Personal data flows from the EU/EEA after Brexit
Background: UK data adequacy decisions
On 28 June 2021, the European Commission (EC) adopted two UK data adequacy decisions.
These decisions mean that personal data can continue to flow from the EU/EEA to the UK, and you do not need to adopt additional safeguards for those transfers.
However, we advise that you regularly review your contingency planning, as both decisions are valid for four years (they expire in June 2025 unless renewed) and are subject to regular monitoring and review.
Due to recent changes in the EU, certain parts of this guidance will need to be updated. We are working on this.
Guidance on transferring data outside of the EEA
This guidance describes the mechanisms to transfer personal data outside of the EEA in the absence of an adequacy decision.
At the moment, the UK is covered by two adequacy decisions. This means no further measures are currently required to continue transferring data.
However, UK lawyers who process the personal data of individuals in the EU/EEA can use the guidance below for contingency planning.
The outward flow of data from the UK to the EU/EEA will remain unaffected, regardless of the EU’s adequacy decisions. This is because the UK government regards all 27 EU member states and the EEA states as adequate for the purposes of data protection.
You should make sure you're familiar with the basic features of General Data Protection Regulation (GDPR) compliance, and understand:
- the personal data you process
- where it comes from
- the supply chains you're a part of
- whether you're a controller, joint controller or processor in relation to that data
The fundamentals of compliance with the current data protection regime are set out in our guidance on GDPR for solicitors.
Transfers of personal data without an adequacy decision
Should the EU’s adequacy decisions be revised or withdrawn, anyone transferring personal data from the EU/EEA to the UK would do so on a third-country basis.
Firms would need to put in place one of the appropriate safeguards set out in article 46 of the GDPR. These include:
- binding corporate rules (BCRs)
- standard contractual clauses (SCCs)
- certification and codes of conduct
Also, article 49 of the GDPR lists derogations available to those wishing to transfer EU/EEA personal data to a third country.
To prepare for this possibility, processors in the UK should make sure they understand:
- their data supply chain, and
- whether and how they might be eligible to rely on a derogation in the absence of an appropriate safeguard
Steps you should take now
1. Check the guidance
You should consult all available guidance from relevant regulators, in particular the European Data Protection Board (EDPB).
2. Be prepared to demonstrate compliance
You'll need to take appropriate actions to demonstrate your/your firm's efforts to comply with the relevant data protection regime.
You can do this by:
- devoting proportionate and reasonable resources to identifying risk associated with your international data transfers
- mitigating that risk with the appropriate mechanism (such as data subject consent, SCCs, BCRs, or certification and codes of conduct)
- supporting this with governance, internal controls and staff training
3. Review EEA data flows
You should review your data flows involving the EEA, including:
- transfers of personal data from the EEA to the UK
- onward transfers of that data from the UK to third countries
4. Consider local privacy laws
If you have an office in another EU country or process EU personal data, you should consider other aspects of local privacy laws in that country, as the GDPR allows for local variations (for example, in relation to processing special categories of data).
5. Nominate a lead supervisory authority
If you have offices in other EU states and have nominated the Information Commissioner's Office (ICO) as your lead supervisory authority (LSA) under the consistency mechanism (section 2 of chapter VII), you'll have to nominate another EU regulator as your LSA for EU personal data.
Your LSA should be chosen in accordance with GDPR requirements.
6. Appoint an EU representative
If you do not have an office in an EU member state, but intend to process EU personal data, you may need to appoint an EU representative and update your privacy notices to include their contact details.
7. Review privacy policies
You should review your privacy policies so that clients are informed of the movements of their personal data in and outside of the EU.
Review which of the transfer mechanisms set out in articles 46, 47 and 49 of the GDPR are best suited to the needs of your firm. We discuss these mechanisms below.
Please note that this section is currently being updated.
Standard contractual clauses (SCCs)
The standard contractual clauses (SCCs) impose contractual obligations on you (the data exporter) and on the receiver (the data importer).
They also give the individuals whose personal data is transferred rights that they can enforce directly against the data importer and the data exporter.
SCCs can only be used between parties that conclude a contract incorporating them.
They cannot be used in certain instances, for example where there are joint controllers or a group of undertakings engaged in joint economic activity.
On 4 June 2021, the Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).
- These modernised SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46
- Since 27 September 2021, it’s no longer possible to conclude contracts incorporating these earlier sets of SCCs
- Until 27 December 2022, controllers and processors can continue to rely on those earlier SCCs for contracts that were concluded before 27 September 2021, provided that the processing operations that are the subject matter of the contract remain unchanged
Following the judgment in Schrems II (July 2020), there is also a higher standard of due diligence imposed on organisations that transfer data outside of the EEA.
The European Data Protection Board (EDPB) updated its guidance on the application of the SCCs.
The EDPB’s recommendations on measures that supplement transfer tools, and on the European essential guarantees for surveillance measures, are listed under EDPB guidance at the end of this page.
Binding corporate rules (BCRs)
Multinational businesses can adopt binding corporate rules (BCRs) under article 47 of the GDPR.
BCRs allow organisations to transfer personal data from the EEA to outside the EEA within their group of undertakings or enterprises.
The BCRs need to be approved by a relevant supervisory authority.
Organisations that operate within the EEA and have relied on EU BCRs approved by the ICO will need to have those BCRs approved by their lead supervisory authority in the EEA, as the ICO can no longer act as BCR lead authority under the GDPR.
The Schrems II judgment also applies to the BCRs.
This is because organisations need to demonstrate a higher degree of due diligence with regard to the law and practice of the country the data is transferred to, regardless of the transfer mechanism.
Existing binding corporate rules (BCRs) will remain good practice to demonstrate compliance with the GDPR.
Codes of conduct and certification mechanisms
Organisations in the UK may wish to consider adopting, through their trade association or representative body, approved codes of conduct or certification mechanisms, together with binding and enforceable commitments by the controller or processor to apply the appropriate safeguards.
Derogations
Article 49 of the GDPR lists derogations for specific situations. These include:
- explicit consent of the data subject to the proposed transfer
- performance of a contract
- important reasons of public interest
- establishment, exercise or defence of legal claims
- protection of the vital interests of the data subject
Although derogations are a valid transfer mechanism, the EDPB advises that the use of derogations be interpreted restrictively so that the exception does not become a rule.
If your firm relies on consent obtained while the UK was a member of the EU, you should consider obtaining it again. The bridging mechanism in the EU-UK Trade and Cooperation Agreement has since been replaced by the adequacy decisions of 28 June 2021, and it remains unclear whether UK businesses could continue to rely on that earlier consent if those decisions were to lapse.
You should closely examine the consent language to check that it specifically covers the transfer of the personal data from the EEA to a recipient in the UK (a country outside the EEA), and that the individual was informed of the possible risks of such a transfer.
Bilateral agreements with EU member states
EU member states do not have the competence to unilaterally grant adequacy decisions to third countries.
The UK cannot form bilateral agreements with member states on the cross-border transfer of data, in areas governed by EU law, or in relation to databases governed by EU law.
Read European Data Protection Board (EDPB) guidance:
- guidelines 3/2018 on the territorial scope of the GDPR (article 3)
- recommendations 02/2020 on the European essential guarantees for surveillance measures
- recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
- information note on binding corporate rules for companies with the ICO as BCR lead supervisory authority
- guidelines 2/2018 on derogations of article 49 under Regulation 2016/679