It is two months since the end of the Brexit transition period and therefore a useful time to take stock of some of the key changes that have been implemented in the area of data protection and to look ahead to consider how businesses might need to prepare for some potentially significant changes over the next few months.
UK General Data Protection Regulation (“UK GDPR”)
Since 1 January 2021, the EU GDPR no longer applies in the UK. However, the UK has codified into domestic law many components of EU privacy law. The Data Protection Act 2018 (as now amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) sets up a new regime under the UK GDPR and makes certain administrative changes (for example, by substituting references to EU institutions with UK ones). In practice, the GDPR and the UK GDPR are similar in substance and there are few substantive changes to UK data protection law.
The UK GDPR applies to organisations that are established in the UK, as well as to organisations established outside the UK which offer goods or services to, or monitor the behaviour of, individuals in the UK. If you are a UK business that already complies with the GDPR and has no contacts or customers in the EU, you do not need to do much more to be data protection compliant.
However, while the GDPR and the UK GDPR are currently aligned, they may diverge in the future. The UK Government is currently consulting on a National Data Strategy, which suggests that UK data protection law may be amended in the near future. Businesses that share personal data between the UK and EU should keep an eye on the potential changes, so that they can prepare.
The EU-UK Trade and Cooperation Agreement, which has applied since 1 January 2021, provides a temporary bridging mechanism which allows for the uninterrupted free flow of personal data from the European Economic Area (EEA) to the UK for at least four months, extendable up to six months unless either the EU or the UK objects.
This is to allow time for the European Commission (EC) to complete its adequacy assessment of the UK. The UK government is seeking an adequacy decision, which would allow for seamless data flows from the EEA to the UK without the need for any additional safeguards. However, if adequacy is not granted by the end of the bridging mechanism, the UK will be a ‘third country’ for the purpose of data flows, and transfers from the EEA to the UK will need to comply with EU GDPR transfer restrictions.
If you are a UK business that receives personal data from contacts in the EEA, you may want to consider putting appropriate safeguards in place before the end of April, if you haven’t done so already, to ensure that personal data can continue to flow from the EU to the UK if the bridge ends without adequacy. The most widely-used safeguard is the EU-approved terms known as Standard Contractual Clauses (“SCCs”) – a key tool to ensure the lawful and secure transfer of personal data from within the EEA to ‘third countries’.
The good news is that on 19 February 2021, the EC published two draft adequacy decisions for transfers of personal data to the UK, one under the GDPR, and the other for personal data related to law enforcement under the Law Enforcement Directive. The Information Commissioner, Elizabeth Denham, has hailed the draft adequacy decisions as “an important milestone in securing the continued frictionless data transfers from the EU to the UK”.
However, there is still some way to go. The draft adequacy decisions are now with the European Data Protection Board (EDPB), which will deliver an opinion to the EC. After taking into account the opinion of the EDPB, the EC will request approval from the committee of EU Member State representatives in what is known as the ‘comitology procedure’. If the green light is received from the committee, the EC can proceed to adopt the two adequacy decisions.
Whilst businesses may not wish to incur unnecessary expense in putting alternative transfer mechanisms in place while it remains uncertain whether the adequacy decisions will be adopted, on balance such safeguards will be welcome in the long run if adequacy is not granted to the UK, or if any disruption is caused by a legal challenge to the decisions.
It is worth mentioning that the UK has already determined that the EEA ensures an adequate level of protection, so personal data is permitted to flow freely from the UK to the EEA (although this will be kept under review). For now, therefore, there are no issues with data transfers in the UK-to-EEA direction.
Appointing an EU representative
If you are a UK business with an office, branch or other established presence in the EU, or you offer goods or services to customers in the EU, or monitor the behaviour of individuals in the EU, you need to comply with both UK and EU data protection regulations. You may need to appoint a suitable representative in the EU who will act as your local GDPR representative with individuals and data protection authorities in the EU in respect of these activities.
Bearing in mind the issues covered, we recommend businesses operating in the UK consider the following:
- Data transfers: map your flow of personal data from the EU to the UK and work with your EU affiliates or partners to consider if they need you to put in place any alternative transfer mechanisms to permit you to receive uninterrupted data transfers from the EU to the UK.
- Data protection officers (DPOs): you may continue to have a DPO who covers the UK and the EEA. The UK GDPR and the GDPR both require that any appointed DPO is ‘easily accessible from each establishment’ in the UK and the EEA.
- EU representative: appoint an EU representative if you have an office, branch or other established presence in the EU or your business is offering goods or services, or monitoring the behaviour of individuals in the EU.
- Existing contracts and templates: update terms to include relevant data transfer wording and appropriate referencing to the GDPR and the UK GDPR.
- Privacy notices, DPIAs and other documentation: review internal and external privacy notices to reflect changes to international data transfers, update references to EU law and, where applicable, add details of your UK and/or EU representative.
- Legacy data: the EU GDPR will also apply to ‘legacy data’ collected by UK organisations prior to the end of the transition period. Ensure that your records of processing identify the difference between legacy data that falls under the EU GDPR and data gathered after 1 January 2021 under the UK GDPR.
We will be monitoring the situation as it evolves. For further information or to discuss any data protection queries, please contact James Castro-Edwards, Head of Data Protection at Wedlake Bell (email: firstname.lastname@example.org / telephone: 020 7395 3108).