More than four years after the vote to leave the EU, a deal was finally struck just in time for the official end of the Brexit transition period on 31st December 2020. So we now have perfect clarity on our future relationship with Europe from a data protection perspective, right? Wrong!
When it comes to the flow of personal data from the EEA (the EU Member States plus Iceland, Norway and Liechtenstein) into the UK, a further interim period has been agreed. During this "bridge", transfers from the EEA to the UK are not treated as transfers to a third country. It lasts for up to 4 months, extendable by a further 2 months, so until 30th June 2021 at the latest, while the European Commission decides whether to grant the UK an adequacy decision.
So…what happened on 1st January 2021?
A UK-specific version of the General Data Protection Regulation (GDPR), which had applied directly in the UK from 25th May 2018 whilst we remained part of the European Union, was written into UK domestic law. This is now known as the UK GDPR.
The UK GDPR, the Data Protection Act 2018 (amended to refer to the UK GDPR rather than the EU GDPR) and the Privacy and Electronic Communications Regulations (PECR) now form the UK's privacy legislation.
With regard to the general obligations and principles of data protection, very little changes in practice, as the UK GDPR is essentially the same text as the EU GDPR, read in a UK-only context (with references to EU bodies and Member States replaced by their UK equivalents).
What will Happen During the Extension Period?
Personal data will continue to flow freely from the EU (and the wider EEA) to the UK for a maximum of 6 months, to avoid any interruption. Flows in the other direction are unaffected in any case: UK law already treats the EEA states as adequate, so UK to EEA transfers can continue as before.
Meanwhile, the European Commission will decide whether the UK's legal framework provides sufficient safeguards for the UK to receive an adequacy decision.
What is an adequacy decision? – a formal finding by the European Commission that a territory outside the EEA has a data protection framework essentially equivalent to the GDPR. Personal data may then flow to that territory without any further safeguards, as though it were still within the EEA.
Should the Commission grant the UK adequacy, there will be no additional requirements on UK businesses and organisations receiving EEA data, and therefore no interruption to the flow of personal data after the end of the bridge.
What will happen if the UK isn’t deemed “adequate”?
For transfer purposes, the UK will then be treated as a "third country" – essentially any nation that is neither an EU (or EEA) Member State nor covered by an adequacy decision.
If this is the case, an alternative transfer mechanism will need to be in place before personal data from the EEA can continue to flow into the UK.
Several options cater to this situation. The two most widely relied upon by businesses are:
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
Standard Contractual Clauses (SCCs)
These are "ready-made" standardised contract terms, pre-approved by the European Commission, which are signed by both the EEA-based organisation sending the personal data (the exporter) and the UK business receiving it (the importer). They must be adopted as published; the parties may add commercial terms but cannot alter the clauses themselves.
Although the legal responsibility for ensuring the transfer is protected lies with the exporter, it is clearly in the interests of the UK company receiving the data to help put the SCCs in place, so that its own business operations are not disrupted.
Binding Corporate Rules (BCRs)
These are legally binding internal rules, approved by an EU supervisory authority, adopted by the companies within a single multinational group – a little like a group-wide code of conduct. BCRs guarantee a level of protection that meets EU standards as personal data flows across borders between members of the group. Note that they only cover intra-group transfers, not transfers to unrelated third parties.
If you're a UK business with offices in the EEA, those establishments are directly subject to the EU GDPR, so compliance with both UK and EEA legislation (that is, UK GDPR and EU GDPR) will be expected. If you have no establishment in the EEA but offer goods or services to, or monitor the behaviour of, individuals there, you will need to appoint an EU representative under Article 27 of the EU GDPR.
Additional transfer mechanisms also exist, which may apply to public authorities, medical emergencies or situations where a one-off transfer of personal data is required. Contact us for bespoke guidance on these circumstances.
Transfers of personal data to the U.S
Until July 2020, personal data flowed freely from the UK to the U.S. under the well-established EU-U.S. Privacy Shield.
However, in its Schrems II ruling of 16th July 2020 the Court of Justice of the EU invalidated the Privacy Shield, so it can no longer be relied upon and alternative safeguards, typically SCCs, must be used instead.
The ruling also requires a risk-based approach: before relying on SCCs, the exporter must assess, case by case, whether the laws of the destination country (for example, government access to data) undermine the protection the clauses promise, and must add supplementary measures where they do – strong encryption with the keys held outside the destination country being the most common example. Many organisations carry out this assessment alongside a Data Protection Impact Assessment (DPIA) so that every aspect of the security of the transferred data is considered.
In conclusion, we'll all have to wait and see whether adequacy is secured for the UK before the June 2021 deadline. However, the ICO and data protection experts advise that companies protect themselves by having appropriate alternative mechanisms, such as SCCs, agreed with their EEA partners by April 2021, to mitigate the risk of an interruption to their data flows if no decision is reached in time.