When the Brexit transition period drew to a close at the end of 2020, the UK moved to a new data protection regime known as the UK GDPR but that isn’t the end of the story. At the same time, businesses now need to be aware of:
a ‘grace period’ or ‘bridge’ for transfers from the EU/EEA (hereafter ‘the EEA’) to the UK while uncertainty continues over if and when the European Commission will grant an adequacy decision;
new transitional provisions for international transfers from the UK (this time, in UK domestic law); and
a ‘separation’ period under the EU Withdrawal Agreement in respect of legacy data.
Below, we explain these key data protection developments that businesses transferring data to and from the UK should be aware of and recommend how to navigate current uncertainty.
The new UK GDPR
Some of you will already know that the UK has now moved to a formally separate data protection regime set out in the UK GDPR. This results from the retention of the EU GDPR in UK law at the end of the Brexit transition period, and some further adaptations made by UK domestic legislation to enable it to function effectively. The updated text of the UK GDPR can be viewed here.
While the EU GDPR and UK GDPR regimes are extremely similar, they are now entirely separate. Businesses should therefore be alive to the possibility that, depending on their processing activities, both regimes may now apply to them, which may entail additional regulatory obligations. This is particularly important given the risk of dual enforcement action by both the UK Information Commissioner’s Office (“ICO”) and the EEA Data Protection Authorities for non-compliance in future.
If, for example, a business is processing personal data in the context of the activities of an establishment in both the EEA and the UK, or offering goods or services or monitoring behaviour of individuals in both territories, then it will be subject to both regimes. This means, amongst other things, that the business should update its privacy notices and should consider if it needs to appoint an EEA or UK Representative if they fall within scope of the relevant regime and are not established in that territory. If established in the EEA, they should also consider whether or not they may be able to identify a new EEA lead supervisory authority for cross-border processing if the ICO previously fulfilled this role.
If only the UK GDPR now applies to the business, some changes are still required, for example, in how they describe international transfers in their privacy notices. It is important to note that the above should be considered regardless of the grace period for EEA to UK transfers provided by the EU-UK Trade and Cooperation Agreement (“TCA”).
While the UK has deemed the EEA to offer an adequate level of data protection thereby allowing transfers from the UK to those states to continue provided other data protection law requirements are met, the European Commission has not yet made a determination in respect of the UK. Whilst an adequacy decision was not contained in the TCA (and is subject to a separate procedure in the EU GDPR), the TCA does provide for a grace period for EEA to UK transfers. This means that for 4 months (extendable to 6 months unless one of the parties objects) or until an EU adequacy decision in respect of the UK is made, transfers of personal data from the EEA to the UK shall not be considered to be transfers of personal data to a third country.
The grace period offers some relief to the many businesses which had not been able to put in place standard contractual clauses (or other appropriate safeguards) for transfers from the EEA to the UK prior to the end of the Brexit transition period, allowing them more time to take steps to ensure compliance if required. It is subject to certain conditions, including that the UK will not change its arrangements on international transfers without the EU’s agreement during this period.
In terms of progress, we understand that the European Commission’s consideration is progressing but there is as yet no fixed date available for when the outcome will be known. In case no adequacy decision is in place at the end of the grace period, at the time of writing the ICO continues to recommend that businesses put in place appropriate safeguards before the end of April here.
Transfers from the UK to other third countries
Another area of confusion for businesses is in how they can make international transfers from the UK to other third countries. Aside from making the initial finding that the EEA offers an adequate level of data protection, the UK Government has not made any adequacy decisions and neither it nor the ICO have proposed any new standard contractual clauses (“SCCs”) and are precluded from progressing this work without EU agreement during the grace period.
To allow personal data transfers to continue from the UK to other third countries, a series of transitional provisions have therefore been added to the UK Data Protection Act 2018 (the “DPA 2018”) to enable businesses to rely on EU adequacy decisions and SCCs as they applied up until the end of the Brexit transition period for transfers from the UK.
In practice, this means that for transfers to third countries, such as from the UK to the US, aside from undertaking the due diligence required by Schrems II businesses can continue to rely on EU-approved SCCs. However, in line with the DPA 2018, we recommend that modifications are made to the SCCs, for example to refer to the UK rather than the EEA in the drafting. (See further Part 3 of Schedule 21, DPA 2018.)
The ICO has published further guidance for businesses seeking to rely on SCCs for international transfers here.
Please note that the position may become more complicated once the EU adopts new SCCs, which will not automatically be applicable in UK law. The current proposals by the European Commission can be viewed here and a decision is expected soon.
Personal data processed under EU law in the UK prior to the end of the Brexit transition period
Finally, the EU-UK Withdrawal Agreement contains ‘separation provisions’ to set out what happens to personal data processed under EU law in the UK prior to the end of the Brexit transition period or on the basis of the Withdrawal Agreement. This is relevant for businesses as Article 71 indicates that the EU GDPR and other EU data protection law still apply to the processing of such personal data of individuals outside of the UK (e.g. whether in the EEA or elsewhere) unless and until there is an adequacy decision. (For more information, please click here.)
The recent developments described above are seismic shifts in the data privacy landscape and have caused greater uncertainty for businesses. In determining the extent of their obligations and how best to undertake international transfers to and from the UK, businesses should be careful to consider each data protection regime independently, particularly given their extra-territorial effect. Whilst the grace period offers a brief respite to businesses that were not fully prepared for the UK’s withdrawal from the EU, it is clear that this is only a temporary measure. It is crucial to keep abreast of key market developments and act as soon as possible to ensure compliance for the future.