By Kim Walker, partner and data protection specialist at law firm Shakespeare Martineau.
At 11pm on 31 December the Brexit transition period will end and, as an EU Regulation, the GDPR will no longer be part of UK law. The UK will however adopt it into UK national law, meaning that from the New Year the UK GDPR and the EU GDPR will co-exist separately. What will this mean for UK businesses and what should they be doing now to ensure personal data of their customers, suppliers and others can continue to flow lawfully into and out of the UK without disruption?
The UK GDPR and the EU GDPR may diverge over time as the UK Government and courts take decisions without being obliged to follow EU precedents, but from 1 January the two regimes will be substantially identical. Unfortunately, this does not mean that data can continue to flow unimpeded from the EU to the UK as it has up to now, because that can only happen if the European Commission formally decides that the UK, no longer a member state of the EU, has data protection laws which are adequate to protect the data protection and privacy rights of EU citizens. Transfers in the other direction, from the UK to the EU, are unaffected, because the UK Government has confirmed that it will continue to recognise the EU GDPR as adequate.
This adequacy decision by the European Commission, which would allow UK and EU data protection laws to work in harmony, was expected in 2020, but has now been delayed. Even though the UK GDPR and the EU GDPR are virtually identical, the European Commission has concerns about some of the UK’s other laws, such as the Government’s right to access mass communications data for national security purposes, and its membership of the Five Eyes intelligence network which the European Commission fears may, among other things, result in EU data ending up in the US.
Not yet having an adequacy decision introduces a number of complexities for UK businesses to tackle once the transition period ends. The foremost of these will be that if a UK business wants to access the data of people in the EU, or wants to receive personal data from the EU, then this will be prohibited unless prescribed additional safeguards are first put in place to protect the data transfer.
It is possible that, if a trade deal with the EU is agreed before the end of the year, it may include a six month rollover of the existing adequacy position. If not, and the UK does not receive a formal decision by the end of the transition period, then transfers of personal data from the EU (or strictly speaking the European Economic Area (EEA), which is the EU plus Iceland, Liechtenstein and Norway) to the UK will be treated in exactly the same way as transfers to the US or any other third country without an adequacy decision. This means that such transfers will be prohibited (subject to very limited exceptions) unless the exporting organisation ensures that the appropriate data protection safeguards are in place.
The way businesses normally safeguard data is by agreeing, via a contract incorporating certain approved EU Standard Contractual Clauses, that the importing company will treat the data in accordance with GDPR principles and will allow EU data subjects to enforce the clauses if necessary. This is what UK businesses now need to be doing if they want their business with customers, employees and suppliers in the EU to continue unaffected by Brexit.
They should also be identifying key international data flows. For example, they should consider whether the business uses any data processors in the EU, such as HR or payroll companies, whether it has a sales office in the EU sending leads back to the UK, and whether it has a parent or subsidiary company in the EU. If so, the business needs to ensure the appropriate Standard Contractual Clauses, or one of the other less commonly used safeguards, are in place.
Until the Schrems II Decision of the European Court in July 2020, this would have been a relatively simple process of “papering” the transfers with the clauses. However, the European Court has made it clear in that decision that the clauses alone may not be sufficient to safeguard EU personal data, if the laws of the importing country include supervening government or national security powers to seize data. Therefore, businesses now need to carry out due diligence on the local laws (including those in the UK) and put supplementary measures in place where possible to mitigate the additional legal risks. Possible measures could include encrypting or pseudonymising all personal data, adding contractual provisions in processor agreements, and ensuring the clauses regarding government seizure orders are resisted and minimised as far as possible. Advice from lawyers with experience of how best to deal with these risks will often be required.
Dealing with cross-border data transfers to ensure they remain lawful post-Brexit should be the priority. However, there are other steps to be taken too. Documents such as Privacy Notices, processor agreements and employment contracts should be reviewed to ensure references to the EU (or EEA) are altered as necessary to refer separately to the UK, and to ensure the correct legislation (UK or EU GDPR, and Data Protection Act 2018) is referred to.
Since the Schrems II Decision has invalidated the US-EU Privacy Shield, references to that should be removed from the Privacy Notice, as it is no longer a way to legitimise transfers of personal data to the US. UK businesses which sell to customers in the EU but don’t have a base there are also required by the EU GDPR to appoint an EU representative in a member state to provide a point of contact for EU data subjects and supervisory authorities.
Unless, and until, the EU provides the UK with its adequacy decision, the data protection landscape has the potential to be a challenge to navigate for UK businesses, with differing laws and a need for various safeguards to be in place. In our digital world, cross-border data transfer has become an essential part of business, so all companies, big and small, must prepare for the new regime in the New Year to ensure these changes cause as little disruption as possible.