Preparing for EU Exit: Data Protection
The end of the EU Exit transition period, which is just a few weeks away, will bring specific implications for transfers of personal data between the EU and UK.
At present data transfers between the UK and countries in the EU are able to continue as normal due to the UK’s continued recognition of the EU General Data Protection Regulation (EU GDPR). The regulations streamline the data protection landscape across all EU member states.
After 31 December 2020 this will change and businesses are advised to prepare now. This feature, which follows our webinar with Arthur Cox, details the changes you need to know and what you can do now to prepare.
What happens at the end of the EU Exit transition period?
By virtue of the European Union (Withdrawal) Act 2018, the EU GDPR will be incorporated into the UK’s domestic law as the UK GDPR. As a result, the Information Commissioner’s Office (ICO) has stated that following our EU Exit, the key data protection principles and obligations will remain the same. It is worth taking time to read the ICO Guidance.
Data transfers from the UK to EU
The UK Government has confirmed that it will continue to recognise the protection offered in EU member states by virtue of the EU GDPR. This means that personal data transfers from the UK to the EU can continue as normal.
Data transfers from the EU to UK
The UK is going to be viewed as a “third country” for the purposes of the EU GDPR. This means that transfers of personal data from EU member states into the UK will be outside the protection of the EU GDPR (i.e. “restricted”) unless the UK obtains an adequacy decision from the EU Commission. An adequacy decision would see the EU Commission formally determine that the UK offers an equivalent level of data protection to EU member states, enabling data transfers to continue freely.
However, it is looking increasingly unlikely that the UK is going to obtain an adequacy decision by the end of the EU Exit transition period.
If this is the case, transfers of personal data coming from EU member states into the UK will be “restricted” and an additional transfer mechanism under Article 46 of the GDPR will be required, namely:
- EU Standard contractual clauses (“SCCs”); or
- Binding corporate rules.
The ICO has confirmed that in reality most organisations will only have the option of relying on the SCCs. This is because binding corporate rules, which are essentially an internal code of conduct, only cover data transfers within a corporate group and are subject to a lengthy approval process.
What are SCCs?
SCCs are model contractual clauses currently available for the following scenarios:
- EU controller to processor in a third country; and
- EU controller to controller in a third country.
SCCs are quick and easy to implement because they cannot be amended and must be used in their entirety.
On 12 November 2020, the EU Commission published draft updated SCCs (“New SCCs”).
The New SCCs aim to address the gaps from the previous SCCs and will also cover the following transfer scenarios:
- EU processor to sub-processor in a third country; and
- EU processor returns personal data to a controller in a third country.
The New SCCs reinforce the additional obligation that data controllers sending personal data outside the EEA should assess whether the recipient country offers adequate protection, as highlighted by the European Court of Justice in Schrems II. In practice this could mean carrying out a review of the specific circumstances of the data transfer and the legal regime of the recipient country.
It is hoped that the New SCCs will be finalised at the beginning of 2021. Organisations will then have a one year timeframe to put the New SCCs in place.
What can you do if a transfer mechanism under Article 46 does not apply?
There are also derogations under Article 49 of the GDPR, albeit these are narrowly drafted and only intended to apply if the additional safeguards under Article 46 of the GDPR are not feasible.
The main derogations are:
(a) The data subject has explicitly consented, having been informed of the possible risks of the transfer (this will not be straightforward for large organisations transferring the personal details of many individuals).
(b) The transfer is necessary for:
- Performance of a contract with the data subject;
- The performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- Public interest reasons;
- Exercise, establishment or defence of legal claims; and/or
- Protecting vital interests of data subjects.
If organisations wish to rely on a derogation, they must document this decision in their records of processing activities in accordance with Article 30 of the GDPR.
What can Northern Ireland organisations do to prepare for the end of the transition period?
- Review data flows and re-visit data mapping: Knowledge is key to compliance. You need to know where personal data is being sent to and received from to ascertain what additional steps need to be taken.
- Check data clauses in contracts: it is possible that international data transfer provisions will need to be updated to reflect the UK GDPR and the fact that the UK is no longer in the EU.
- Consider whether an appropriate safeguard will need to be put in place: This will most likely be SCCs, and you will need to determine which set of SCCs will apply.
- Good record keeping: Keep a paper trail of any appropriate safeguards or derogations relied upon. This is in accordance with the accountability principle under Article 5 of the GDPR.
- Keep up to date with official guidance: Keep up to date with updates from the ICO and EU Commission, particularly in relation to the finalisation of the New SCCs. The European Data Protection Board, Invest NI and UK Government are also useful resources.