Data and Brexit – the latest decisions

Although the UK has now left the EU and signed a trade agreement with it, the two sides were unable to decide whether there should be any changes to the rules on data transfers from the EU to the UK and have further deferred the question by agreeing a bridging period that will last 6 months at most and continues to allow transfers on the same basis, for now.

This update explains:

• the impact of the end of the Transition Period
• what has changed or is going to change
• the requirement to appoint a representative in the EU
• the action you need to take now.

The end of the Transition Period

• the UK GDPR has replaced the existing EU GDPR from 31st December 2020 at 11 pm
• UK GDPR maintains all of the main principles, obligations and rights, meaning that for most businesses there are no changes to how they have to handle data
• the existing EU GDPR will continue to apply, unchanged, in the countries of the EEA
• the EU has not yet decided whether UK laws provide adequate protection to EU citizens’ personal data.

What has changed or is going to change?

Sending data from the UK to the EEA

The UK government and the ICO had already confirmed that transfers to the EEA from the UK would be unaffected.

Receiving data from the EEA in the UK

The UK government has announced that the trade agreement will allow data to flow freely from the EU (and EEA) to the UK during a bridging period of no more than six months. They intend that the EU will issue an adequacy decision about the UK before the end of the six months. The process is underway at the moment. An adequacy decision is a decision which shows that the European Commission has accepted that local data protection laws are acceptable and would mean largely uninterrupted data flows from the EEA to the UK, as we currently have.

What happens if there is no adequacy decision?

Transfers from the EEA to the UK would be illegal unless the parties could put appropriate safeguards in place or rely on an exemption.

The ICO have recommended for some time that businesses should pre-emptively put alternative measures in place to avoid disruption or interruption to the free flow of data from the EEA to the UK.

What alternative measures can be used?

The ICO’s guidance is that most businesses should put Standard Contractual Clauses in place in case the UK is not granted an adequacy decision, although there are other ways to ensure appropriate safeguards are in place. Businesses may want to provide that the standard clauses would only apply if there is no adequacy decision.

Be aware that since the Schrems II case, it seems that a documented case-by-case assessment will be required for any transfer using these mechanisms to ensure the data subjects remain protected to an ‘essentially equivalent’ standard as under EU and UK law. If the assessment shows that to be unlikely, the parties will need to make further arrangements which may be contractual, organisational or technical or a combination of all three.

Sending data from the UK to a non-EEA country

The UK government has confirmed that UK businesses will be able to rely on the same mechanisms as under the EU GDPR – adequacy decisions, appropriate safeguards, exceptions.

However, you will need to make sure that you comply with the new assessment requirements of Schrems II, above.

Appoint a representative in the EU

If you do not have an establishment in the EU but you collect or process data about EU citizens, you will likely need to appoint an EU representative to be your point of contact for all data-related queries from individuals and regulators in the EU.

The representative needs to be identifiable in your privacy notice and on your website. In practice, the easiest way to appoint a representative may be under a simple service contract.

What action do you need to take?

• if you receive data from the EEA, decide whether you need to put new measures in place in case there is no adequacy decision.
• update your privacy notices, data processing records, policies, and template documents to make sure you have the right references to relevant legislation and accurate descriptions of international transfers and the basis on which such transfers take place.
• if you don’t have an establishment in the EU and process EU citizens’ data, appoint an EU representative as your point of contact for individuals in the EU.

If you wish to discuss anything in this article or for other Corporate and Commercial matters, please do not hesitate to contact us by emailing enquiry@ashtonslegal.co.uk.