Brexit has a major impact on the day-to-day business of many organizations and has therefore already resulted in serious headaches for many of us.
If you are wondering what the implications are for the free trade of goods, taxes and duties, the movement of people and the transfer of personal data between the EU and the UK, chances are your organization is affected by Brexit too.
Are you advising your organization on EU-UK data transfers and how to respond to Brexit in your role as DPO?
Or are you responsible for a process within your organization whereby personal data is transferred to the UK?
Surely you want to be able to maintain these data transfers in a compliant manner after the new year?
Find out more in this article on how to tackle the data transfer issue using our practical step-by-step approach.
The UK as any other third country
After Brexit entered into force last year, a transition period started which upheld the status quo for data flows between the EU and the UK.
However, this transition period ends on December 31st, 2020, resulting in the UK becoming a ‘third country’ outside the European Economic Area (EEA) in terms of the GDPR.
In other words, the UK becomes a foreign country to the EU, just like every other non-EEA country in the world, and is therefore no longer considered (by default) a safe destination for transfers of EU residents’ personal data.
Typical GDPR Data Transfer Safeguards
To legitimize a data transfer to a third country and ensure protection equivalent to that under EU law, the GDPR offers several mechanisms which can be applied.
The most common data transfer safeguards are:
- Adequacy decision by the European Commission – meaning the EU declares that a third country has adequate data protection, so that no additional safeguards for data transfers are required – also referred to as the so-called “safe countries”.
- Standard Contractual Clauses of the European Commission (SCCs) – to ensure a particular data transfer is valid and to guarantee that the data importer provides data protection equivalent to that which the data exporter is bound to under EU law.
- These template EU documents are usually attached to a data protection agreement between a data controller and a data (sub)processor, or between two data controllers.
- Recently the EC released draft versions of four new SCCs, which will be adopted after their current review period.
- Binding Corporate Rules (BCRs) – these are legally binding and enforceable internal intragroup rules and policies allowing data to be transferred from an EU/EEA affiliate to a non-EU/EEA affiliate. BCRs ensure a similar level of data protection for intragroup data transfers.
- e.g. a multinational with HR activities centralized in the UK, where data of EU employees is transferred from EU subsidiaries to the UK headquarters.
Why the outcome of the Brexit negotiations matters?
One of the hot topics in the Brexit negotiations is a UK adequacy decision by the European Commission (EC). The UK government is seeking such an adequacy finding – as part of the EU-UK trade deal – to allow for the continued free flow of personal data using a single, overarching solution.
The EC’s decision, however, will depend on several conditions. Certain conditions are likely to have a positive impact on the EC’s decision:
- The UK having strong data protection rules through implementation of the GDPR
- The UK having an independent data protection authority (ICO)
However, certain other conditions could have a negative impact on the adequacy finding:
- The UK’s surveillance program (Investigatory Powers Act 2016) and its similarities to US surveillance programs
- The CJEU invalidated the EU-US Privacy Shield, with one of the Court’s arguments being the circumstances of the US surveillance programs
- UK-US data sharing agreement (Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime)
If an adequacy decision is granted, EU-UK data transfers will be valid and, generally speaking, you shouldn’t have to worry about any additional safeguards.
However, in the event that an adequacy decision is not granted before the end of the transition period – and the chances are shrinking – you will have to fall back on another mechanism for lawful data transfers to the UK.
Are Standard Contractual Clauses (SCCs) the solution?
In the absence of an adequacy finding, SCCs will in most cases be the practical solution. SCCs are signed between the data exporter and the data importer. At the time of writing, SCCs are available for data transfers from an EEA controller to a non-EEA controller and from an EEA controller to a non-EEA processor. The EC is in the process of updating the SCCs and the result is expected by the start of 2021.
However, simply signing SCCs no longer suffices, according to the CJEU’s judgement in the Schrems II case.
You now need to verify in advance whether the personal data transferred is equally protected, by means of a Transfer Impact Assessment (TIA). In such a TIA you evaluate whether the processing of personal data within the third country – taking into account surveillance, government controls etc. – is considered safe.
The result of such an assessment may be that supplementary measures – e.g. encryption or pseudonymization – are required. This needs to be assessed on a case-by-case basis.
How to perform a Transfer Impact Assessment?
Make sure to conduct a TIA before you actually transfer data to the UK.
The TIA should be based on the criteria set out in the Schrems II case. You need to be able to demonstrate that you have conducted an extensive assessment of at least the data protection and surveillance laws of the third country, the existence of any independent data protection authority, the technical and organisational measures used to protect the data, and any international commitments made by the country.
Feel free to contact us if you require a Transfer Impact Assessment template.
In case of NO adequacy decision – What are the practical steps you should be taking?
Map any UK data transfers. Leverage your register of processing activities (ROPA) and take into account onward data transfers as well, e.g. from your processors to sub-processors.
- What to do if your ROPA is not up to date? Please read our previous blog post to find out about and apply our best practices for keeping your ROPA up to date.
- You might also want to leverage any privacy statements or Data Protection Agreements you have in place.
Assess the necessity of those UK data transfers and if any appropriate EU alternatives exist.
Identify the appropriate safeguard for each (set of) data transfer(s) between the EU and the UK.
- SCCs will in most cases be the suitable data transfer mechanism: sign SCCs with data importers located in the UK.
Conduct a Transfer Impact Assessment for each (set of) data transfer(s) between the EU and the UK:
- to verify the effectiveness of the data transfer mechanism;
- to identify any additional measures that are necessary to bring the level of protection of the transferred data up to the EU standard of essential equivalence. Consider Annex 2 of the European Data Protection Board (EDPB) Recommendation 01/2020 (draft) for a non-exhaustive list of examples of additional measures, together with some of the conditions they would require to be effective.
Adopt the identified supplementary measures before commencing the data transfer (i.e. technical, contractual and/or organizational measures).
Re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to the UK and monitor if there have been or there will be any developments that may affect it.