With the end of the Brexit transitional period approaching and the increasing likelihood of there being “no-deal”, attention is turning to how UK-based businesses and other organisations with international stakeholders can function effectively from the beginning of 2021. Amongst a range of issues to consider is how the highly regulated area of personal data is impacted. In this article we attempt to simplify the position and explain the steps that organisations need to consider taking.
Our key message is that if you have not already begun to think about this then you need to do so as soon as possible in order to minimise the potential disruption to your work and business.
Example 1: activities within the UK
Let’s start with a purely domestic UK organisation which has all of its customers or key stakeholders based in the UK and is not transferring any personal data outside the UK.
This is straightforward – there is no real change needed from your existing compliance levels, as the UK is adopting the EU’s General Data Protection Regulation (the EU GDPR) into its domestic law from 1 January 2021. The changes that you will need to make will be minimal. For example, your privacy terms issued to customers and employees will need to take out any references to the EU GDPR and simply refer to applicable UK legislation, primarily the UK Data Protection Act 2018 (the UK DPA, which refers to and in effect incorporates the EU GDPR).
Example 2: international activities by UK organisations
However, the reality is that few businesses are purely domestic anymore, and even not-for-profits (whether or not via their trading arms) are likely in many cases to have some connections with the rest of Europe. Here, the position is more complex when it comes to handling the personal data of customers and employees.
To illustrate the position, we are going to take the example of a UK headquartered business selling to consumers in the UK and in the EU online, and through retail stores operated by subsidiary companies in Italy, Germany, France and Spain (we have chosen a business as an example but similar considerations will apply with international supporters, stakeholders, associated organisations etc).
During the Brexit transition period, which ends on 31 December 2020, the EU GDPR continues to apply. However, from 1 January 2021 the main changes you need to prepare for are as follows:
Customers based in the EU will continue to benefit from the protection of the EU GDPR, and that is what the UK parent must comply with in relation to them. UK based customers dealing with the UK parent will be covered by the UK DPA. UK customers dealing with the Continental European subsidiaries will be covered by the EU GDPR.
As things stand, there is no practical distinction between the UK DPA and EU GDPR in terms of what you need to tell customers and their rights, so there is no need for any changes currently in terms of your relationship with such individuals – except to update privacy policies issued to customers to make it clear which regime covers them, depending on where they are located, and which entity within your Group (if applicable) is dealing with them as the relevant data controller.
Relationships with regulators
The UK Information Commissioner (ICO) is likely to be your current lead supervisory authority for data protection across all of your businesses in Europe. This means that if any complaints are made or problems arise anywhere, they will be handled by the ICO.
That certainty will end on 31 December 2020. For the customers (and employees) of the parent company based in the UK, the ICO will continue to be the regulator; however, individuals based in the rest of Europe will be able to turn to their local data protection regulators to handle any complaints or issues. And UK customers dealing with the subsidiaries can refer complaints to the regulators where the relevant subsidiary is located. This could mean you will be dealing with a complex web of multiple regulators without any one of them taking a lead role.
You should ensure that anyone in your wider corporate Group (if applicable) who is dealing with complaints from customers and with compliance issues is aware of this, and that you are capable of acting in a coordinated way across the Group if problems arise.
Because you are dealing from the UK with customers in the rest of Europe (through eg online sales), you will need to appoint an EU based representative to be a point of contact for those customers and for EU based regulators. Similar considerations might apply to supporters or beneficiaries of not-for-profits.
The EU representative must be in one of the countries where you have customers (or supporters, etc). It might make sense to appoint one of your subsidiaries in Italy, Germany, France or Spain to perform this role. Guidance to businesses from the European Data Protection Board (EDPB), the collective body of all EU based regulators, provides that ideally the EU representative should be appointed in a country where the majority of EU based customers are located – but this is not a strict requirement.
It is fair to say that in the first couple of years of the EU GDPR, the obligation for GDPR regulated organisations based outside the EU to appoint an EU Representative has been more honoured in the breach than in its observance. However, in June 2020, in its report on the first two years of the EU GDPR, the EU Commission singled out this area of non-compliance as one for specific focus. So, the rather relaxed approach to this requirement seems to be ending and UK based businesses might become a particular focus for attention from some EU regulators after the end of this year. Also note that under the UK DPA, there is a reciprocal requirement for your EU subsidiaries to appoint a UK representative if they have customers in the UK. It might be most convenient for that to be the UK parent entity.
