
Personal data flows from the EU/EEA to the UK after Brexit

On Friday 19 February 2021, the European Commission published draft UK data adequacy decisions. The decisions need to be officially approved by the EU member states and the Commission, following the opinion of the European Data Protection Board (EDPB).

This guidance will be updated once the approval process has been finalised.

This guidance is relevant for UK lawyers who process the personal data of European Union (EU)/European Economic Area (EEA) citizens after the end of the transition period on 31 December 2020.

The outward flow of data from the UK to the EU/EEA remains unaffected since the UK government has determined that it considers all EU 27 and EEA member states to be adequate for the purposes of data protection.

You should make sure that you're familiar with the basic features of General Data Protection Regulation (GDPR) compliance and understand:

  • the personal data you process
  • where it comes from
  • the supply chains you're part of
  • whether you're a controller, joint controller or processor in relation to that data

The fundamentals of compliance with the current data protection regime are set out in our guidance on GDPR for solicitors.

Background

The UK left the EU on 31 December 2020, which marked the end of the transition period.

From 1 January 2021, the UK-EU relationship is regulated by the EU-UK Trade and Cooperation Agreement (TCA).

The TCA includes a bridging mechanism for data flows until the end of April 2021 (which can be prolonged until the end of June 2021) (article FINPROV.10A).

During this period, the transfers of personal data from the EEA to the UK will continue as during the transition period.

The bridging mechanism is conditional. This means that if the UK makes any changes to the application of the Data Protection Law Enforcement Directive (LED) or GDPR as implemented in UK national law (UK GDPR) without the agreement of the EU-UK Partnership Council, the mechanism no longer applies.

The mechanism was put in place so that the EU can complete its assessment of whether the UK data protection regime is broadly equivalent to the EU's. The assessment is the basis for the adequacy decisions.

The mechanism will end when:

  • the European Commission approves the adequacy decisions in accordance with article 36(3) LED and article 45(3) GDPR,
  • either side abrogates the agreement, or
  • the EU does not approve the draft adequacy decisions before 30 June 2021

If data adequacy is approved by the European Commission

If the adequacy decisions are approved, further safeguards or authorisations covering transfers from the EU/EEA to the UK will not be needed (except for compliance with relevant laws and regulations).

If data adequacy is not approved

If the adequacy decisions are not approved, anyone transferring personal data from the EU/EEA to the UK will do so on a third-country basis.

Firms will need to put in place one of the additional safeguards set out in article 46 GDPR. These include:

  • binding corporate rules (BCRs)
  • standard contractual clauses (SCCs)
  • certification and codes of conduct

In the absence of adequacy approval, article 49 GDPR lists derogations available to those wishing to transfer EU/EEA personal data to a third country.

To prepare for this possibility, processors in the UK should make sure they understand their data supply chain, and whether and how they might be eligible to rely on a derogation in the absence of an appropriate safeguard.

The EDPB has advised that derogations be interpreted strictly (see below).

Steps that you should take now

It's still uncertain if and when the draft adequacy decisions might be approved. Even if approved, the decisions are subject to review and legal challenge.

While the bridging mechanism is in place, there are several steps that you should consider taking.

Check the guidance

You should consult all available guidance from relevant regulators, in particular the UK Information Commissioner's Office's information rights at the end of the transition period FAQs and guidance from the European Data Protection Board (EDPB).

You should also regularly check our website for updated guidance.

Demonstrate compliance

You'll need to take appropriate actions to demonstrate your/your firm's efforts to comply with the relevant data protection regime after the end of the transition period.

You can do this by:

  • devoting proportionate and reasonable resources to identifying risk associated with your international data transfers
  • mitigating that risk with the appropriate mechanism (such as data subject consent, SCCs, BCRs, or certification and codes of conduct)
  • supporting this with governance, internal controls and staff training

Review EEA data flows

You should review your data flows from the EEA.

