On the 31st of December 2020 the Brexit transition period will come to an end and the UK will leave the EU for good. In a digitalized world, this will have significant implications for the relationships between EU and UK companies, not least with respect to the protection of personal data and data transfers in particular.
At the end of the transition period, the GDPR will no longer directly apply in the UK and the UK will be considered a “third country”. These so-called “third countries” fall outside of the GDPR zone, meaning that transfers of personal data to those countries are restricted and the GDPR rules on international transfers of personal data will need to be respected.
In order to allow for the continued free flow of personal data, without the need for any further safeguards for data transfers, the ideal scenario would be for the UK to obtain an “adequacy decision” from the European Commission (i.e. a decision that the UK is considered to provide an adequate level of data protection).
However, the process of granting an adequacy decision can be lengthy and will most probably take months, if not years. Moreover, the recent decision of the CJEU in Schrems II has cast further doubt on whether the European Commission will ultimately rule that UK law is capable of offering such an adequate level of data protection. Indeed, as evidenced by the Schrems II decision as well as the recent ECJ ruling of 6 October 2020, the decision on adequacy will not be based on data protection legislation alone. It will also take into account the broader legislative situation of a country, including surveillance laws and the investigative powers of law enforcement authorities. This is where the UK might expect its surveillance regime to come under close scrutiny. The Investigatory Powers Act (IPA) in particular is a controversial law that introduced extensive powers for UK intelligence and law enforcement authorities, such as the bulk interception of communications, the bulk collection of communications data and equipment interference, without these necessarily being subject to prior approval by a Judicial Commissioner.
If no adequacy decision is granted before the end of the transition period, there are other mechanisms that might be considered:
- Standard contractual clauses or ad hoc clauses
Standard contractual clauses (SCCs) are standard sets of contractual terms and conditions which the exporter and the importer of personal data both sign up to, aimed at protecting personal data leaving the EEA.
Currently there are three versions of SCCs issued by the European Commission, directed at the transfer of personal data from an EEA controller to a non-EEA controller (two versions, to be used at the choice of the parties) or the transfer between an EEA controller and a non-EEA processor. An update of the SCCs is expected by the end of 2020.
When making use of the SCCs it is important to keep in mind that they must be used in full and unaltered. However, parties may include additional safeguards or other clauses, provided that this is done without contravening, directly or indirectly, the SCCs or the rights of data subjects.
Furthermore, the Schrems II decision also impacts transfers of personal data to the UK based on SCCs. Provided that the data is transferred to a country offering a level of data protection that is essentially equivalent to that of the EU, SCCs can still be used without the need for additional measures. However, in light of the foregoing this will most likely not be an option for transfers to the UK. Companies choosing to rely on standard contractual clauses will need to make sure that the SCCs are supplemented with the measures necessary to ensure they can actually be complied with.
When the adoption of SCCs is not a workable alternative (because of the specificities of the business relationship), companies can conclude ad hoc contracts, provided they offer strong guarantees and a framework for the transfer of personal data that is compliant with EU legislation. Such ad hoc contractual clauses must however first be reviewed by the European Data Protection Board and be authorized by the relevant data protection authority, in order to ensure that the level of protection of the personal data transferred is sufficient.
- Binding Corporate Rules
For a multinational group of companies, another option would be to draft Binding Corporate Rules (“BCRs”). BCRs are legally binding and enforceable internal rules and policies for data transfers within the group of companies, allowing personal data to be transferred from the EEA to affiliates located outside of the EEA in compliance with the GDPR. BCRs can be tailored more closely to the needs of the business and are much easier to maintain than SCCs in intra-group contracts.
Binding corporate rules must be approved and overseen by the lead supervisory authority, following an opinion of the EDPB. However, note that the ICO will no longer be considered a supervisory authority under the GDPR, so the approval of another supervisory authority within the EEA will be required for BCRs to be a valid mechanism.
Although not in scope of the Schrems II decision, the approval of BCRs will also be impacted by the decision, in the sense that, when approving BCRs, the supervisory authority must be convinced that the group companies, including those in the UK, are required and able to comply with the safeguards included in the BCRs. The consideration that SCC-based transfers to the UK might not be compliant on grounds related to surveillance laws comparable to those applicable in the US would equally apply to transfers to the UK based on BCRs. An important difference between SCCs and BCRs, however, is that the assessment of the adequacy of the safeguards in BCRs rests with the supervisory authority, while companies using SCCs must carry out the assessment themselves and can be held accountable for it.
- Article 49 derogations
In accordance with article 49 GDPR, certain types of data transfers can be executed pursuant to specified derogations. It must be underlined, however, that these must be treated as what they are, namely ‘derogations’. This means that they can only be applied as an exception to the rule of having to put in place appropriate safeguards or transfer the data based on an adequacy decision. They must thus be interpreted restrictively, can only relate to processing activities that are occasional and non-repetitive, and must take place in accordance with the conditions foreseen for them.
Personal data may be exported if the data subject provides explicit consent to the data transfer after having been provided with all necessary information about the risks associated with the transfer due to the absence of an adequacy decision and appropriate safeguards. Occasional transfers necessary for the performance or the conclusion of a contract with an EU data subject, or in the interest of the individual, may also be possible, as are transfers which are necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims. Guidelines on the application of these derogations have been set out by the EDPB in its Guidelines 2/2018.
- Codes of Conduct and certification mechanisms
Although there is little evidence of their actual use today, the GDPR recognizes Codes of Conduct and certification mechanisms as valid mechanisms for the transfer of personal data outside of the EEA. This is on the condition that they go together with ‘binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards, including with regard to data subjects’ rights’. Taking into account the recent Schrems II decision, there might however be some movement in this area in the near future.
- Storage and processing of personal data within the EEA
Last but not least, companies should consider re-evaluating their transfers to the UK to determine whether these transfers are really necessary (i.e. is there a possibility to replace them with an EEA alternative?) or at least carry out a data minimization exercise.
KEEP CALM AND CONTACT CRANIUM
It seems international data transfers to the UK are a very uncertain and thus worrisome topic for many EU companies. Considering the unlikelihood of an adequacy decision and the absence of a clear EU-level solution, EU companies may find themselves spending outrageous amounts of time and resources on finding an acceptable approach.
At CRANIUM we unburden our customers by implementing a sound structure and a strategic, risk-based approach that allows them to focus on their business instead:
- As a first step, we perform a scan of your company. This will give you an overview and will allow us to review the available existing EU data transfer mechanisms for you on a case-by-case basis.
- Secondly, we offer many CRANIUM solutions that can minimize or exclude the risks for your company:
  - EU representative: never underestimate the power of a first impression! Complete our test and see whether you need to appoint an EU representative as a first contact point for the supervisory authorities and data subjects.
  - Audit: your processor or supplier might be your weak link… Check whether your suppliers and processors comply with the GDPR and in particular with the requirements for international data transfers.
  - EU safe haven solutions offered by CRANIUM: rest assured now and in the future!
    - A light-weight solution to move UK servers and applications to the EU;
    - An EU alternative to Google Analytics with functionality that is 95% the same.
Contact CRANIUM for more information via firstname.lastname@example.org