Business after Brexit: Navigating Data Protection
Top Post-Brexit Data Protection Considerations
The UK officially left the European Union (EU) at 11:00 pm on 31 January 2020. However, as part of the Withdrawal Agreement with the EU to help the UK transition away from EU membership, EU law continued to apply to the UK as if it were still a Member State until the end of 31 December 2020. On 24 December 2020, the EU and UK reached the Trade and Cooperation Agreement (TCA), which applies as of 1 January 2021. From this time, the UK and EU became two distinct regulatory, legal and customs territories. The result of this is we now have two separate parallel data protection regimes – one for the EU and one for the UK.
Set out below are the top implications concerning data protection which organisations should be considering now that the UK is no longer part of the EU.
1. Map data flows – How do we know which arrangements include cross-border processing?
You should map your organisation's international flows of data (including transfers between the EEA and the UK) in order to assess what action to take in respect of transfers of personal data outside the UK.
The Information Commissioner's Office (ICO) recommends that you prioritise mapping data flows for transfers of large volumes of data, special category data, criminal convictions data and any business-critical transfers of data.
If transferring personal data outside the UK to third countries, you should put in place appropriate safeguards so that such transfers continue lawfully after 1 January 2021 (see point 2 below for transfers from the EEA to the UK).

2. EEA to UK transfers of personal data – What safeguards should we now have in place?
After 1 January 2021, the UK is considered a "third country". Under the TCA, the UK and the EU have agreed a "bridging" period of four months (with an additional two-month extension available by agreement) from 1 January 2021 permitting the flow of personal data from the EEA to the UK without any additional safeguards. The intention is that before the end of this period the European Commission (EC) will grant the UK adequacy status.
If your organisation transfers personal data from the EEA to the UK, you should prepare for the possibility that the EC may not grant the UK adequacy by taking steps now to implement appropriate data transfer safeguards before the end of the "bridging" period.
One of the safeguards available to you under the General Data Protection Regulation 2016/679 (GDPR) is to enter into the EC's approved Standard Contractual Clauses (SCC). If you choose to implement the SCC to enable transfers of personal data from the EEA to the UK, you should consider whether any further requirements are needed as a result of the recent Schrems II decision (see point 3 below).

3. Schrems II – Do we need to undertake a transfer risk assessment?
The decision of the European Court of Justice in the Schrems II case requires organisations that transfer personal data to third countries to carry out case-by-case risk assessments of whether the relevant third country's law offers a level of personal data protection that is essentially equivalent to that provided in the EU.
This requirement does not apply to third countries that are already recognised by the EC as providing adequate data protection. The EC currently recognises Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. Therefore, unless the EC grants the UK adequacy before the end of the "bridging" period (see point 2 above), you will also need to conduct a risk assessment in respect of any transfers of personal data your organisation makes from EEA Member States to the UK.

4. EU-US Privacy Shield – Is the EU-US Privacy Shield still a valid safeguard for data transfers from the UK to the US?
The decision in Schrems II found the EU-US Privacy Shield to be invalid. This means it is no longer a lawful way to transfer personal data from either the EU or the UK to the US.
This decision will form part of UK law, and therefore you need to consider what other measures, such as the SCC, should be put in place to cover transfers from the UK to the US to ensure that such transfers continue to be lawful. The same risk assessment as discussed at point 3 above should also be conducted in respect of these UK-US transfers.

5. EU representative – Do we need to appoint an EU representative?
UK-based organisations that do not have an establishment in the EEA, but which either (i) offer goods and/or services to individuals in the EEA, or (ii) monitor the behaviour of individuals in the EEA, will need to appoint a European representative in one of the EU Member States of those individuals.
This EU representative may be an individual or a company. The representative must be physically based in the EU, and be authorised to act on your organisation's behalf (including dealing with relevant data supervisory authorities) with respect to compliance with EU data protection law.

6. Customer documentation – Do we need to update our privacy notices?
You should update your organisation's privacy notices and other data subject-facing documents (such as standard terms and conditions) to provide details of your EU representatives, refer to the UK as a third country and make reference to either UK data protection law or EU data protection law, as appropriate.

7. Internal documentation – Do we need to update our policies and procedures?
You should review and update your organisation's internal data protection policies, procedures and records, such as data breach notification procedures and data protection impact assessments, to reflect changes to international transfers and supervisory authority notification requirements.

8. Data Protection Officers – Should we change our Data Protection Officer?
If your organisation was required to have a Data Protection Officer (DPO) prior to 1 January 2021, it will continue to be required to have a DPO. If your DPO is based in the UK, you should review whether your DPO can continue to be "easily accessible" to each EU establishment, the relevant supervisory bodies and EU data subjects. Official guidance recommends that an organisation's DPO should be located in the EU, unless the DPO's activities can be carried out more effectively outside the EU.

9. EU supervisory authorities – Will the ICO remain our organisation's lead supervisory authority?
From 1 January 2021, the ICO is no longer an EU supervisory authority. If your organisation currently has the ICO as its lead supervisory authority, you should identify an EU supervisory authority if your organisation continues to maintain an EEA establishment and engage in cross-border processing after 31 December 2020. That EU supervisory authority is likely to be your organisation's lead supervisory authority now that the transition period has ended.
If a complaint was made before 1 January 2021, and your organisation's lead supervisory authority was the ICO at that time, the ICO will continue to be the authority investigating and bringing any enforcement action in relation to that complaint. In these circumstances, a supervisory authority in another EU Member State will provide input, but would not be able to bring separate enforcement action.

10. Is EU data protection law still applicable in the UK?
The EU data protection legal and regulatory framework will continue to apply after 1 January 2021 for UK organisations that either offer goods or services in the EU or monitor the behaviour of EU data subjects. The ICO has confirmed that organisations should continue to follow its current guidance regarding compliance with EU data protection law.
If you require further information or if you need tailored advice, please do get in touch with your usual Ashurst contact, or any of the people listed below.
A key point to note is that there are now two independent (albeit mostly parallel) data protection regimes for businesses operating within the UK and EU. Businesses will need to ensure that they have considered their respective obligations under both regimes now and going forward.
Gita Shivarattan, Counsel
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.