On January 31, 2020, the United Kingdom left the European Union. With the entry into force of the withdrawal agreement, the country entered a transition period during which it remained subject to European law. What does this mean in terms of data security, and what security measures will need to be taken when transferring personal data between the EU and the United Kingdom?

The transition period ended on December 31, 2020. Just before it ended, on December 24, 2020, the United Kingdom concluded the EU-UK Trade and Cooperation Agreement (TCA) with the EU, which allowed personal data to continue to flow freely from the EU to the United Kingdom for a maximum of six months from the end of the transition period, i.e. until June 30, 2021. Under this bridging arrangement, British companies could continue to receive data from the European Economic Area (hereinafter the "EEA": the EU Member States plus Iceland, Norway, and Liechtenstein) without further restrictions. The United Kingdom expected the European Commission to issue an adequacy decision and thus classify the country as safe for the transfer of personal data [1]. For the United Kingdom, this would mean that personal data could be transferred from the EU to this third country without additional safeguards, even after the six-month period expires. However, at the time of writing, the European Commission has not issued such a decision.
UK legislation on personal data protection after December 31, 2020
After the transition period, Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the "GDPR") no longer applies directly in the UK. However, the GDPR was retained in UK law by the European Union (Withdrawal) Act 2018 and amended to create a data protection regime specific to the UK after Brexit. This regime, read together with the Data Protection Act 2018, is known as the UK GDPR (the British version of the European Regulation). So that European standards would continue to apply in the UK, technical amendments and additions had to be made through the EU exit regulations; the principles and rules themselves remain unchanged.
Guidance and procedure
The UK's independent authority for protecting and upholding information rights in the public interest (the Information Commissioner's Office, hereinafter the "ICO") has published guidance on its website to help small and medium-sized businesses and organizations in the UK ensure that they can continue to transfer personal data lawfully and securely to and from the EEA after the transition period.
The UK government is committed to maintaining a high standard of personal data protection for transfers of personal data to the EEA. In practice, a company that complies with the data protection principles and has no contacts or customers in the EEA does not need to take any additional steps. A company that receives personal data from contacts in the EEA, however, must make reasonable efforts to ensure that the transfer complies with both the EU and the UK regulations. Where such a UK controller or processor also falls within the territorial scope of the EU GDPR (Article 3(2): offering goods or services to, or monitoring the behaviour of, individuals in the EEA), it is required to appoint a representative in the EU in accordance with Article 27 of the GDPR.
If the European Commission does not classify the United Kingdom as providing adequate protection before the six-month period specified in the Trade and Cooperation Agreement expires, the country will become an ordinary "third country" for personal data protection purposes. In that case, companies will have to rely on alternative transfer mechanisms, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), and update their documentation to ensure the protection of EU residents' personal data during transfers.
Use of standard contractual clauses
The simplest way to ensure adequate protection for transfers of personal data between the EEA and the United Kingdom is to conclude standard contractual clauses (SCCs). This mechanism is aimed primarily at small and medium-sized enterprises that need to maintain a continuous flow of personal data between the EU and the UK. SCCs are model contract terms signed by both the exporter (the party transferring the data) and the recipient (the importer) of the personal data; they impose contractual obligations that protect the personal data during and after the transfer. The ICO offers a tool for building these clauses for transfers between two controllers or between a controller and a processor.
Updating internal rules
However, safeguarding transfers is not just a matter for smaller businesses. Multinational companies should also consider updating their existing binding corporate rules (BCRs) for transfers of personal data between the EU and the United Kingdom (Article 47 of the GDPR). With the UK's departure from the EU, the ICO has lost its status as a supervisory authority under the EU GDPR. BCRs covering transfers of personal data from the EEA to the United Kingdom will therefore have to be approved by a supervisory authority in an EU Member State, since the ICO can no longer approve them for EU purposes.
Security documentation
While transfers remain permitted under the interim arrangement, companies may continue to transfer data between the UK and the EEA. It is nonetheless important to update the security documentation on personal data protection to include the information and notices relating to this transfer. UK businesses are required to update their GDPR documentation and bring it into line with the requirements of the UK GDPR. In particular, all privacy notices, DPIAs (data protection impact assessments), DSAR (data subject access request) procedures and documentation covering international flows of personal data must reflect the UK's separate jurisdiction and the specific wording and scope of the UK GDPR.
Representatives within individual countries
A further step to protect transferred data is to appoint a suitable representative within the EEA who acts as the direct point of contact for data subjects and supervisory authorities in the EEA.
A representative may be a natural person, company or organization established in the EEA (for example a law firm or a private company) that represents the business or organization in fulfilling its obligations under the GDPR. The simplest way to appoint a representative is to enter into a simple service agreement that records the mandate in writing.
It is necessary to define in which countries the representatives will be based and to issue the appropriate powers of attorney for them. Information about the representative should also be easily accessible to the individuals (data subjects) whose personal data the controller processes, for example on the controller's website.
When transferring personal data to third countries, controllers and processors must ensure that adequate protection for the transfer is in place before the personal data is transferred for the first time.
Further information on the transfer of personal data between EU countries and the United Kingdom will be updated as necessary.
[1] To date, the European Commission has recognized only Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as countries providing adequate protection of personal data.
Sources
https://www.mhsr.sk/obchod/brexit-informacie-pre-obcanov-a-podniky
https://ec.europa.eu/info/european-union-and-united-kingdom-forging-new-partnership/brexit-brief_sk
https://www.itgovernance.co.uk/eu-gdpr-uk-dpa-2018-uk-gdpr
https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/dp-transition-small-orgs