James Simpson, Partner at Blaser Mills Law, examines the known and unknown outcomes of Brexit for UK firms, and how international data transfers will be altered.
Although the UK left the European Union on 31 January 2020, for practical purposes its relationship with the EU has remained largely unchanged due to the transition period. Since 31 January 2020, both sides have been in negotiations with the aim of agreeing a trade deal. At the time of writing, no such deal has been achieved and businesses are left wondering whether they will be operating under a ‘deal’ or a ‘no-deal’ situation from next year.
For businesses currently grappling with the global coronavirus pandemic it is difficult to know how to prepare for an uncertain future. A survey by the British Chamber of Commerce in September 2020 concluded that there was insufficient information for businesses and that a significant number of its members remained unprepared for a deal/no-deal situation.
One particular area of concern is data protection. The General Data Protection Regulation (GDPR), which was incorporated into UK law from EU law in May 2018, introduced greater protections for the transfer and processing of data and gave individuals more control over when and in what context their data could be used. The Government produced a guide providing more details about the GDPR and its implications for businesses.
From 1 January 2021, the GDPR, along with the Data Protection Act 2018, will become known as EU retained law and will be incorporated into UK legislation. This means that, for the immediate future, the data protections in the UK will remain largely unchanged. The UK Parliament could, in the future, make changes to the legislation. However, this could have consequences for UK/EU trade.
Once the UK leaves the EU, it will become a ‘Third Country’ under the GDPR. This means that the European Commissioner must assess the UK’s data protection regime to determine whether it provides adequate protections for data subjects. Under terms previously agreed, the European Commissioner has agreed to start this assessment shortly after the UK leaves the EU and, if the outcome of the assessment is positive, an ‘Adequacy Decision’ will be issued, thereby allowing data to flow freely from EU member states to the UK. The UK has already issued an ‘adequacy notice’ for the EU, thereby allowing data to flow from the UK to the EU.
However, the “Adequacy Decision” is not guaranteed because the EU has an issue with the UK’s surveillance framework. The same issue has created a problem for the USA, where the “Privacy Shield” provisions that were relied on for data transfers to the USA were recently rendered invalid by the Schrems II decision. This was because of the surveillance activities carried out by the US government, together with concerns over data rights. The EU has similar concerns about surveillance activities in the UK, which could mean that the UK does not get its much needed “Adequacy Decision”.
The Government is now assessing the impact of the Schrems II decision. It is worthwhile noting that even if granted, Adequacy Decisions are subject to periodic review and can be revoked by the European Commission or challenged before the ECJ.
The Information Commissioner’s Office (ICO) will continue to oversee and enforce compliance with the UK’s data protection regime but will no longer sit or take part in EU debates and discussions. The ICO has produced guidance on post-Brexit obligations along with some frequently asked questions.
In the event that the UK leaves the EU without an Adequacy Decision, companies are advised to use standard contractual clauses (known as SCCs). These provide for the protection of data when it is being processed by a third party. The ICO has produced an interactive tool for small and medium businesses to use for this purpose.
With the Schrems II decision, use of SCCs will also require an assessment of the data protection rules in the receiving country. This means that existing SCC arrangements may need to be refreshed. Conversely, transfers from the UK to the EU can continue without additional protections being put in place, as the UK deems that EU countries have an adequate level of data protection.
Groups of companies can also look to binding corporate rules (known as BCRs) that can cover cross-border data transfers within a group. These are unchanged and are a solid foundation for data transfers, but they require approval from the supervisory authority in each member state. Alternatively, groups can use well-drafted data transfer agreements. And, if all else fails, another alternative is to rely on express consent from the data subject for the transfers. However, consents need to be very carefully secured and recorded to ensure that they are valid under the GDPR. Consent can also be withdrawn by the data subject at any time, making this a risky option for a business to rely on.
Finally, businesses need to consider the application of Article 27 GDPR. In some circumstances, this requires a non-EU organisation that does not have an “establishment” in the EU to appoint a “Representative” within the EU in relation to its processing of the data of EU citizens. Presently, in the transition phase, UK organisations do not need to do this. However, when the UK becomes a “Third Country”, and if the requirements are met, UK organisations must have a “Representative” in the EU. The UK is likely to have a similar regime, and so EU organisations may also need to appoint a “Representative” in the UK if they process the data of UK citizens. Hence, organisations need to check if they are affected by this requirement.
It is hoped that things become clearer as we approach the end of the year and a “deal” materialises, but even if it does, cross-border transfers are still going to require consideration because the power blocs around the globe have different views about how data can be used and regulated.
In addition, the Government has produced guidance on using personal data in businesses after the transition date, which organisations may find useful.