Personal data flows from the EU/EEA to the UK after Brexit
On Friday 19 February 2021, the European Commission published draft UK data adequacy decisions. The decisions need to be officially approved by the EU member states and the Commission, following the opinion of the European Data Protection Board (EDPB).
This guidance will be updated once the approval process has been finalised.
This guidance is relevant for UK lawyers who process the personal data of European Union (EU)/European Economic Area (EEA) citizens after the end of the transition period on 31 December 2020.
The outward flow of data from the UK to the EU/EEA remains unaffected since the UK government has determined that it considers all EU 27 and EEA member states to be adequate for the purposes of data protection.
You should make sure that you're familiar with the basic features of General Data Protection Regulation (GDPR) compliance and understand:
- the personal data you process
- where it comes from
- the supply chains you're part of
- whether you're a controller, joint controller or processor in relation to that data
The fundamentals of compliance with the current data protection regime are set out in our guidance on GDPR for solicitors.
The UK left the EU on 31 December 2020, which marked the end of the transition period.
From 1 January 2021, the UK-EU relationship is regulated by the EU-UK Trade and Cooperation Agreement (TCA).
The TCA includes a bridging mechanism for data flows until the end of April 2021 (which can be prolonged until the end of June 2021) (article FINPROV.10A).
During this period, the transfers of personal data from the EEA to the UK will continue as during the transition period.
The bridging mechanism is conditional. This means that if the UK makes any changes to the application of the Data Protection Law Enforcement Directive (LED) or GDPR as implemented in UK national law (UK GDPR) without the agreement of the EU-UK Partnership Council, the mechanism no longer applies.
The mechanism was put in place so that the EU can complete its assessment of whether the UK data protection regime is broadly equivalent to the EU's. The assessment is the basis for the adequacy decisions.
The mechanism will end when:
- the European Commission approves the adequacy decisions in accordance with article 36(3) LED and article 45(3) GDPR,
- either side abrogates the agreement, or
- the EU does not approve the draft adequacy decisions before 30 June 2021
If data adequacy is approved by the European Commission
If the adequacy decisions are approved, further safeguards or authorisations covering transfers from the EU/EEA to the UK will not be needed (except for compliance with relevant laws and regulations).
If data adequacy is not approved
If the adequacy decisions are not approved, anyone transferring personal data from the EU/EEA to the UK will do so on a third-country basis.
Firms will need to put in place one of the additional safeguards set out in article 46 GDPR. These include:
- binding corporate rules (BCRs)
- standard contractual clauses (SCCs)
- certification and codes of conduct
In the absence of adequacy approval, article 49 GDPR lists derogations available to those wishing to transfer EU/EEA personal data to a third country.
To prepare for this possibility, processors in the UK should make sure they understand their data supply chain, and whether and how they might be eligible to rely on a derogation in the absence of an appropriate safeguard.
The EDPB has advised that derogations be interpreted strictly (see below).
Steps that you should take now
It's still uncertain if and when the draft adequacy decisions might be approved. Even if approved, the decisions are subject to review and legal challenge.
While the bridging mechanism is in place, there are several steps that you should consider taking.
Check the guidance
You should consult all available guidance from relevant regulators, in particular the UK Information Commissioner's Office's information rights at the end of the transition period FAQs and guidance from the European Data Protection Board (EDPB).
You should also regularly check our website for updated guidance.
You'll need to take appropriate actions to demonstrate your/your firm's efforts to comply with the relevant data protection regime after the end of the transition period.
You can do this by:
- devoting proportionate and reasonable resources to identifying risk associated with your international data transfers
- mitigating that risk with the appropriate mechanism (such as data subject consent, SCCs, BCRs, or certification and codes of conduct)
- supporting this with governance, internal controls and staff training
Review EEA data flows
You should review your data flows from the EEA, including:
- transfers of personal data from the EEA to the UK
- onward transfers of that data from the UK to third countries
Consider local privacy laws
If you have an office in another EU country or process EU personal data, you should consider other aspects of local privacy laws in that country, as the GDPR allows for local variations (for example, in relation to processing of special categories of data).
Nominate a lead supervisory authority
If you have offices in other EU states and have nominated the ICO as your lead supervisory authority (LSA) under the consistency mechanism (section 2 of chapter VII), you'll have to nominate another EU regulator as your LSA for EU personal data.
Your LSA should be chosen in accordance with GDPR requirements.
Appoint an EU representative
If you do not have an office in another EU state, but intend to process EU personal data, you may need to appoint an EU representative and update your privacy notices to include their contact details.
Review privacy policies
You should review your privacy policies so that clients are informed of the movements of their personal data in and outside of the EU.
Review appropriate safeguards
You should consider the possibility that the draft adequacy decisions are not approved.
Review which of the safeguards set out in articles 46, 47 and 49 of the GDPR is best suited to the needs of your firm. We discuss these safeguards below.
Standard contractual clauses (SCCs)
The standard contractual clauses (SCCs) contain contractual obligations on you (the data exporter) and the receiver (the data importer).
They also contain rights for the individuals whose personal data is transferred which can then be directly enforced by them against the data importer and the data exporter.
