End of transition period guidance: EU data flows
This guidance sets out the implications for legal services’ EU data flows from the expiry of the transition period.
- for UK lawyers involved in cross-border data flows with EU counterparties and clients
- in the event that data adequacy is approved by the EU Commission, and in the event that it is not
The UK left the EU on 31 January 2020 and is now within a transition period which lasts until 31 December 2020. Until that date, EU law continues to apply within the UK.
Therefore, cross-border transfers of personal data are still regulated by instruments under the EU law, namely:
- General Data Protection Regulation (GDPR)
- Law Enforcement Directive (LED)
Note that according to Article 71 of the Withdrawal Agreement, UK organisations that received personal data from the EU until the end of the transition period will have to apply the GDPR to that ‘stock of data’ rather than UK law after the end of the period. EU law will also apply to data processed on the basis of the Agreement.
After the end of the transition period, the UK will be considered as a ‘third country’ under EU rules. Anyone transferring personal data from the EU/EEA to the UK will do so on a third country basis, with or without an adequacy decision by the European Commission regarding the UK.
The UK Government has already determined that it considers all EU 27 and EEA member states to be adequate for the purposes of data protection, ensuring that data flows from the UK to the EU/EEA remain unaffected.
In the event that data adequacy is approved by the EU Commission
Transfers from the EU to the UK with an adequacy decision do not require any additional safeguards or an authorisation (except for compliance with relevant laws and regulations).
An adequacy decision is an implementing act adopted according to the examination procedure set out in Article 5 of Regulation (EU) No 182/2011.
This assessment is carried out by the Commission and informed by the EU’s national data protection authorities, a model that is broadly maintained by the GDPR and LED. It’s important to note that adequacy can apply to an entire country but also to specific sectors.
It’s possible that the UK will not benefit from an adequacy decision of the European Commission. The Commission is under no obligation to make this decision in favour of the UK. In any case, obtaining an adequacy decision may take a long time.
The process starts with a proposal from the Commission. Before the decision can be adopted, the following are then required:
- an opinion of the European Data Protection Board
- approval from the representatives of all EU states, and
- official adoption of the decision by the Commission
It’s important to note that the most recent adequacy decision (New Zealand) took the EU four years to adopt.
In the event that data adequacy is not approved
Organisations may rely on safeguards set out in the GDPR. These include binding corporate rules (BCRs), standard contractual clauses (SCCs), certification and codes of conduct, and derogations (the latter applying to EU data exporters only).
Standard contractual clauses (SCCs)
There are currently three sets of SCCs approved by the European Commission:
- two for EU/EEA controller to non-EU/EEA controller
- one for EU/EEA controller to non-EU/EEA processor
These have not yet been updated to reflect the GDPR. Moreover, following the judgment in Schrems II (July 2020) updated guidance on their application has not yet been released.
Many organisations already rely on the SCCs in their international business operations. However, SCCs cannot be used in all circumstances.
SCCs can only be used between parties that have concluded a contract with each other. They cannot be used in certain instances, for example where there are joint controllers or a group of undertakings engaged in joint economic activity.
However, while SCCs could allow UK-based organisations to continue to receive EU personal data, they will not on their own be sufficient to allow those organisations (whether acting as a data controller or a data processor) to transfer EU personal data (personal data to which the GDPR and member state privacy laws apply) onwards to a third country that does not have an EU adequacy decision, unless further measures are put in place. Many UK data controllers at present rely on the SCCs in transferring EU personal data outside the EEA to another controller or a processor.
After the end of the transition period, this mechanism, although sufficient for transfers outside the UK of UK personal data (in so far as UK law is concerned), will no longer apply to EU personal data. That is because UK organisations will cease to be data exporters within the meaning of the GDPR and of other EU member states’ privacy laws.
In cases where the UK organisation processes EU personal data as a data processor, this issue might be solved through the execution of the 2010 SCC with the EU-established data controller, and having a non-EEA based third-party, to which the UK organisation transfers EU personal data, to ‘join’ the SCC as a sub-processor.
When the UK organisation acts as a data controller of EU personal data, under the 2004 controller-to-controller SCCs, it cannot transfer EU personal data onwards to a third-party controller established outside the EEA unless certain conditions are satisfied, one of which is that the third party must become a signatory to the SCCs.
However, this route is not possible when the UK organisation is a data controller and the third party established outside the EEA is a data processor of EU personal data.
Therefore, another mechanism (for example, data subject consent) will need to be found to allow UK data controllers to transfer EU personal data onwards to a non-EEA data processor.
Binding corporate rules (BCRs)
One of the available options for multinational businesses would be to adopt BCRs, in accordance with Article 47 of the GDPR. These allow organisations to transfer personal data from the EEA within their group outside the EEA.
The BCRs need to be approved by a relevant supervisory authority. However, after the end of the transition period the Information Commissioner’s Office (ICO) will no longer be the relevant supervisory authority (see more details in the section below).
Note also that although the above-mentioned Schrems II judgment concerned the validity of the SCCs only, its conclusions also apply to BCRs, as organisations will likewise be required to demonstrate a higher degree of due diligence with regard to the law and practice of the country into which data are transferred.
