UPDATE: Firms should actively prepare for the implications of a "no-deal" Brexit on the cross-border transfer of personal data
Update 05/01/2021: Since the time of writing, the UK government and the EU negotiating team have agreed the terms of a trade deal (see summary here). Under that deal, personal data will flow freely from the EU and EEA EFTA states to the UK until adequacy decisions are adopted, and for no more than six months. This transitional finding of adequacy means that businesses will not need to use standard contractual clauses, binding corporate rules or the other limited derogations set out below to import personal data from the EU. However: UK businesses who offer goods or services to individuals in the EU, or monitor the behaviour of individuals located in the EU, must still appoint a representative unless one of the exemptions to doing so applies (our article on appointing a representative can be found here); and the ICO still recommends that UK businesses work with their EU and EEA counterparts on such transfer mechanisms as a precaution to safeguard the flow of personal data to the UK (see here).
The free flow of personal data across borders between EU member states has been the standard for many decades now. Brexit will, however, impact these arrangements. Firms that conduct their business in the EU face uncertainty over how they can transfer the personal data of EU data subjects back into the UK.
The UK is currently deemed to be an EU member state as part of the transition arrangements. However, that status will end on 31 December 2020 at 11 pm ("exit day") and the UK will be a "third country" (i.e. a non-EU state) for the purpose of EU laws, including the data protection regime under the EU's General Data Protection Regulation 2016 ("the GDPR").
Standard Contractual Clauses and the Adequacy Decision
As at the date of writing, the UK and the EU are busy negotiating up to the wire to secure a deal. Part of that deal will need to address the UK's status as regards the processing of EU data subjects' personal data. Ministers in the Department for Culture, Media and Sport and a director at the EU Exit Data Protection Negotiation Hub in October both signalled their optimism and confidence that the European Commission ("EC") will grant the UK an adequacy decision (referred to generally in this article as an "adequacy decision") before the end of the transition period; but as 1 January 2021 fast approaches, we have to question whether this is a real possibility.
If no adequacy decision is granted before the end of the year, the UK Government has assured businesses that they can continue to freely send personal data from the UK to EU and EEA member countries. However, the EC has made it clear that it will not return the favour in respect of personal data flows from EU businesses to the UK.
If there is no deal (or if the deal does not include an adequacy decision), the UK will be a third country with no adequacy decision in place, and the GDPR will apply to any UK firms seeking to do business in the EU. The GDPR will also govern any transfers of EU data subjects' data out of the EU, whether such transfers are by UK or EU businesses. Such businesses will need to ensure that "adequate safeguards" are in place to govern any transfer of personal data to the UK.
This includes using either:
- contracts based on the current suite of EU Standard Contractual Clauses ("SCCs") with counterpart customer and supplier businesses in the EU;
- binding corporate rules which cover the UK-based company as part of an international group of companies that share personal data across the group. If these were in place before the exit date, these will continue to be effective; but note that these would need to be updated to reflect that the UK would be a third country; or
- one of the other limited derogations.
What about the reverse, i.e. the position as regards cross-border transfers of UK data subjects' personal data? The UK Government has said that when the UK leaves the EU, it will still be permitted for UK data subjects' personal data to be transferred from the UK to the EU (for example to EU service providers), although this will be kept under review. UK-based businesses looking to continue transferring personal data outside of the UK and the EU (for example to the USA) will have to implement "adequate safeguards", as previously. However, this would be governed by UK data protection law, which retains the current version of the GDPR.
For transfers from a country that has the benefit of an EU adequacy decision (e.g. Canada and Israel and others), the position is not yet as clear. The UK's Information Commissioner's Office ("ICO") expects that the UK Government will begin the process of making alternative arrangements for transfers between these countries and the UK. Until these are made, UK-based businesses will need to ensure that they comply with the requirements of those countries, in line with their laws on transferring personal data.
Schrems II: the invalidation of EU-US Privacy Shield and additional requirements alongside Standard Contractual Clauses
The decision of the European Court of Justice ("ECJ") in the landmark case of Maximillian Schrems v Data Protection Commissioner (C-362/14) (the so-called Schrems II decision) declared the EU-US Privacy Shield arrangements between the EU and the USA to be invalid.
The ECJ found that the protections provided for in the Privacy Shield framework are not sufficient to address the freedoms with which security and law enforcement agencies can access EU data subjects' data. However, the ECJ went further and said that the SCCs themselves may not be sufficient to protect the personal data of EU data subjects when processed in third countries. Businesses will need to perform due diligence to establish whether the protections that SCCs are designed to provide will be respected in the jurisdictions to which the data is being transferred. This will require additional due diligence and in particular consideration of local laws in those jurisdictions.
The European Data Protection Board followed this and on 11 November 2020 published guidance to assist controllers and processors in complying with the ECJ's decision: businesses relying on SCCs must conduct a risk assessment of the transfer and, if necessary, implement "supplementary measures" to protect the data in the recipient country.
Note that these additional due diligence requirements apply equally to the use of SCCs to transfer personal data to the US or indeed to any third country (which will of course now include the UK).
Version 2 of the SCCs
It gets even more complicated! The European Commission published a new set of draft SCCs ("SCCs v2") in the first half of November 2020. The SCCs v2 have been drafted to address some of the historic concerns (including the absence of processor to processor SCCs) and they also provide additional safeguards following the concerns raised in Schrems II.
The drafts closed for consultation on 10 December. We do not have a timeline for the formal ratification of the final versions by EC decision. However, it may well be in pretty short order in 2021.
There is a "sunset provision" in the draft EC implementing decision which gives businesses one year to replace any existing SCCs with the new SCCs v2.
If the burden of Brexit on UK businesses was not already enough, they will now find that they will have to put in place the current SCCs and then end up having to replace them within a year.
Opening an office in the EU or appointing a representative
Businesses that process the personal data of EU data subjects that do not otherwise have an establishment in an EU member state may also have to appoint a third party as their "appointed representative" in the EU. See further here.
Organisations should identify existing relationships, including those with suppliers and group companies, which involve the international transfer of personal data. Companies should review any relevant international transfer provisions and/or mechanisms and assess whether any amendments may be needed to cater for Brexit.
In many contracts and privacy policies, there will be references to transfers of personal data within or outside the EEA or EU. Of course, once the UK leaves the EU at the end of March, personal data would inevitably be processed outside the EEA or EU and this would contradict any such provisions. Businesses should ensure that such documentation is updated in light of Brexit.