The expiry of the Brexit transition period raised data protection compliance concerns for many companies operating in both Ireland and the United Kingdom ("UK"). Examples of such companies include those transferring personal data across the Irish Sea on an intra-group basis and/or using service providers in the other jurisdiction. This briefing considers the implications of the expiry of the Brexit transition period and the EU-UK Trade and Cooperation Agreement ("TCA")[1] for personal data transfers.
EU to UK Data Transfers
With effect from 1 January 2021 the UK became a "third country" to EU Member States for data protection purposes. The TCA includes a grace period of up to six months allowing data transfers to the UK to continue without the need to put an EU GDPR transfer tool in place ("TCA Grace Period"). Absent that provision, transfers from the EEA to the UK would have had to satisfy one of the EU GDPR provisions on the transfer of personal data to third countries. The TCA Grace Period is a welcome postponement to the onset of new data privacy requirements applying to EU to UK data transfers. But this reprieve is temporary and companies should prepare accordingly.
The TCA Grace Period is intended to give the European Commission ("Commission") time to perform its adequacy assessment on the UK's data protection laws. This period may end prior to 1 July 2021 if, for example, the Commission issues an adequacy decision, or if the UK takes certain actions derogating from existing data transfer protections during this period.
Likelihood of a UK Adequacy Decision
It would be reasonable to expect a UK adequacy decision to be issued given that the UK and the EU have had the same data protection regime in place until recently. However, the adoption of an adequacy decision is by no means certain. The process involves multiple stakeholders (a Commission proposal, an opinion of the European Data Protection Board and approval by EU member state representatives, prior to adoption by the Commission). It will also include an assessment of UK surveillance authorities' access to personal data in a manner not previously within the EU's remit. This could be problematic if the concerns in relation to US law enforcement access to personal data addressed by the European Court of Justice in the Schrems II decision[2] also arise in the UK context.
Use of Standard Contractual Clauses
To address the consequence of no adequacy decision being issued during the TCA Grace Period, the UK Information Commissioner ("ICO") has recommended that it would be a 'sensible business precaution' for UK businesses to put in place alternative transfer mechanisms. The UK government has suggested that Standard Contractual Clauses ("SCCs") will be the most relevant transfer tool. There are currently two sets of SCCs depending on the nature of the transfer. The Commission published draft updated SCCs for consultation in November 2020[3]. The timing on approval of the new SCCs is unclear but they are progressing through the formal channels. The European Data Protection Board and European Data Protection Supervisor adopted a joint opinion on 15 January 2021 welcoming the new SCCs and proposing amendments[4]. Until the new SCCs are adopted, the original SCCs can continue to be used.
UK to EU Data Transfers
The UK has provisionally recognised the adequacy of EU data protection laws for the purposes of UK GDPR and transfers of personal data from the UK to the EU. This means that UK companies sending data to counterparts within the EU do not need to put any special safeguards in place for these transfers.
Non-Transfer Data Compliance Issues
The UK has adopted its own GDPR. In the short term there will be few practical differences between it and the EU GDPR, as the UK GDPR follows the EU GDPR. It is worth noting the potential for double jeopardy because of the two separate regimes. Where, for example, an incident gives rise to a breach of both the EU and UK GDPR regimes, a company may be exposed to fines and other corrective measures by both EU and UK data protection authorities.
The following are some specific areas in which compliance remediation steps may be needed:
- If the ICO was identified as a company's lead regulator, it can no longer be a lead regulator for the purposes of the EU GDPR. Companies will need to assess whether or not there is a "main establishment" within the EU for EU GDPR purposes so that they can appoint an EU data protection authority as their lead.
- Conversely, if a company is not established in the EU for EU GDPR purposes following 1 January 2021, it may be obligated to appoint an EU representative. The UK GDPR contains a similar provision for entities not established in the UK but to which the UK GDPR applies.
- The legal basis for processing under the EU GDPR needs to be reassessed where it is based on a UK national law. UK national law will no longer satisfy Article 6(1)(c) of the EU GDPR.
- Privacy notices and data privacy impact assessments should be reviewed to ensure that they remain accurate.
- The data protection provisions of service provider contracts may also need to be updated to ensure that both the EU and UK GDPRs are addressed.
[2] Case C-311/18, 16 July 2020, http://curia.europa.eu/juris/documents.jsf?num=C-311/18