What Happens to the GDPR Post-Brexit?
This article provides high level information regarding Brexit and GDPR. This article is aimed at UK organisations. It covers the major points of the current situation. It is not meant to be exhaustive, and organisations should undertake their own research and study.
The UK and EU have agreed to delay personal data transfer restrictions until May 2021 (with the option to extend this to July 2021) or until an adequacy decision by the EU has been reached. In layman's terms, this means that they have effectively extended the transition period specifically for the GDPR. Until then, business as usual can continue; however, this may change within the next 6 months and you should be prepared. Organisations now have limited time to consider their positions and execute the appropriate actions for different scenario outcomes.
Key Points of Post-Brexit GDPR
- There is now a 'UK-GDPR'. The UK has written into law what is now being named the 'UK-GDPR'.
- The UK-GDPR is currently functionally identical to the EU-GDPR but is a separate piece of UK legislation.
- This means that the UK-GDPR legislation can be altered separately by the UK government. Our expectation is that it would mirror many of the future changes in the EU-GDPR.
- The Data Protection Act and PECR (Privacy and Electronic Communications Regulations) are already within UK law and thus there is no change with these.
- In the eyes of the EU, the UK is now considered to be what is known as a ‘third country’. This is because the UK is no longer part of the EEA.
- Currently, the EU is making an adequacy decision about the UK. If the UK is granted adequacy status by the EU, then the UK's status will change from 'third country' to 'adequate country'. Adequacy means a country or territory that is recognised under EU Data Protection Laws as providing adequate protection for Personal Data.
- If the UK is assessed as adequate, then the contracts between organisations in the UK and the EEA need to be checked and modified appropriately to recognise that the UK is no longer in the EEA and, if necessary, specify UK-GDPR and EU-GDPR.
- If the UK is not assessed as Adequate, then contracts between senders of data from the EEA and receivers of data in the UK will need to be modified to ensure there is adequate data protection. Examples of modifications could be the use of the Standard Contractual Clauses (SCCs).
- The UK has adopted all adequacy decisions that the EU has granted. The UK's Information Commissioner's Office (ICO) has copied all existing adequacy decisions that were made by the EU Commission. Under the UK-GDPR, all transfers that were allowed under the EU-GDPR are allowed under the UK-GDPR. Important Note: Due to the unknown adequacy status of the UK under the EU-GDPR, the reverse is not true.
What should I do as an organisation either controlling or processing personal data in the UK?
- The majority of your responsibilities remain unchanged. As the UK-GDPR is functionally identical to the EU-GDPR, the majority of your legal duties (having a legal basis for data processing, abiding by the GDPR principles, etc.) are identical.
- Personal data transfers to adequacy countries are still allowed. If you transfer personal data to the EEA and to those countries that were covered by a European Commission adequacy decision, then this is still permitted by the UK-GDPR. Note: The UK will in future make its own adequacy decisions. These may be different to the EU adequacy decisions.
- Standard Contractual Clauses can still be used. For agreements with organisations in countries that are not within the EEA and where you are using EU-SCCs, these can continue to be used. Contracts should still be reviewed to ensure that they reflect the fact that the UK is now not in the EEA.
- UK organisations may need to appoint what is known as an EU-GDPR representative. If you are selling goods or services to the EEA or monitoring the behaviour of EEA citizens, and you do not have a physical presence in the EEA, then you will need to appoint an EU-GDPR representative. This is not a costly exercise and there are services that can be purchased on the Internet. There is a separate section at the bottom of this article that gives more information on this.
- You should review all policies and procedures within your organisation and modify them as necessary. This is to ensure that they reflect the fact that both the UK-GDPR and EU-GDPR now exist.
- If you are receiving personal data from the EEA, then there are two choices, one of which has risks attached.
- You can hope that the UK passes the adequacy assessment by the EU and thus do nothing. If the UK is considered Adequate, then the current contracts will be acceptable. This option has risks. If the UK is not deemed Adequate in several months from now, it shortens the time that you will have left to ensure contracting is correct.
- You can decide that the UK will not pass the Adequacy assessment by the EU and prepare for this outcome. You would need to work with the EEA companies who send personal data to you (these could be controllers or joint controllers) to change the current contracts that you have. This is to ensure that the appropriate safeguards are in place (as the UK would be deemed a third country), e.g. by use of the SCCs.
