Data flows after Brexit - actions required
Following the end of the transition period on 31st December 2020 the UK became a Third Country in the eyes of the EU and thus transfers of personal data need to be looked at differently. In general, transfers of personal data from the EU to a Third Country are required under the GDPR to be protected by safeguards in order to ensure “essential equivalence” with EU data protection standards. There are various options in order to comply, as follows:
An adequacy decision in favour of the Third Country, awarded by the EU, indicating that the data protection regime of that Third Country offers equivalent protection to individuals to that offered under EU regulations
Standard Contractual Clauses (SCCs) approved by the EU which commit data exporters and importers to agreed, robust standards of protection
Binding Corporate Rules (BCRs) which can be used by companies for international data transfers between their entities
Certain derogations which I won’t go into here because they can only be used in exceptional circumstances
It was always unlikely that the UK would secure an adequacy decision by 31st December, and there was concern that any business offering goods or services, or monitoring the behaviour of EU individuals, would need to implement SCCs immediately after 31st December.
The good news is that under the UK-EU Trade Agreement finalised on 24th December, whilst adequacy was not awarded, the EU allowed a grace period of up to 6 months from 1st January whereby personal data can continue to flow freely from the EU to the UK without the need for further safeguards. The grace period (known in the agreement as the ‘specified period’) will end sooner if an adequacy decision is awarded before 30th June 2021. The UK government has already agreed that data can continue to flow freely from the UK to the EU.
On 19th February 2021 the EU Commission issued a draft adequacy decision in favour of the UK. This was encouraging news but it was only a draft decision. At the end of May, MEPs expressed concern and requested clarification on some key issues around UK data protection, in areas such as enforcement and exemptions, onward data transfers to Third Countries, and government access to personal data. The concern around onward transfers is a tricky one because there are those within the EU who fear that organisations could potentially use the UK as a ‘back-door’ into the USA in particular, thus circumventing the Schrems 2 ruling.
In my own opinion the government has not helped the situation by announcing at this sensitive stage, its intention to award further adequacy decisions to countries currently not in receipt of adequacy from the EU, and additionally, to vary our data protection legislation from that of the GDPR. It may have been more prudent to await our own formal adequacy decision first!
Indeed the ICO recommend UK companies put alternative safeguards in place as a precaution. It would therefore be sensible for any organisations that offer goods or services or 'monitor the behaviour' of EU individuals to get SCCs in place for example, as soon as possible. Just to clarify what is meant by “monitoring behaviour” Recital 24 of the GDPR states that “In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
My advice for any companies meeting the above criteria is to prepare SCCs, make some minor adjustments to your documentation to reflect changes in the legislative landscape e.g., the Data Protection Act 2018 and the UK GDPR so that you are well prepared and fully compliant.
If you require help with your data protection compliance including preparation of SCCs, then feel free to contact us.
Nick Richards CIPP/E
Updated June 2021