SCCs can only apply between parties that are in a position to conclude a contract with each other.
They cannot be used in certain instances, for example where there are joint controllers or a group of undertakings engaged in joint economic activity.
There are currently three sets of SCCs:
- two for EU/EEA controller to non-EU/EEA controller
- one for EU/EEA controller to non-EU/EEA processor
As noted below, the European Commission published its draft proposal for the revised SCCs on 10 November 2020. This has yet to be adopted.
The guidance below looks at the position based on the current SCCs.
If at present your firm relies on SCCs in transferring EU personal data outside of the EEA to another controller or a processor outside the EEA, you should consider putting in place a new mechanism for that transfer.
Alternatively, you may wish to consider changing your firm's data flows in relation to EU personal data so that it's transferred from an EU data exporter directly to a non-EEA/non-UK data importer under an appropriate data transfer mechanism (for example, SCCs).
However, while SCCs can allow UK-based organisations to continue to receive EU personal data, unless further measures are put in place by UK data exporters, it's not sufficient to allow them to transfer EU citizens’ personal data onwards to a third country that does not have an EU adequacy decision. Many UK data controllers at present rely on the SCCs in transferring EU personal data outside the EEA to another controller or a processor.
After the end of the bridging period, this mechanism, although sufficient for transfers outside the UK of UK personal data (in so far as UK law is concerned), will no longer apply to EU personal data. That is because UK organisations will cease to be data exporters within the meaning of the GDPR and of other EU member states’ privacy laws.
In cases where the UK organisation processes EU personal data as a data processor, this issue might be solved by executing the 2010 SCCs with the EU-established data controller and having the non-EEA-based third party to which the UK organisation transfers EU personal data 'join' the SCCs as a sub-processor.
When the UK organisation acts as a data controller of EU personal data, under the 2004 controller-to-controller SCCs, it cannot transfer EU personal data onwards to a third-party controller established outside the EEA unless certain conditions are satisfied, one of which is that the third party must become a signatory to the SCCs.
However, this route is not possible when the UK organisation is a data controller and the third party established outside the EEA is a data processor of EU personal data. Therefore, another mechanism (for example, data subject consent) will need to be found to allow UK data controllers to transfer EU personal data onwards to a non-EEA data processor.
EU Commission draft proposal for revised SCCs
You should be aware, however, that the European Commission published its draft proposal for the revised SCCs on 10 November 2020.
These cover transfers from:
- controller to controller
- controller to processor
- processor to controller
- processor to processor
These are yet to be finalised and adopted by the Commission. Once adopted, organisations will have 12 months to replace their SCCs with the new ones. Until then, current SCCs apply.
The considerations above apply to the current SCCs and do not take into account these revised draft SCCs.
Following the judgment in Schrems II (July 2020), the European Data Protection Board (EDPB) updated its guidance on the application of the SCCs: see its recommendations on measures that supplement transfer tools to ensure compliance and the European essential guarantees for surveillance measures.
The judgment maintains the validity of the SCCs but imposes a higher level of due diligence on exporters and importers of personal data from the EEA.
The ICO has announced that it will publish its own guidance.
NOYB, the organisation founded by Max Schrems, has also published guidance for EU companies.
Binding corporate rules (BCRs)
Multinational businesses can adopt binding corporate rules (BCRs) under article 47 GDPR. These allow organisations to transfer personal data from the EEA within their group outside the EEA.
The BCRs need to be approved by a relevant supervisory authority. The ICO will remain the supervisory authority in the UK and will approve the UK BCRs.
However, organisations operating within the EEA that have relied on EU BCRs approved by the ICO will need to have those EU BCRs approved by their lead supervisory authority in the EEA.
The Schrems II judgment also applies to the BCRs. This is because organisations need to demonstrate a higher degree of due diligence with regard to the law and practice of the country into which data are transferred regardless of the transfer mechanism.
Existing binding corporate rules (BCRs) will remain good practice to demonstrate compliance with the GDPR.
Derogations
Article 49 lists derogations for specific situations. These include:
- explicit consent
- fulfilling a contractual obligation
- public interest
- exercise or defence of legal claims or vital interests of the data subject
Derogations are still a valid transfer mechanism.
However, the EDPB advises that the use of derogations be interpreted restrictively so that the exception does not become a rule.
If your firm’s processing relied on consent obtained while the UK was a member of the EU, you should consider obtaining it again, as it’s unclear at the moment whether UK businesses relying on consent in processing EU personal data will be able to continue to do so after the end of the bridging mechanism.
You should closely examine the consent language to see if it specifically covers the transfer of personal data obtained outside the EEA.
Bilateral agreements with EU member states
EU member states do not have the competence to unilaterally grant adequacy decisions to third countries.
The UK cannot form bilateral agreements with member states on the cross-border transfer of data in areas governed by EU law, or in relation to databases governed by EU law.
GOV.UK technical notice on using personal data in your business or other organisation during and after the transition period (published 31 December 2020, last updated 10 March 2021)
EDPB recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data – version for public consultation (January 2020)
EDPB information note on data transfers under the GDPR to the United Kingdom after the transition period (adopted December 2020, updated January 2021)