Codes of conduct and certification mechanisms
Organisations in the UK may wish to consider adopting, through their trade association or representative body, approved codes of conduct or certification mechanisms together with enforceable and binding rules on the controller or processor.
These instruments may also take time and substantial resources to adopt. If the process has already been started, it would still be worthwhile to proceed with implementing a code of conduct, even if that process is not complete by December 2020, as progress would demonstrate compliance with best practice to the relevant regulator.
Article 49 of the GDPR lists derogations for specific situations. These include:
- explicit consent
- fulfilling a contractual obligation
- public interest
- exercise or defence of legal claims or vital interests of the data subject
Steps that you should take in the absence of the adequacy decision
Ahead of the end of the transition period, there are several steps that you should consider taking.
You should consult all available guidance from relevant regulators, in particular the ICO’s ‘Information rights at the end of the transition period’ FAQs and the relevant guidance from the European Data Protection Board (EDPB).
You should also regularly check our website for updated guidance.
You will need to take appropriate actions to demonstrate your/your firm’s efforts to ensure compliance with the relevant data protection regime after the end of the transition period. You can do this by:
- devoting proportionate and reasonable resources to identifying risk associated with your international data transfers
- mitigating that risk with the appropriate mechanism such as data subject consent, SCCs, BCRs, or certification and codes of conduct
- supporting this with the necessary governance, internal controls and staff training
You should review your data flows from the EEA. This includes transfers of personal data from the EEA to the UK and onward transfers of that data from the UK to third countries (in particular where contracts include clauses where transfer of data outside of the EU is prohibited).
If you have an office in another EU country or process EU personal data, you should consider other aspects of local privacy laws in that country, as GDPR allows for local variations (for example, in relation to processing of special categories of data).
If you have offices in other EU states and have nominated the ICO as your lead supervisory authority (LSA) under the consistency mechanism (Section 2 of Chapter VII of the GDPR), you will need to consider nominating another EU regulator as your LSA for the EU personal data. Your LSA should be chosen in accordance with the GDPR requirements.
If you do not have an office in another EU state, but will process EU personal data, you may need to appoint an EU representative and update your privacy notices to include their contact details.
You should review your privacy policies so that clients understand the movements of their personal data in and outside of the EU.
You should review which of the safeguards (as set out in Articles 46, 47 and 49 of the GDPR) is best suited to the needs of your firm (see the details in the section below).
Standard contractual clauses
If at present your firm relies on the SCCs for some or all of its international transfers, note that there will be updated guidance on the use of SCCs following the CJEU judgment in Schrems II.
The judgment maintains the validity of the SCCs but also imposes a higher level of due diligence on exporters and importers of personal data from the EEA. You should, therefore, keep an eye on the guidance from the ICO and guidance from the EDPB.
NOYB, the organisation of Max Schrems, has also published guidance for EU companies.
If at present your firm relies on SCCs in transferring EU personal data to another controller or a processor outside the EEA, you should consider putting in place a new mechanism for that transfer.
Alternatively, you may wish to consider changing your firm’s data flows in relation to EU personal data so that it is transferred from an EU data exporter directly to a non-EEA/non-UK data importer under an appropriate data transfer mechanism (for example, SCCs).
See the SCCs on the European Commission website. Note that they’ve not yet been updated to reflect the GDPR and may still be updated in the coming weeks or months. Until they are updated, they still apply.
Binding corporate rules
Existing binding corporate rules (BCRs) will remain good practice to demonstrate compliance with the GDPR.
However, if your firm relies on BCRs which have been approved by the ICO as the lead supervisory authority, you will have to choose a supervisory authority within the EEA in order to continue relying on this transfer mechanism. This is because the ICO will cease to be a competent supervisory authority after the end of the transition period.
Also note that you’ll need to change the lead supervisory authority for your BCRs before the end of the transition period.
See the EDPB’s statement, Information Note on Binding Corporate Rules with UK SA as Lead Authority.
Although implementing a BCR takes a long time and requires substantial resources, if the process has already been launched, it would still be worthwhile to proceed with implementing BCRs even if the process is not complete by the end of December 2020, as progress would demonstrate compliance with best practice to the relevant regulator.
If your firm’s processing relies on consent obtained while the UK was still a member of the EU, you should consider obtaining it again, as it’s unclear at the moment whether UK businesses relying on consent in processing EU personal data can continue to do so after the end of the transition period.
This applies in cases where the consent was obtained when the UK was still a member of the EU and does not specifically cover the transfer of personal data outside the EEA.
You should closely examine the consent language to see whether it specifically covers the transfer of that personal data outside the EEA.
Derogations are still a valid transfer mechanism. However, the EDPB advises that the use of derogations be interpreted restrictively so that the exception does not become a rule.
Bilateral agreements with EU member states
Member states do not have the competence to unilaterally grant adequacy decisions to third countries.
The UK would not be able to form bilateral agreements with member states on the cross-border transfer of data in areas governed by EU law, or in relation to databases governed by EU law.
UK Government Technical Notice: Using personal data in your business or other organisation during and after the transition period (published 6 February 2019, last updated 2 October 2020)
ICO guidance: Data protection after the end of the transition period
European Commission’s Notice to stakeholders: Withdrawal of the UK and EU rules in the field of data protection (6 July 2020)