
End of transition period guidance: EU data flows

This guidance reflects the grace period set out in the EU-UK Trade and Cooperation Agreement.

This guidance sets out the implications for legal services’ EU data flows from the end of the transition period and into 2021.

It’s relevant:

  • for UK lawyers involved in cross-border data flows with EU counterparties and clients
  • in the event that data adequacy is approved by the EU Commission, and in the event that it is not

The UK left the EU on 31 January 2020 and the transition period expired on 31 December 2020. Until that date, EU law continued to apply within the UK. 

From the end of the transition period, the UK is in general now considered a ‘third country’ under EU rules. However, in the field of data, the UK-EU Trade and Cooperation Agreement grants an effective grace period for data flows. During this period, the EU is expected to complete its data adequacy assessment.

If adequacy is not granted, anyone transferring personal data from the EU/EEA to the UK will do so on a third-country basis.

The UK government has already determined that it considers all EU 27 and EEA member states to be adequate for the purposes of data protection, ensuring that data flows from the UK to the EU/EEA remain unaffected.

See the government guidance on using personal data after Brexit

According to article 71 of the Withdrawal Agreement, UK organisations that received personal data from the EU until the end of the transition period will have to apply the GDPR to that ‘stock of data’ rather than UK law after the end of the period. EU law will also apply to data processed on the basis of the agreement.

Data exchange from 1 January 2021

Data flows can continue without interruptions under the Trade and Cooperation Agreement reached between the EU and the UK. See Part 7 Final Provisions, Art. FINPROV.10A.

From the UK to the EU and EEA

The UK government has already determined that it considers all EU 27 and EEA member states to be adequate for the purposes of data protection, ensuring that data flows from the UK to the EU/EEA remain unaffected.

From the EU to the UK

The right to continue with the exchange of data from the EU to the UK is also covered by the new agreement.

From 1 January, transmission of personal data from the EU to the UK shall not be considered a transfer to a third country under EU law. This means that data transfers can continue without interruption in January.

It should be noted that the agreement provides only a temporary relief: the data exchange provisions will be in effect for a period of four months from 1 January 2021. This period allows time for the EU to adopt adequacy decisions in relation to the UK under Article 36(3) of Directive (EU) 2016/680 and Article 45(3) of Regulation (EU) 2016/679.

If the adequacy decisions are adopted before the four months have elapsed, the agreement provisions cease to be in force and the adequacy decision enters into force. If more time is needed, the period can be extended from four months to six months unless one of the parties objects.

This continuation of the data exchange mechanism is conditional, so that if the UK makes any changes to the application of the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), as implemented in UK national law, without the agreement of the Joint Council, the agreement no longer applies.

In the event that data adequacy is approved by the EU Commission

Transfers from the EU to the UK with an adequacy decision do not require any additional safeguards or an authorisation (except for compliance with relevant laws and regulations).

An adequacy decision is an implementing act adopted according to the examination procedure set out in article 5 of Regulation (EU) No 182/2011.

This assessment is carried out by the Commission and informed by the EU’s national data protection authorities, a model broadly maintained by the GDPR and LED.

Adequacy can apply to an entire country but also to specific sectors.

It’s possible that the UK will not benefit from an adequacy decision of the European Commission. The Commission is under no obligation to make this decision in favour of the UK. In any case, obtaining an adequacy decision may take a long time.

The process starts with a proposal from the Commission. To conclude its decision, the EU then needs the following:

  • an opinion of the European Data Protection Board
  • approval from the representatives of all EU states
  • official adoption of the decision by the Commission

The most recent adequacy decision (New Zealand) took the EU four years to adopt.

In the event that data adequacy is not approved

Organisations may rely on safeguards set out in the GDPR. These include:

  • binding corporate rules (BCRs)
  • standard contractual clauses (SCCs)
  • certification and codes of conduct
  • derogations (applying to EU data exporters only)

Standard contractual clauses (SCCs)

There are currently three sets of SCCs:

  • two for EU/EEA controller to non-EU/EEA controller
  • one for EU/EEA controller to non-EU/EEA processor

However, the European Commission published the draft proposal for the revised SCCs on 10 November. These cover transfers from:

  • controller to controller
  • controller to processor
  • processor to controller, and
  • processor to processor

These are yet to be finalised and adopted by the Commission. Organisations will have 12 months to replace their SCCs with the new ones. Until then, current SCCs apply.

