data protection landscape across all EU member states.

After 31 December 2020 this will change and businesses are advised to prepare now. This feature, which follows our webinar with Arthur Cox, details the changes you need to know and what you can do now to prepare.

What happens at the end of the EU Exit transition period?

By virtue of the European Union (Withdrawal) Act 2018, the EU GDPR will be incorporated into the UK’s domestic law as the UK GDPR. As a result, the Information Commissioner's Office (ICO) has stated that following our EU Exit, the key data protection principles and obligations will remain the same. It is worth taking time to read the ICO Guidance.

The UK is still going to be viewed as a “third country” for the purposes of the EU GDPR. This means that transfers of personal data from the UK into EU member states will be outside the protection of the EU GDPR (i.e. “restricted”) unless the UK obtains an adequacy decision from the EU Commission. An adequacy decision would see the EU Commission formally determine that the UK offers an equivalent level of data protection to EU member states, enabling data transfers to continue freely.

However, it is looking increasingly unlikely that the UK is going to obtain an adequacy decision by the end of the EU Exit transition period.

If this is the case, data transfers from the UK to the EU will be “restricted” and an additional transfer mechanism under Article 46 of the GDPR will be required, namely:

  • EU Standard contractual clauses (“SCCs”); or
  • Binding corporate rules.

The ICO has confirmed that in reality most organisations will only have the option of relying on the SCCs. This is because binding corporate rules only cover data transfers within a corporate group.

What are SCCs?

SCCs are model contractual clauses available for the following scenarios:

  • EU controller to processor in a third country; and
  • EU controller to controller in a third country.

SCCs are quick and easy to implement because they cannot be amended and must be used in their entirety.

The validity of SCCs was the subject of a recent legal challenge in the case of Schrems II. Fortunately the European Court of Justice (ECJ) ruled that the SCCs remain a valid transfer mechanism, subject to additional due diligence being carried out.

The ECJ recommends that:

  • Controllers sending personal data outside the EEA should assess whether the recipient country offers adequate protection, for example, reviewing the specific circumstances of the data transfer and the legal regime of the receiving country.
  • Parties assess whether any further protections beyond SCCs may be required. (Further guidance is awaited on what these further protections may be).

What can you do if a transfer mechanism under Article 46 does not apply?

There are also derogations under Article 49 of the GDPR, albeit these are narrowly drafted and only intended to apply in limited circumstances.

The main derogations are:

(a) The data subject has explicitly consented, having been informed of the possible risks of the transfer (this will not be straightforward for large organisations transferring the personal details of many individuals).

(b) The transfer is necessary for:

  1. Performance of a contract with the data subject;
  2. Public interest reasons;
  3. Exercise, establishment or defence of legal claims; and/or
  4. Protecting vital interests of data subjects.

What can you do now to prepare?

  • Review data flows and re-visit data mapping: Knowledge is key to compliance. You need to know where personal data is being sent to and received from in order to ascertain what additional steps need to be taken.
  • Check data clauses in contracts: it is possible that international data transfer provisions will need to be updated to reflect the UK GDPR and the fact that the UK is no longer in the EU.
  • Consider whether an appropriate safeguard will need to be put in place: This will most likely be SCCs, and you will need to determine which set of SCCs will apply.
  • Good record keeping: Keep a paper trail of any appropriate safeguards or derogations relied upon. This is in accordance with the accountability principle under Article 5 of the GDPR.
  • Keep up to date with official guidance: Follow updates from the ICO, particularly as amendments to the SCCs are anticipated. The European Data Protection Board, Invest NI and the UK Government are also useful resources.

We also have a series of webinars and clinics this autumn. You can register now for:

Comments

Clara D. Thompson

Thank you so much for the information.
Looking forward to a new post.