The end of the transition period will bring about additional layers of complexity for UK organisations’ compliance with data protection law. The relevant changes will come into force at 11pm on 31 December 2020. Some of them will apply to all UK organisations, for example in relation to cross-border transfers of personal data and the requirements to update data protection documentation. Others will be specific to those organisations that have presence in the EU or carry out certain activities involving EU individuals. In this article, we look at what is changing and how UK organisations should prepare.
The extent of the changes will depend on whether the European Commission grants the UK an adequacy decision before the end of the transition period. Adequacy decisions are granted to countries outside the EEA which the European Commission deems to provide an essentially equivalent level of protection for EU personal data. An adequacy decision would be the best-case scenario for UK organisations, as it would allow the free flow of personal data from the EEA to the UK to continue, eliminating a significant burden of additional compliance and related costs.
Given that securing an adequacy decision before the end of the transition period seems increasingly unlikely, UK organisations should continue their preparations for a non-adequacy scenario.
- What is changing (and what is not)
Law: three different data protection regimes
The UK GDPR
The GDPR will be retained in domestic law at the end of the transition period as the ‘UK GDPR’ and will apply to all UK organisations processing personal data. The Data Protection Act 2018, which introduced the GDPR framework, will remain in place, as will the Privacy and Electronic Communications Regulations. From this perspective the day-to-day data protection obligations on UK organisations will hardly change.
The EU GDPR
The GDPR will continue to apply in EU Member States and will be referred to as the EU GDPR from 1 January 2021. The EU GDPR will apply to some UK organisations with links to the EU (i.e. those with an establishment in the EU, or those that process the personal data of EU individuals when offering them goods or services or monitoring their behaviour). These organisations will have to comply with both the UK GDPR and the EU GDPR. The processing of UK personal data will be covered by UK data protection law, and EU data processing activities will be governed by the EU GDPR (and the relevant national data protection laws).
‘EU legacy data’
Additionally, in the no-adequacy scenario, the Withdrawal Agreement grants special protection to non-UK citizens’ personal data which was transferred to the UK before the end of the transition period (or will be processed pursuant to the Withdrawal Agreement). Such ‘EU legacy data’ will have to be processed in accordance with the GDPR as in force on 31 December 2020 and any new caselaw from the European Court of Justice may continue to apply.
This will put UK organisations in a complicated situation, where they will be legally obliged to process different categories of personal data under effectively three different legal regimes (UK law, EU law, and EU law as on 31 December 2020). Initially, the practical consequences will be limited as UK data protection law will remain essentially aligned with EU law (in terms of data subjects’ rights, principles and obligations on organisations processing data). However, the UK will have the independence to keep its data protection framework under review, meaning that over time it may diverge from European law. If the UK law were to diverge substantively from the EU GDPR, this application of
A recent report from UCL European Institute estimates that post-Brexit restrictions to EEA-UK personal data flows in a no-adequacy scenario may cost UK organisations on aggregate between £1bn and £1.6bn. These costs could be especially threatening to small and medium enterprises, which will be the least well-resourced to deal with the additional compliance burden.
- UK’s status as a third country and impact on personal data flows
At the end of the transition period, the UK will become a ‘third country’ in relation to the EEA and, in the absence of an adequacy decision, the UK will officially become an unsafe jurisdiction for EU personal data. Personal data flows between the EEA and the UK will become ‘restricted transfers’ under the EU GDPR and the UK GDPR. The UK government has confirmed that personal data flows from the UK to the EEA will not require any additional safeguards (as part of a provisional ‘adequacy decision’) and there will be no changes to the way organisations send personal data to the EEA. The EU GDPR’s restrictions on the free flow of personal data will, however, apply to data transfers from the EEA to the UK. This means that unless a derogation applies (which may be the case only in very limited circumstances), additional safeguards will be required to send personal data from the EEA to the UK. This new compliance burden will fall on EU data exporters, but UK organisations will be required to cooperate to ensure that personal data can continue to flow lawfully.
For most organisations, unless a derogation applies, the best (or the only) way to keep data flowing is by signing the standard contractual clauses (SCCs) adopted by the European Commission. In light of the CJEU ruling in the Schrems II case in July this year, SCCs will need to be accompanied by a ‘data transfer impact assessment’ and, on the basis of such an assessment, organisations may need to put in place additional technical, contractual or organisational safeguards. For more information on the additional measures required to legitimise international transfers of personal data and the new (improved) SCCs expected to be finalised by the European Commission at the beginning of 2021, please see our article ‘Changes to international data transfers’ here.
- Supervisory authority
The ICO will remain the supervisory authority in the UK. However, to the extent that the EU GDPR applies to UK organisations (see above), processing governed by the EU GDPR will be supervised by the relevant European data protection regulator. This means that at the end of the transition period, some UK organisations processing EU personal data may find themselves exposed to regulatory scrutiny from multiple national regulators. This may include enforcement actions from both the ICO and its European counterparts. If, for example, a UK organisation suffers a personal data breach which affects both UK and European data, both the ICO and the relevant European regulator(s) may need to be notified. Where a UK charity has establishments in more than one EU country, it will need to decide which European regulator should be its ‘lead supervisory authority’.
- EU Representative (Article 27 GDPR)
A separate compliance requirement, applicable to some of those UK organisations that will need to comply with the EU GDPR, is the ‘representative obligation’. Article 27 of the GDPR stipulates that organisations which are not established in the EU but offer goods and services to EU citizens (even for free) or monitor their behaviour (for example, through cookies and other online trackers) must have a ‘representative in the Union’ unless an exemption (for occasional, low-risk processing) applies. This requirement will apply even if the UK is granted adequacy recognition. In practice, it means that after the transition period many UK organisations that systematically process EU personal data may need to appoint a representative with an EU postal address, who can correspond with EU regulators and data subjects. This will impose an additional burden on many smaller organisations without an international presence.
- What action do you need to consider now?
The impact of Brexit on UK organisations’ data protection compliance will differ depending on the nature of their links with the EU.
All UK organisations will need to:
- Identify flows of personal data from the EEA (e.g. from their service providers and partners).
- Engage with their EEA counterparts, consider whether they can rely on derogations under the EU GDPR for any transfers of personal data to the UK (this will be the case only in very limited circumstances) and, if not, implement the safeguards required to legitimise EEA-UK data transfers (SCCs and, if required, additional measures).
- Update relevant data protection documentation (for example privacy notices, privacy policies and/or protocols, records of processing and DPIAs) to implement any (mainly minor) changes that will be required at the end of the transition period. For example, references to EU legislation will need to be replaced with references to the new UK legislation and, where relevant, privacy notices will need to include details of a representative in the EU.
- Be aware that special rules may apply to personal data of ‘non-UK citizens’ processed up to the end of the transition period or processed pursuant to the Withdrawal Agreement (‘EU legacy data’).
We have produced a Brexit readiness tool for organisations which can be found here.
- In addition to the above, UK organisations with a certain presence in the EU:
- Will need to assess whether, post-Brexit, their processing of EU personal data will trigger the application of EU data protection laws and how to satisfy any new requirements.
- Should assess which national regulators will supervise their processing activities. They should be cognisant of the fact that in some cases, e.g. in the case of a cross-border data breach, they will need to liaise with multiple supervisory authorities. It may be prudent to re-assess their risks and to amend their internal procedures and training.
- Organisations with establishments in several European countries will need to select a ‘Lead Supervisory Authority’ in the EU.
- Organisations that don’t have an establishment in the EU might need to appoint a representative in the EU, unless an exemption (for occasional, low-risk processing) applies.