Moreover, following the judgment in Schrems II (July 2020), the European Data Protection Board (EDPB) has updated its guidance on the application of the SCCs: see its recommendations on measures that supplement transfer tools to ensure compliance and the European essential guarantees for surveillance measures.

The considerations below apply to the current SCCs and do not take into account the revised draft SCCs from November 2020.

Many organisations already rely on the SCCs in their international business operations. However, SCCs cannot be used in all circumstances.

SCCs can only apply between parties that are subject to the conclusion of a contract. They cannot be used in certain instances, for example where there are joint controllers or a group of undertakings engaged in joint economic activity.

However, while SCCs could allow UK-based organisations to continue to receive EU personal data, they will not by themselves be sufficient to allow those organisations, whether acting as a data controller or a data processor, to transfer EU personal data (personal data to which the GDPR and member state privacy laws apply) onwards to a third country that does not have an EU adequacy decision, unless further measures are put in place. Many UK data controllers at present rely on the SCCs in transferring EU personal data outside the EEA to another controller or a processor.

After the end of the transition period, this mechanism, although sufficient for transfers outside the UK of UK personal data (in so far as UK law is concerned), will no longer apply to EU personal data. That is because UK organisations will cease to be data exporters within the meaning of the GDPR and of other EU member states’ privacy laws.

In cases where the UK organisation processes EU personal data as a data processor, this issue might be solved through the execution of the 2010 SCC with the EU-established data controller, and having a non-EEA based third-party, to which the UK organisation transfers EU personal data, to ‘join’ the SCC as a sub-processor.

When the UK organisation acts as a data controller of EU personal data, under the 2004 controller-to-controller SCCs, it cannot transfer EU personal data onwards to a third-party controller established outside the EEA unless certain conditions are satisfied, one of which is that the third party must become a signatory to the SCCs.

However, this route is not possible when the UK organisation is a data controller and the third party established outside the EEA is a data processor of EU personal data.

Therefore, another mechanism (for example, data subject consent) will need to be found to allow UK data controllers to transfer EU personal data onwards to a non-EEA data processor.

Binding corporate rules (BCRs)

One of the available options for multinational businesses would be to adopt BCRs, in accordance with Article 47 of the GDPR. These allow organisations to transfer personal data from the EEA within their group outside the EEA.

The BCRs need to be approved by a relevant supervisory authority. However, after the end of the transition period the Information Commissioner’s Office (ICO) will no longer be the relevant supervisory authority (see more details in the section below).

However, although the above mentioned Schrems II judgment concerned the validity of the SCCs only, its conclusions also apply to the BCRs as organisations will also be required to demonstrate a higher degree of due diligence with regard to the law and practice of the country into which data are transferred.

Codes of conduct and certification mechanisms

Organisations in the UK may wish to consider adopting, through their trade association or representative body, approved codes of conduct or certification mechanisms together with enforceable and binding rules on the controller or processor.

These instruments may also take time and substantial resources to adopt. If the process has already been started it would still be worthwhile to proceed with implementing a code of conduct, even if that process is not complete by December 2020, as progress would demonstrate compliance with best practice to the relevant regulator.

Derogations

Article 49 lists derogations for specific situations. These include:

  • explicit consent
  • fulfilling a contractual obligation
  • public interest
  • establishment
  • exercise or defence of legal claims or vital interests of the data subject

Steps that you should take in the absence of the adequacy decision

Ahead of the end of the transition period, there are several steps that you should consider taking.

You should consult all available guidance from relevant regulators, in particular the UK ICO Information rights at the end of the transition period FAQs and the relevant guidance from the European Data Protection Board (EDPB).

You should also regularly check our website for updated guidance.

You will need to take appropriate actions to demonstrate your/your firm’s efforts to ensure compliance with the relevant data protection regime after the end of the transition period. You can do this by:

  • devoting proportionate and reasonable resources to identifying risk associated with your international data transfers
  • mitigating that risk with the appropriate mechanism such as data subject consent, SCCs, BCRs, or certification and codes of conduct
  • supporting this with the necessary governance, internal controls and staff training

You should review your data flows from the EEA. This includes transfers of personal data from the EEA to the UK and onward transfers of that data from the UK to third countries (in particular where contracts include clauses where transfer of data outside of the EU is prohibited).

If you have an office in another EU country or process EU personal data, you should consider other aspects of local privacy laws in that country, as GDPR allows for local variations (for example, in relation to processing of special categories of data).