This includes:

  • transfers of personal data from the EEA to the UK
  • onward transfers of that data from the UK to third countries

Consider local privacy laws

If you have an office in another EU country or process EU personal data, you should consider other aspects of local privacy laws in that country, as the GDPR allows for local variations (for example, in relation to processing of special categories of data).

Nominate a lead supervisory authority

If you have offices in other EU states and have nominated the ICO as your lead supervisory authority (LSA) under the consistency mechanism (section 2 of chapter VII), you'll have to nominate another EU regulator as your LSA for EU personal data.

Your LSA should be chosen in accordance with GDPR requirements.

Read the guidelines on the LSA

Appoint an EU representative

If you do not have an office in another EU state, but intend to process EU personal data, you may need to appoint an EU representative and update your privacy notices to include their contact details.

Read guidelines 3/2018 on the territorial scope of the GDPR (article 3)

Review privacy policies

You should review your privacy policies so that clients are informed of the movements of their personal data in and outside of the EU.

Review appropriate safeguards

You should consider the possibility that the draft adequacy decisions are not approved.

Review which of the safeguards set out in articles 46, 47 and 49 of the GDPR is best suited to the needs of your firm. We discuss these safeguards below:

The standard contractual clauses (SCCs) contain contractual obligations on you (the data exporter) and the receiver (the data importer).

They also contain rights for the individuals whose personal data is transferred which can then be directly enforced by them against the data importer and the data exporter.

SCCs can only apply between parties that are subject to the conclusion of a contract.

They cannot be used in certain instances, for example where there are joint controllers or a group of undertakings engaged in joint economic activity.

There are currently three sets of SCCs:

  • two for EU/EEA controller to non-EU/EEA controller
  • one for EU/EEA controller to non-EU/EEA processor

Read the SCCs on the European Commission website

See the ICO’s template on the SCCs

As noted below, the European Commission published its draft proposal for the revised SCCs on 10 November 2020. This has yet to be adopted.

The guidance below looks at the position based on the current SCCs.

If at present your firm relies on SCCs in transferring EU personal data from outside of the EEA to another controller or a processor outside the EEA, you should consider putting in place a new mechanism for that transfer.

Alternatively, you may wish to consider changing your firm's data flows in relation to EU personal data so that it's transferred from an EU data exporter directly to a non-EEA/non-UK data importer under an appropriate data transfer mechanism (for example, SCCs).

However, while SCCs can allow UK-based organisations to continue to receive EU personal data, unless further measures are put in place by UK data exporters, it's not sufficient to allow them to transfer EU citizens’ personal data onwards to a third country that does not have an EU adequacy decision. Many UK data controllers at present rely on the SCCs in transferring EU personal data outside the EEA to another controller or a processor.

After the end of the bridging period, this mechanism, although sufficient for transfers outside the UK of UK personal data (in so far as UK law is concerned), will no longer apply to EU personal data. That is because UK organisations will cease to be data exporters within the meaning of the GDPR and of other EU member states’ privacy laws.

In cases where the UK organisation processes EU personal data as a data processor, this issue might be solved through the execution of the 2010 SCC with the EU-established data controller, and having a non-EEA based third-party, to which the UK organisation transfers EU personal data, to ‘join’ the SCC as a sub-processor.

When the UK organisation acts as a data controller of EU personal data, under the 2004 controller-to-controller SCCs, it cannot transfer EU personal data onwards to a third-party controller established outside the EEA unless certain conditions are satisfied, one of which is that the third party must become a signatory to the SCCs.

However, this route is not possible when the UK organisation is a data controller and the third party established outside the EEA is a data processor of EU personal data. Therefore, another mechanism (for example, data subject consent) will need to be found to allow UK data controllers to transfer EU personal data onwards to a non-EEA data processor.

EU Commission draft proposal for revised SCCs

You should be aware, however, that the European Commission published its draft proposal for the revised SCCs on 10 November 2020.

These cover transfers from:

  • controller to controller
  • controller to processor
  • processor to controller
  • processor to processor

These are yet to be finalised and adopted by the Commission. Once adopted, organisations will have 12 months to replace their SCCs with the new ones. Until then, current SCCs apply.

