There are a number of practical steps that organisations (both controllers and processors) should consider taking in relation to data protection compliance after the end of the transition period. These steps must be considered carefully on a case-by-case basis and we would be pleased to discuss any aspect of this Guide with you in more detail.
What will happen to GDPR?
The General Data Protection Regulation (GDPR) is an EU Regulation and, after the end of the transition period, will no longer apply in the UK. However, the Government has introduced legislation, in the form of the EU (Withdrawal) Act 2018 and The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which will, in effect, preserve the GDPR in UK law, albeit with amendments for the UK context. This separate law has been called 'UK GDPR' to differentiate it from the existing GDPR. UK-based organisations that also have an establishment in the EEA, or that process the personal data of individuals based in the EEA, will need to continue to comply with the actual GDPR, as it has extra-territorial effect in certain circumstances.
Accordingly, organisations that do business in the UK and the EEA will need to navigate and comply with two regulatory regimes, 'UK GDPR' and the actual GDPR. These regimes will approach data protection from a similar set of principles and objectives and, in many areas, no separate action will be required. However, there may be divergences that will need to be taken into account and there are a number of important issues to consider, in particular, in relation to flows of personal data. Organisations may also find that they are at risk of enforcement actions or complaints in several jurisdictions across the EEA and/or the UK (either by regulatory authorities or by individuals) arising out of the same incident.
Transfer of personal data
The free flow of personal data between the EEA and the UK is an issue of critical importance for most organisations. At the end of the transition period, the UK will be treated as a 'third country' for the purposes of personal data flows from the EEA, unless and until an adequacy decision from the European Commission (Commission) is in place in relation to the UK's data protection regime. This could take some considerable time to be agreed, if at all.
To prepare for the risk of the UK not being granted an adequacy decision, you will need to take stock of your international flows of personal data: work out what personal data you have and where you hold it, as well as where you are transferring it to and from. You can then decide upon the appropriate mechanism for your personal data transfer flows. Note that where a customer passes their own personal data to the organisation, this will normally not be regarded as a data transfer, and so these issues will not need to be considered.
In summary, the position for data transfers at the end of the transition period, if the UK does not have an adequacy decision, is as follows:
Transfers of personal data from the UK to the EEA
These will be able to continue unrestricted, as now. The UK Government has said that it will continue to recognise EU data protection standards as sufficient (albeit it will keep this under review).
Transfers of personal data from the EEA to the UK
Until an adequacy decision in favour of the UK is in place, transfers of personal data from the EEA to the UK will only be able to occur using:
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- Codes of Conduct and Certification Mechanisms
- Derogations including, for example, explicit consent of the data subject
Whilst the most obvious solution for organisations that want to transfer personal data from the EEA to the UK would have been SCCs, the validity of this mechanism has been called into question following the CJEU's decision in Schrems II. As we discuss here, this has made data transfers from the EEA to non-EEA territories particularly challenging and is being looked at by various data protection authorities as a matter of urgency.
Transfers of personal data from the UK to other jurisdictions
These can continue where the Commission has already adopted adequacy decisions for the relevant jurisdiction. Transfers of personal data from the UK to the US, where many businesses will have relied upon the Privacy Shield before the Schrems II decision, will need to be considered very carefully.
Transfers of personal data from non-EEA jurisdictions to the UK
Where the EU has made an adequacy decision in respect of a particular country, the UK is working with those countries to make specific arrangements for data transfers to continue to flow to the UK. Pending those arrangements, it will be necessary to ensure compliance with local law on the transfer of personal data.
Group Companies and Binding Corporate Rules (BCRs)
In relation to restricted transfers from the UK which are within a corporate group, it may be possible to rely upon BCRs. The UK Government has said it will recognise BCRs that have been authorised under the Commission process before the end of the transition period (the UK will need to be listed as a third country outside the EEA), but it is important to note that there is as yet no indication that the Commission will continue to approve existing BCRs of UK companies. It is important also to note that the effect of the CJEU's decision in Schrems II will be to require existing BCRs to be reassessed, to determine whether appropriate safeguards are in place in respect of the specific transfers involved and whether supplementary measures need to be adopted.
Main establishments and 'One Stop Shop' under GDPR
Under GDPR, EEA-based organisations which carry out processing in more than one EEA state only need to deal with a single regulatory authority as their lead supervisory authority. This is known as the 'One Stop Shop' principle. It means that, for example, there would only be one fine imposed by an authority as a result of an infringement that covered a number of EEA territories, and that single fine would cover the whole EEA.
Non-EEA based organisations cannot rely upon the One Stop Shop principle. However, they may be liable for a breach of GDPR on the basis of its extra-territorial effect in certain circumstances. You should consider what cross-border processing you carry out, as this will affect the extent to which you are subject to the ICO and/or EEA supervisory authorities after the end of the transition period:
Organisations with a main establishment in the UK and establishments in the EEA: You may wish to consider whether any of your establishments in the EEA could be your main establishment, in order to take advantage of the GDPR 'One Stop Shop', and avoid being at risk of regulatory action from multiple EEA regulators. Even if you are able to demonstrate that you have an EEA main establishment, however, where cross-border processing involves the EEA and the UK, you will still be subject to the ICO's jurisdiction, as well as the lead EEA regulator.
Organisations with a main establishment in the UK and no establishments elsewhere in the EEA: you will no longer be able to take advantage of the GDPR 'One Stop Shop'. As GDPR has extra-territorial effect in certain circumstances, you may have to deal with the supervisory authorities in all EEA states where data subjects are located, and whose personal data you process.
EEA and UK representatives
If you are based in the UK and do not have an establishment in the EEA, and you offer goods or services to data subjects in the EEA or monitor their behaviour, you will need to appoint a representative in the EEA, unless you can take advantage of an exception. Exceptions will need to be assessed on a case-by-case basis.
If it is appropriate for you to appoint an EEA representative, you must ensure they are based in an EEA state where at least some of the individuals whose personal data you process are located. You may need to agree an indemnity with the representative, as they are potentially liable for any breaches committed by you under GDPR.
Under the 'UK GDPR', relevant organisations located outside of the UK will need to appoint a UK representative, again subject to a relevant exception applying.
Updates to privacy policies, terms and conditions, terms of business etc
Your Privacy Policies and related documents such as terms and conditions for websites, and terms of business will need to be updated to take into account the various regulatory regimes that you are subject to after the end of the transition period, i.e., GDPR and/or the 'UK GDPR'.
Digital Services Providers and Essential Services
If you are a company operating essential services (e.g., banking, health care, energy and transport) or you are currently providing online marketplaces, online search engines or cloud computing services to those in the EU, you may also need to consider the effect of Brexit on the Network and Information Systems Regulations. The Regulations will continue to apply in the UK after the end of the transition period. As with GDPR, digital service providers will need to consider appointing representatives in the EEA and/or UK as appropriate (see the Government's recent consultation in relation to requiring non-UK based Digital Services Providers to nominate a representative in the UK).
If you would like to discuss any of the issues raised in this Client Guide, please contact a member of our Data Protection team.