24 December 2020
The data protection aspects of Brexit have received relatively little attention in the mainstream press. But data is a crucial consideration for every business with customers, clients, or business partners in the European Economic Area (EEA).
At the time of writing, there's still a lot of uncertainty about what will happen on January 1, 2021. Many businesses are "in limbo" and eagerly awaiting news about tariffs, customs checks, and deregulation.
However, when it comes to ensuring you can still receive personal data from the EEA next year, it's possible to prepare for a "worst-case scenario" without significant costs.
This article will help you get ready for the end of the transition period, whether or not the UK has secured a free trade agreement.
In preparing for the end of the transition period, your first task is to understand how the UK's data protection framework could change.
Below, we've answered some frequently asked questions about the privacy implications of Brexit.
The EU's "adequacy" framework determines which countries can freely receive personal data from data controllers in the EEA (which includes the 27 EU countries plus Iceland, Liechtenstein, and Norway). There are 12 countries on the adequacy list, including Japan, Canada, and New Zealand.
The EU has not yet determined whether the UK will be an "adequate" third country after the end of the transition period. It is by no means clear that the UK will receive an adequacy decision.
Some commentators argue that if the EU and the UK successfully negotiate a free trade agreement, the EU will grant the UK an adequacy decision as part of this agreement.
But the UK may leave the EU without a free trade agreement or an adequacy decision. In this scenario, businesses that have not prepared will face difficulties maintaining the flow of personal data from the EEA to the UK.
With many questions still unanswered and very little time remaining, the UK government strongly recommends preparing for a "no-deal" and "no adequacy decision" scenario. Our transition checklist will help you do this.
The UK will continue to apply the same data protection standards from January 1, 2021. Data protection and privacy will continue to be regulated by the UK's Data Protection Authority, the Information Commissioner's Office (ICO).
However, there will be some major changes to how data protection law works and how UK and EEA businesses exchange personal data. These include the repeal of the "EU GDPR" in the UK and the entry into force of the "UK GDPR."
The UK GDPR is the UK's version of the GDPR that will apply from January 1, 2021. The government will be able to amend the UK GDPR but, at first, it will remain the same in key areas, such as:
This means UK businesses will need to continue applying the same data protection standards after the end of the transition period.
The amendments to the UK GDPR are published in a "Keeling Schedule," available on the UK government's website, to help people keep track of the changes. Here's an example of the types of changes that have been made (at page 5 of the Keeling Schedule):
In the image above, you can see how references to "the Union" have been replaced by references to "the United Kingdom." References to "Member State law," meaning the law of an EU country, have been replaced by references to "domestic law," meaning UK law.
The UK Data Protection Act 2018 (DPA 2018) will continue to apply in the UK after the end of the Brexit transition period. It sits alongside the UK GDPR.
Some parts of the DPA 2018 have also been amended to reflect the incorporation of the GDPR into UK law as the UK GDPR, to remove references to the EU, and to implement the UK's adequacy framework.
The amendments to the DPA 2018 are also available in a Keeling Schedule. Here's an example of some of the recent amendments to the DPA 2018 (at page 129 of the Keeling Schedule):
In the image above, you can see changes to the rules around how the ICO must coordinate with EU DPAs now that the ICO is no longer a member of the European Data Protection Board (EDPB).
These changes are unlikely to affect most small and medium-sized businesses, but it's important for all businesses to understand the fundamental changes occurring to the legal framework of the UK due to Brexit.
Data transfers from the EU to the UK have been unaffected throughout the transition period. But once the transition period ends, things may get more complicated.
This section applies to data flows from the EEA to the UK, meaning:
Data flows in the opposite direction (from the UK to the EEA) will be mostly unaffected by Brexit.
If you aren't sure whether your business is a controller or a processor, see our article GDPR Data Controller vs. Data Processor.
To ensure that personal data is protected once it leaves the EEA, EEA-based data controllers are only allowed to transfer personal data to non-EEA controllers and processors under one of the following conditions:
As explained above, you cannot assume that the UK will receive an adequacy decision. Therefore, UK businesses receiving personal data from EEA businesses will need to rely on one of the other three safeguard options.
The onus is on the sender of personal data (i.e., the EEA-based controller) to ensure that personal data is protected during and after the transfer. However, the receiver will also want to ensure that the transfer is legally compliant.
For most businesses, the most appropriate choice of safeguard is likely to be option 2: SCCs.
This means UK businesses that receive personal data from the EEA and EEA businesses that send personal data to the UK must ensure:
For more information on using SCCs, see our article Using Standard Contractual Clauses.
It may also be possible to rely on option 4 (derogations) for one-off transfers. The EEA-based sender of the personal information will need to determine whether this would be lawful in each case.
For more information on all other data transfer safeguard options, including the exceptions to the GDPR's data transfer rules, see our article Transferring Personal Data Out of the EU.
The EU requires some non-EEA organizations to designate an "EU representative," who will act as their legal presence in the EEA.
This section applies to UK businesses that are not established in the EEA, and:
If you aren't sure whether you "are established in the EEA," "offer goods and services in the EEA," or "monitor the behavior of people in the EEA," see our article How EU and U.S. Privacy Laws Apply to Foreign Businesses.
Not all UK companies will need to appoint an EU representative, even if they do meet the conditions above. Your business might not need to appoint an EU representative if it meets all of the following three conditions:
An EU representative is your company's main contact for EEA consumers and DPAs. They can be called before an EEA court if you violate the GDPR. They can also help keep records of your EEA data processing.
Your EU representative can work directly for your company, or they may be a contractor or agency worker. In fact, anyone can be your EU representative, as long as they meet the following three conditions:
Appoint your EU representative in whichever EEA country your business has the most significant presence.
You'll need to appoint your EU representative in writing.
For more information about how to do this, see our article GDPR Appointment of EU Representative Letter.
The one-stop shop mechanism (OSS) applies to businesses that engage in cross-border transfers of personal data within the EEA.
This section is relevant to businesses that are:
For example, if you are based in the UK, have an office in France, and have customers in multiple EEA countries.
If a data protection issue arises concerning multiple EEA countries, the OSS mechanism means that an EEA business will only need to deal with the DPA in its "main establishment." This main establishment DPA is known as the company's "lead supervisory authority." The OSS thus saves businesses operating in more than one EEA country from dealing with multiple DPAs.
Brexit means that the ICO may stop participating in the OSS. This means that if the ICO is your lead supervisory authority, you may need a different DPA to act as your lead supervisory authority after the end of the transition period.
Whilst it is not strictly possible to choose your lead supervisory authority (LSA), you should try to determine which EEA country hosts your main establishment so that you know which DPA to approach in the event of an incident concerning your cross-border processing activities.
The Article 29 Working Party states that your main establishment is the EEA country in which your "central administration" is located. This has a slightly different meaning for controllers and processors.
For controllers, the central administration is: "where decisions about the purposes and means of the processing of personal data are taken" and which "has the power to have such decisions implemented."
For processors, the central administration is: "where the main processing activities take place."
Once you know where your central administration, and thus your main establishment, is located, you will know which DPA to approach if you suffer a data breach or need to consult on a data protection impact assessment (DPIA).
To prepare for the end of the UK's transition out of the EU, you may need to take one or more of the following steps:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.