The considerations above apply to the current SCCs and do not take into account these revised draft SCCs.

Following the judgment in Schrems II (July 2020), the European Data Protection Board (EDPB) updated its guidance on the application of the SCCs: see its recommendations on measures that supplement transfer tools to ensure compliance and the European essential guarantees for surveillance measures.

The judgment maintains the validity of the SCCs but imposes a higher level of due diligence on exporters and importers of personal data from the EEA.

The ICO has announced that it will publish its own guidance.

NOYB, the organisation of Max Schrems, has also published guidance for EU companies.

Multinational businesses can adopt binding corporate rules (BCRs) under article 47 GDPR. These allow organisations to transfer personal data from the EEA within their group outside the EEA.

The BCRs need to be approved by a relevant supervisory authority. The ICO will remain the supervisory authority in the UK and will approve the UK BCRs.

However, in the case of organisations that operate within the EEA, those that have relied on EU BCRs approved by the ICO will need to have their EU BCRs approved by their lead supervisory authority in the EEA.

The Schrems II judgment also applies to the BCRs. This is because organisations need to demonstrate a higher degree of due diligence with regard to the law and practice of the country into which data are transferred regardless of the transfer mechanism.

Existing binding corporate rules (BCRs) will remain good practice to demonstrate compliance with the GDPR.

See the ICO’s updated BCR communication following the EU-UK Trade and Cooperation Agreement (TCA).

See the EDPB’s information note on binding corporate rules with UK SA as lead authority.

Organisations in the UK may wish to consider adopting, through their trade association or representative body, approved codes of conduct or certification mechanisms together with enforceable and binding rules on the controller or processor.

Article 49 lists derogations for specific situations. These include:

  • explicit consent
  • fulfilling a contractual obligation
  • public interest
  • establishment
  • exercise or defence of legal claims or vital interests of the data subject

Derogations are still a valid transfer mechanism.

However, the EDPB advises that the use of derogations be interpreted restrictively so that the exception does not become a rule.

Read the EDPB guidelines on derogations

If your firm’s processing relied on consent obtained while the UK was a member of the EU, you should consider obtaining it again, as it’s unclear at the moment whether UK businesses relying on consent in processing EU personal data will be able to continue to do so after the end of the bridging mechanism.

You should closely examine the consent language to see if it specifically covers the transfer of personal data obtained outside the EEA.

Bilateral agreements with EU member states

EU member states do not have the competence to unilaterally grant adequacy decisions to third countries.

The UK cannot form bilateral agreements with member states on the cross-border transfer of data in areas governed by EU law, or in relation to databases governed by EU law.

Resources

Standard contractual clauses

Proposal for revised standard contractual clauses

GOV.UK technical notice on using personal data in your business or other organisation during and after the transition period (published 31 December 2020, last updated 10 March 2021)

ICO guidance on data protection after the end of the transition period

European Commission’s notice to stakeholders: withdrawal of the UK and EU rules in the field of data protection (July 2020)

C-111/18, Judgment of the Court (Grand Chamber) of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems

EDPB guidelines on the lead supervisory authority

EDPB guidelines 3/2018 on the territorial scope of the GDPR (article 3)

ICO statement on Schrems II judgment

EDPB FAQs on the Schrems II judgment

EDPB recommendations on the European essential guarantees for surveillance measures (February 2020)

EDPB recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data – version for public consultation (January 2020)

ICO statement on recommendations published by the European Data Protection Board following the Schrems II case

NOYB guidance for EU companies

EDPB information note on binding corporate rules with UK SA as lead authority

EDPB guidelines on derogations of article 49 under Regulation 2016/679 (February 2018)

ICO guidance on BCR following the EU-UK TCA

EDPB information note on data transfers under the GDPR to the United Kingdom after the transition period (adopted December 2020, updated January 2021)

GOV.UK guidance on using personal data after Brexit