The continued flow of customers’ and employees’ personal data is vital to many businesses, supply chains and public authorities to ensure effective functioning.
UK organisations can currently transfer personal data freely between the UK and the European Economic Area (EEA) under the provisions of the EU-UK Withdrawal Agreement. However, from 31 December 2020, the UK will become a “third country” and two sets of rules will begin to apply: the UK transfer rules and the EU transfer rules (applicable to data from the EU and EEA).
From the end of the transition period, the UK government has stated that restricted personal data transfers outwards from the UK to the EEA will be permitted, as they currently are under the EEA data protection laws, the adequacy of which the UK intends to recognise. However, the framework will be kept under review by the UK regulatory authorities.
The European Commission and the UK government are currently undertaking an adequacy assessment, with the intention remaining for the Commission to reach an adequacy decision prior to the end of the transition period, so that data can continue to flow freely from the EEA to the UK.
With the test for adequacy being “equivalent as” and not “identical to”, the fact that no other sovereign nation has uniquely approached the assessment as a former EU member state, with an almost identical legal framework, provides optimism for UK organisations in the absence of a guarantee.
Common concerns
Despite the adequacy assessment being separate and distinct from the broader UK-EU negotiations, there are common concerns that overlap to form potential barriers to a positive adequacy decision, including:
- The UK’s stated objective of developing a sovereign data protection system, indicating a divergence from the EU in the future
- The UK Data Protection Act 2018’s exemption for processing personal data for immigration purposes
- The UK’s legal framework on the retention of electronic telecommunications data
- The UK government and law enforcement authorities’ access to data (and potential onward transfer to the US) for national security, law enforcement and mass surveillance purposes, which the Court of Justice of the European Union has placed at the forefront in both the Schrems I and Schrems II decisions.
Anticipating that an adequacy decision may not be available beyond the end of the transition period, UK organisations should begin to prepare for the implementation of the other permitted safeguards and derogations to ensure business-critical continuity with the EEA, as follows:
- Standard contractual clauses (SCCs) will be the best approach for the majority of UK organisations, so long as they are applied appropriately and correctly. SCCs cannot be used for EU-based processor to UK-based controller transfers and are recommended for small or medium-sized businesses. The Commission is in the process of updating the SCCs, which the UK government has stated it intends to recognise following the end of the transition period. The application of the new SCCs to UK organisations should be considered and prepared well in advance of the transition end date, once the Commission makes these available.
- Ad hoc contractual clauses: Modifications to SCCs, beyond those set out by the Commission or European Union Data Protection Board, would be considered tailored clauses. If not already approved, authorisation by the national supervisory authority is required.
- Binding corporate rules (BCRs): Large UK organisations or multinational companies with UK/EEA operations may enter into rules recognising the UK as a third country and governing transfers of personal data within the group. The UK government has stated its intention to recognise BCRs authorised under the EU process before the transition end date. Under the General Data Protection Regulation, BCRs must be approved by the Information Commissioner.
More to come
At present, no sector-specific Codes of Conduct and Certification Mechanisms (CCCMs) governing safe international transfers have been published. However, the ICO has stated that it intends to work on developing CCCMs and will continue to do so after the transition end date.
For UK organisations with restricted transfers not covered by an adequacy decision, or an appropriate safeguard, a transfer can only be made if it falls within one of the Article 49 exceptions; the UK organisation should consult the supplemental laws applicable to the derogation and be mindful that the organisation will need to check for and adjust to different member state approaches in the relevant area(s).
As the deadline looms, without significant progress in the negotiations between the UK and the EU, it is increasingly important for organisations to assess their data transfer arrangements now.
Clyde & Co has published a report – Data protection: legal regulatory and practical considerations post-Brexit – available at: www.clydeco.com/en/insights/2020/11/data-protection-legal-regulatory-and-practical-con
© Commercial Risk Europe