If you have offices in other EU states and have nominated the ICO as your lead supervisory authority (LSA) under the consistency mechanism (Section 2 of Chapter VII), you will need to consider nominating another EU regulator as your LSA for the EU personal data. Your LSA should be chosen in accordance with the GDPR requirements.

Read the guidelines on the LSA

If you do not have an office in another EU state, but will process EU personal data, you may need to appoint an EU representative and update your privacy notices to include their contact details.

Read guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

You should review your privacy policies so that clients understand the movements of their personal data in and outside of the EU.

You should review which of the safeguards (as set out in articles 46, 47 and 49 of the GDPR) is best suited to the needs of your firm (see the details in the section below).

Standard contractual clauses

If at present your firm relies on the SCCs for some or all of its international transfers, note that the EDPB has recently updated its guidance on the use of SCCs following the CJEU judgment in Schrems II.

The judgment maintains the validity of the SCCs but also imposes a higher level of due diligence on exporters and importers of personal data from the EEA.

The ICO has not yet published its own guidance; it is expected in due course.

NOYB, the organisation of Max Schrems, has also published guidance for EU companies.

If at present your firm relies on SCCs in transferring EU personal data from outside of the EEA to another controller or a processor outside the EEA, you should consider putting in place a new mechanism for that transfer.

Alternatively, you may wish to consider changing your firm’s data flows in relation to EU personal data so that it is transferred from an EU data exporter directly to a non-EEA/non-UK data importer under an appropriate data transfer mechanism (for example, SCCs).

See the SCCs on the European Commission website.

However, the Commission has recently published a revised draft of the new SCCs (to reflect the GDPR and the requirements of the Schrems II judgment). These are still open for consultation and would need to be approved by the Commission and EU member states.

Once approved, organisations will have 12 months to replace their existing SCCs. Until then, current SCCs will apply.

Binding corporate rules

Existing binding corporate rules (BCRs) will remain good practice to demonstrate compliance with the GDPR.

However, if your firm relies on BCRs which have been approved by the ICO as the lead supervisory authority, you have to choose a supervisory authority within the EEA in order to continue relying on this transfer mechanism. This is because the ICO will cease to be the competent supervisory authority after the end of the transition period.

Also note that you’ll need to change the lead supervisory authority for your BCRs before the end of the transition period.

See the EDPB’s statement, Information Note on Binding Corporate Rules with UK SA as Lead Authority.

Although implementing a BCR takes a long time and requires substantial resources, if the process has already been launched, it would still be worthwhile to proceed with implementing BCRs even if the process is not complete by the end of December 2020, as progress would demonstrate compliance with best practice to the relevant regulator.

Consent

In case your firm’s processing relies on consent obtained while the UK is still a member of the EU, you should consider obtaining it again, as it’s unclear at the moment whether UK businesses relying on consent in processing EU personal data can continue to do so after the end of the transition period.

This applies in cases where the consent was obtained when the UK was still a member of the EU and does not specifically cover transfer of personal data outside the EEA.

You should closely examine the consent language to see if it specifically covers the transfer of personal data obtained outside the EEA.

Derogations

Derogations are still a valid transfer mechanism. However, the EDPB advises that the use of derogations be interpreted restrictively so that the exception does not become a rule.

Bilateral agreements with EU member states

Member states do not have the competence to unilaterally grant adequacy decisions to third countries.

The UK would not be able to form bilateral agreements with member states on the cross-border transfer of data in areas governed by EU law, or in relation to databases governed by EU law.

Resources

Standard contractual clauses (SCCs)

Proposal for revised standard contractual clauses (SCCs)

UK government technical notice on using personal data in your business or other organisation during and after the transition period (published 6 February 2019, last updated 2 October 2020)

ICO guidance on data protection after the end of the transition period

European Commission’s Notice to stakeholders: Withdrawal of the UK and EU rules in the field of data protection (6 July 2020)

C-111/18, Judgment of the Court (Grand Chamber) of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems

EDPB guidelines on the lead supervisory authority

EDPB guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

ICO statement on Schrems II judgment

EDPB FAQs on the Schrems II judgment

EDPB recommendations 02/2020 on the European essential guarantees for surveillance measures

EDPB recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data - version for public consultation

Updated ICO statement on recommendations published by the European Data Protection Board following the Schrems II case

NOYB’s (organisation of Max Schrems) guidance for EU companies

EDPB statement: Information note on binding corporate rules with UK SA as lead authority

EDPB guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679