- Receiving personal data from non-EEA countries.
- The UK authorities are working with non-EEA countries and territories to make specific arrangements for transfers to the UK.
- If this is not achieved then UK organisations may need to comply with the sender’s local laws.
- Binding Corporate Rules (BCRs). This normally only applies to large organisations.
- If BCRs already exist then these will need to be re-authorised by the ICO under the UK GDPR.
- Organisations with BCRs should immediately consider their next steps and request a re-authorisation from the ICO. This must be completed by 30th June 2021.
- In any case, the BCRs must be changed to recognise that the UK is now a third country and not part of the EEA.
Will the UK Pass the EU's Adequacy Assessment?
The UK may not pass the Adequacy Assessment. Some people may expect that, as the UK has adopted functionally identical privacy laws to the GDPR, an adequacy decision can be taken for granted; this may not be the case. A good example of a failure is the United States' Privacy Shield program. Until mid-2020, US companies could rely on their participation in the Privacy Shield program to be considered Adequate. An EU legal case, called Schrems II, meant that Privacy Shield was scrapped (you can read about this here). Now, Privacy Shield cannot be relied upon, and all companies that were relying on it have to use the SCCs or equivalent protections to transfer data.
Privacy Shield failed because it was found that the US Government could use its national laws associated with systemic monitoring to access the personal data of EU citizens, and Privacy Shield did not protect against this. It is currently understood that the UK also undertakes a form of systemic monitoring of personal data that would include EU citizens. The EU gave the UK a warning about this in October 2020 (read about it here). This did not matter when the UK was in the EU, but the UK is not in the EEA now. Thus, the UK may not be considered adequate for this reason.
This is a difficult decision to make. Do you embark on what could be substantial work to change contracts that, if the UK is deemed Adequate, is then wasted, or do you hope that the UK is deemed adequate and thus not start any contract work until Adequacy (or not) is determined?
This is not legal advice, but a suggested approach could be:
- Audit the number of contracts that may have to be changed.
- Identify the amount of work likely to be needed to change each contract.
- Speak with the EEA organisations that you currently transfer data with and estimate the duration of any contract change. I.e., how long would it take to agree the new contract? This could involve agreeing to SCCs and any other controls deemed necessary.
- Once you have this information then you can determine how long you could be prepared to wait for the adequacy assessment of the UK to take before kicking off a re-contracting process. For example, if you believe that you could change all contracts within two months, then you can afford to wait until the end of February (end of April if the extra two months of transition is allowed) before commencing the re-contracting process.
There are always risks in dealing with contracts so adequate contingency time should be put in place. In addition, legal resources could be an issue due to all companies wanting to do the same activity at the same time; plan this into your legal team’s schedules.
The Information Commissioner's Office currently recommends that you proceed down the re-contracting route now and then desist if the UK is deemed Adequate. This is clearly the least risky route, but it will consume resources that, should the UK be deemed Adequate, will be wasted time, effort and of course cost. Each organisation should make its own risk assessment given the above information and decide on the approach that it wishes to take.
More details on EU-GDPR Representation
If you are a business that does not have a physical presence in the EEA, but you process data on anyone in the EEA (more than occasionally) or you monitor the behaviour of EEA citizens, you will probably have to appoint an EU-GDPR representative. If you are selling goods or services to people/companies within the EEA, this will apply to you.
- The definition of what is ‘occasional’ has not been quantified. You should make a judgment for your own organisation.
- There are some exceptions for the appointment of an EU GDPR Representative but the majority of commercial organisations who sell into the EEA on a normal ongoing basis and do not have a physical presence in the EEA will need to appoint an EU-GDPR Representative.
- The role of the EU-GDPR representative is to act as the main point of contact for your business for any data subjects (EEA citizens) whose data you hold. Additionally, the EU-GDPR representative will liaise with the data protection regulators in the EEA where necessary. This is to ensure that EEA-based data subjects can have any data protection issues with the data that you hold on them handled within the EU.
You should review the need for EU-GDPR representation for your business and act as necessary.
Tacita will provide further newsletters on the Brexit transition when more details are clarified. This article is not meant to constitute legal advice. You should always consult your lawyers. For more detailed information please email at firstname.lastname@example.org