Brexit... Data protection

The UK embraced the GDPR when it arrived and worked hard to implement it across all aspects of our lives. Now that the UK has left the EU, will there be new rules on transfers of personal data to and from the rest of the EU?

Thankfully, the situation is broadly clear, but there are details that organisations should be aware of, and we set out the guidelines to follow below.

If you have any questions about this topic or other Brexit related topics, please get in touch.

Will organisations still need to comply with the General Data Protection Regulation (GDPR) from 1 January 2021?

Under the UK-EU Trade and Co-operation Agreement (TCA) agreed on 24 December 2020, the Brexit transition period has – at least for EU-UK personal data transfers – been extended on an interim basis, so there are no major changes to data transfer arrangements for the moment.

This interim extension is ostensibly to enable the EU to make an adequacy assessment in respect of the UK’s data protection laws, which – if positive – would allow the continued free flow of personal data between the EU and UK without any new significant regulatory obstacles.

The TCA effectively grants the UK an interim GDPR ‘adequacy’ finding for 4 months from 1 January 2021 (extendable to 6 months). For this period, EU/EEA to UK personal data transfers are not treated as transfers to a ‘third country’ under the GDPR. Accordingly, there is no need to scramble to put in place the EU-approved standard contractual clauses (SCCs) or other measures for EU-UK transfers, although organisations should closely watch further developments over the next 4-6 months.

During this interim period, the UK Government is not permitted to amend the UK GDPR or other data protection law, although it seems unlikely that it would have wished to do so in any event. If the EU Commission adopts a decision on the UK’s adequacy status (whether positive or negative) before the period expires, the interim period will automatically terminate.

Transfers of personal data from the UK to the US and other third countries not covered by an adequacy decision will continue to be subject to the same GDPR rules as before Brexit. This means that a data export from the UK to a country which is not on the ‘adequacy’ list must either fall within an exemption under the GDPR (e.g. the transfer is necessary for the performance of a contract with the data subject, is carried out with their explicit consent, or is necessary in connection with a legal claim), or the SCCs or another mechanism recognised as providing ‘appropriate’ GDPR safeguards must be in place. The UK ICO has also published versions of the SCCs adapted to refer to the UK GDPR for use in UK to third country transfers.

Transfers of personal data from the UK to the EU are deemed legally adequate under UK law so, provided they are compliant with UK GDPR, such data transfers into the EU should not require any additional measures. The UK Government will however keep the status of such transfers under review.

Are there other key considerations?

Currently, under the GDPR, an organisation established outside the EEA is required to appoint a representative within the EEA where it offers goods or services to individuals in the EEA, or monitors the behaviour of such individuals (subject to certain exceptions). That representative acts on behalf of the organisation in relation to its compliance with GDPR obligations.

From 1 January 2021, an organisation in the UK which offers goods or services to individuals in the EEA, or monitors the behaviour of such individuals, but which does not have a branch, office or other establishment in any EEA state, will (subject to limited exemptions) need to designate a representative in an EEA country. The country must be one in which some of the individuals whose personal data are processed by that organisation are located. The representative may be a company, organisation or individual, and the appointment must be made in writing, typically in a contract. Details of the representative will also need to be included in your privacy policy or other information provided to individuals when their personal data are collected.

Equivalent provisions apply in the UK, so that organisations outside the UK, including those in Italy, the US or elsewhere, will be required to appoint a representative within the UK where they offer goods or services to individuals in the UK, or monitor the behaviour of such individuals (subject to the same exceptions as under the GDPR).

The TCA does not change anything in relation to ‘lead supervisory authorities’ under the GDPR. A company or organisation with a UK and EU presence that continues to process personal data on a cross-border basis within different EU establishments, and which previously dealt with the ICO as its ‘lead supervisory authority’ (because its main establishment was located in the UK), may need to consider where its new ‘main’ EU establishment is for GDPR purposes and, as a result, which national EU regulator should be its new lead supervisory authority.

Organisations should also review and (if needed) update the language in privacy notices, contracts and other legal documents to reflect the fact that the UK is no longer part of the EU or EEA.

What main actions do you need to take?

  • Most UK-based controllers/processors processing personal data as part of offering goods or services targeted into the EU (or actively monitoring EU data subjects) will – subject to some exemptions – now have to designate an EU-based ‘representative’ for GDPR compliance. This also applies to overseas businesses in the United States and elsewhere that had previously appointed a UK-based EU representative subject to the supervision of the UK Information Commissioner’s Office (ICO), since a UK representative no longer satisfies the EEA requirement. Conversely, EU-based controllers/processors who offer goods or services targeted into the UK will need to consider appointing a UK-based representative for UK data protection law compliance purposes.
  • Since the TCA changes nothing in relation to ‘lead supervisory authorities’ under the GDPR, if you will still be processing personal data on a cross-border basis within different EU establishments and you previously dealt with the ICO as your ‘lead supervisory authority’ because your main establishment was in the UK, you will need to consider where your main EU establishment is and, as a result, which national EU regulator should be your new lead supervisory authority under the GDPR.
  • Organisations should review and (if needed) update the language in privacy notices, contracts and other legal documents to reflect the fact that the UK is no longer part of the EU, the EEA or the EU’s data protection regime (although the GDPR is retained as part of UK data protection law).
  • Keep watch on whether the UK secures a positive adequacy decision from the EU within the next 6 months. If this starts to look unlikely, you should consider implementing alternative transfer mechanisms, such as the SCCs or binding corporate rules for large intra-group transfers.
