17 December 2020
Data Protection In A Post-Brexit World
The end of the UK’s membership on 31 January 2020 made little change to the data protection rules in the UK. Thanks to the European Union (Withdrawal) Act 2018, much of the GDPR (on which see our post here) continued to apply until the end of the transition period and is supplemented by the Data Protection Act 2018. However following the end of the transition period on 31 December 2020, UK data protection is legislated independently by the UK, with third country adequacy rating by the EU.
The ICO (Information Commissioner’s Office) has published guidance (available here) for small and medium-sized enterprises seeking to ensure the free flow of data from 1 January 2021. We set out below some of the most important considerations for businesses which exchange data, both nationally and internationally.
Which Data Transfers Are Affected?
Under the UK data protection rules, the UK Government will have the power to make adequacy designations of the data protection legislation of other countries or organisations. It has been confirmed that transfers from the UK to the European Economic Area (i.e. the EU plus Norway, Iceland, and Liechtenstein), are not be restricted after the end of the transition period. This means that UK companies do not need to change the way they export data to the EEA as long as they are compliant with current GDPR legislation.
Transfers from the EEA to the UK are subject to EU GDPR legislation, which allows for the EU to formally recognise a third country’s data protection laws as ‘adequate’. The DPA 2018 and the introduction of UK GDPR aim to reassure the EU that the UK’s data protection regime post-2020 will meet these requirements, however an EU adequacy decision is likely to be dependent on the outcome of ongoing trade negotiations between the EU and UK, and other factors including the UK’s membership of the Five Eyes intelligence-sharing community.
What Data Transfer Mechanism Will Be Available?
If the UK’s data protection regime is not deemed adequate by the EU immediately following the end of the transition period, it will default to being designated a third country with regards to data sharing. Third country firms seeking a transfer mechanism by which to receive data from EEA firms sometimes put in place a contract between the two entities based on terms approved by the EU, otherwise known as Standard Contractual Clauses (SCCs). These approved clauses set out the scope for the data’s use and ensure the rights of individuals whose personal data has been transferred, and offer a remedy to them.
Following a European Court of Justice judgment commonly referred to as Schrems II, data transfers governed by SCCs might be subject to additional safeguards where the importer cannot guarantee an equivalent standard of data protection to that of the EU. Parties to a contract involving the transfer of personal data from the EU should therefore seek legal advice on conducting a transfer impact assessment and if necessary, adopting supplementary measures such as stronger encryption of data and redress mechanisms to ensure data security under EU law.