Brexit: Transfer of Personal Data Between the EU and the UK After the End of the Transition Period

19.05.2021 | Author: Top privacy, s.r.o.

On January 31, 2020, the United Kingdom left the European Union. With the entry into force of the Withdrawal Agreement, the country entered a transition period during which it remained subject to European law. What does this mean from a data protection perspective, and what measures need to be taken when transferring personal data between the EU and the United Kingdom?


The transition period ended on December 31, 2020. Just before it ended, on December 24, 2020, the United Kingdom and the EU concluded the EU-UK Trade and Cooperation Agreement (TCA). The TCA allowed personal data to continue flowing freely from the EU to the United Kingdom, but only for an interim period of at most six months after the end of the transition period, i.e. until June 30, 2021. During this period, UK businesses could continue to receive data from the European Economic Area (hereinafter “EEA”: the EU member states plus Iceland, Norway, and Liechtenstein) without further restrictions. The United Kingdom expected the European Commission to issue an adequacy decision within that window, thereby recognising the country as providing an adequate level of protection for personal data [1]. For the United Kingdom, this would mean that personal data could continue to be transferred from the EU to this third country without additional safeguards even after the six-month interim period expires. To date, however, the European Commission has not adopted such a decision.

UK Data Protection Legislation After December 31, 2020

Following the end of the transition period, Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the “GDPR”) no longer applies directly within the territory of the United Kingdom. However, the GDPR was retained in UK law by the Withdrawal Act, creating a data protection regime specific to the UK after Brexit. This regime is known as the UK GDPR (the UK version of the European Regulation). To keep the European standards applicable within the UK, the text was adapted by technical amendments made under the UK’s EU-exit regulations (for example, replacing references to EU institutions and supervisory authorities with their UK counterparts). The principles and substantive rules remain unchanged.

Guidance and Procedure

The UK’s independent authority responsible for upholding information rights in the public interest, the Information Commissioner’s Office (hereinafter “ICO”), has published guidance on its website to help small and medium-sized enterprises and organizations in the United Kingdom ensure that personal data continues to be transferred lawfully between the UK and the EEA after the end of the transition period.

The UK government has committed to upholding high standards regarding the transfer of personal data to the EEA. In practice, this means that a UK company that already complies with the data protection principles and has no contacts or customers in the EEA does not need to take any additional steps. However, if the company receives personal data from contacts in the EEA, it must make reasonable efforts to ensure that the transfer complies with both European and UK rules. Where such a UK controller or processor is itself subject to the GDPR under Article 3(2) (because it offers goods or services to, or monitors the behaviour of, individuals in the EEA), it is also required to appoint a representative in the EU pursuant to Article 27 of the GDPR, unless one of the exemptions in Article 27(2) applies.

If the European Commission does not adopt an adequacy decision for the United Kingdom before the interim period set out in the Trade and Cooperation Agreement expires, transfers from the EEA to the UK will be treated like transfers to any other “third country” without an adequate level of protection. In that case, companies will have to rely on the appropriate safeguards of Article 46 of the GDPR, namely Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), and update their documentation accordingly to ensure that the personal data of EU residents remains protected during transfer.

Use of Standard Contractual Clauses

The simplest way to provide adequate protection for the transfer of personal data between the EEA and the United Kingdom is to enter into Standard Contractual Clauses (SCCs). This method is particularly suited to small and medium-sized enterprises that need to maintain a continuous flow of personal data between the EU and the UK. SCCs are contractual terms signed by both the “data exporter” and the “data importer,” imposing obligations on each party that protect the personal data during and after its transfer. The ICO also offers an interactive tool for drafting standard contractual clauses between two controllers, or between a controller and a processor.

Updating Binding Corporate Rules

Securing data transfers is not just a concern for smaller businesses. Multinational groups should also consider updating their existing Binding Corporate Rules (BCRs) to cover the transfer of personal data between the EU and the UK (Article 47 of the GDPR). With the UK’s departure from the EU, the Information Commissioner’s Office (ICO) has lost its status as a supervisory authority under the GDPR. Binding Corporate Rules for transfers of personal data from the EEA to the United Kingdom therefore have to be approved by a supervisory authority in an EU member state, since the ICO can no longer approve such rules for GDPR purposes.

Privacy Documentation

The UK has adopted its own adequacy regulations recognising the EEA countries, so companies may continue to transfer personal data from the UK to the EEA. It is nevertheless important to update privacy documentation to include information and notices about these transfers. UK businesses are required to bring their GDPR documentation into line with the UK GDPR. In particular, privacy notices, Data Protection Impact Assessments (DPIAs), procedures for handling Data Subject Access Requests (DSARs), and records covering international flows of personal data must reflect the UK’s separate jurisdiction and the specific wording and scope of the UK GDPR.

Country-Specific Representatives

One way to ensure the protection of transferred data is to appoint suitable representatives within operations in the EEA, who will act as the direct point of contact for data subjects and supervisory authorities within the EEA.

A representative may be a natural person, company, or organization established in the EEA (for example, a law firm or a private company) that is mandated to represent the business or organization in fulfilling its obligations under the GDPR. The simplest way to appoint a representative is to enter into a service agreement that sets out the mandate.

It is necessary to specify in which member state the representative will be established and to give the representative a written mandate. Information about the representative should also be easily accessible to the individuals (data subjects) whose personal data the organization processes, for example in the privacy notice on the controller’s website.

When transferring personal data to third countries, controllers and processors must ensure that adequate protection for the transfer is in place before the first transfer takes place.

We will update further information regarding the transfer of personal data between EU countries and the United Kingdom as needed.

[1] To date, the European Commission has recognized only Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay as countries providing adequate protection of personal data.

Sources

https://www.mhsr.sk/obchod/brexit-informacie-pre-obcanov-a-podniky

https://ec.europa.eu/info/european-union-and-united-kingdom-forging-new-partnership/brexit-brief_sk

https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/data-protection-at-the-end-of-the-transition-period/the-gdpr/european-representatives/

https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/data-protection-at-the-end-of-the-transition-period-for-small-businesses/

https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/data-protection-at-the-end-of-the-transition-period/the-gdpr/international-data-transfers/

https://www.itgovernance.co.uk/eu-gdpr-uk-dpa-2018-uk-gdpr

https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/data-protection-and-the-eu-uk-trade-deal/

https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/data-protection-now-the-transition-period-has-ended/

https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/dp-transition-small-orgs/