When you appoint an EU or UK representative you will need to explain who they are and how to contact them in the privacy notices issued to your affected customers.
Sharing and transferring personal data
You will need to consider how your EU subsidiaries can share personal data with you. This is most likely to be data about customers or employees, and “sharing” personal data can be as simple as the UK head office accessing remotely the personal data about customers or employees held by its EU subsidiaries. It also applies to receiving data from partner organisations or contractors in the EU.
The reason to consider this is because the UK becomes a “third country” in EU GDPR terms from 1 January 2021. While this would not affect your ability to transfer data into the EU (because the UK Government recognises such countries as providing adequate protection), your EU subsidiaries, contractors, or partner organisations will need to put in place an EU approved “gateway” allowing transfers from the EU to the UK, starting from 1 January 2021 – unless further transitional provisions are agreed (currently not looking likely). If they do not, then an EU based regulator might block those transfers and apply other sanctions such as fines. Again, this might be an early regulatory focus for some EU regulators.
At the moment the UK is seeking what is known as an Adequacy Decision from the EU Commission which will act as an automatic gateway for any transfers from the EU to the UK. It might be thought that the UK will readily fulfil the necessary criteria of having “essentially equivalent” data protection laws to the EU in light of its past membership of the EU, and the wholesale adoption of EU GDPR into domestic law from 1 January 2021. However, this is not proving straightforward, partly because it is tied up with the overall negotiations of the EU/UK trade deal – now apparently on hold – and because of a recent decision of the Court of Justice of the EU (CJEU) about cross-border data transfers in a case called Schrems II, and in another case involving Privacy International (both of which we refer to in more detail below).
The bottom line is that it is no longer safe to assume that an Adequacy Decision will be granted to the UK by 31 December 2020 or at all. Without it, transfers of personal data from the EU to the UK will be at risk immediately as from 1 January 2021. We therefore recommend that organisations adopt another gateway mechanism and get it ready to apply as from the beginning of next year.
The most likely candidate for an alternative gateway is Standard Contractual Clauses (SCCs), sometimes called EU Model Clauses. These are, as described, standard clauses drafted by the EU Commission that are entered into between the transferring party (the exporter) and the receiving party (the importer) that are designed to ensure that EU data protection standards are maintained to an essentially equivalent level once the data is transferred.
However, the position regarding the use of the SCCs has been made more complex recently by the decision of the CJEU in Schrems II (see our background article here). In summary, though the Schrems II decision upheld the use of SCCs, it made it plain that, before the transfers take place, the exporter (with the importer’s help) needs to carry out an assessment of whether the laws of the importer’s country will put at risk the essentially equivalent level of protection which the SCCs are designed to confer.
Again, it might be thought that this assessment would be straightforward as the UK has and will continue to apply EU GDPR. However, some commentators have cited as a cause for concern the UK’s law enforcement and national security laws, and its arrangements for sharing data with America and other third countries as a potential problem. These concerns have been heightened by the separate recent ruling by the CJEU in the Privacy International case, which determined that the gathering of personal data in bulk by UK government agencies for national security and law enforcement purposes is incompatible with EU laws. For the moment a credible assessment needs to be made by the exporter if SCCs are going to be safely relied on, and that assessment should be recorded for future reference in case any EU based regulators or individuals question it.
You should also bear in mind that the EU Commission has indicated that it intends to bring out new versions of the SCCs. However, the timing for this is not clear and may well have been put back by the complexities introduced by the Schrems II ruling. In summary, we do not think it is prudent to wait for new versions of the SCCs to be made available before putting in place a compliant gateway.
In our example, for larger Group companies and those with complex international structures, Binding Corporate Rules (BCRs) might also be another possible gateway. These are intra-group data sharing arrangements approved by EU regulators which are again designed to put in place sufficient safeguards. However, they take a long time to prepare and approve and are an expensive option, meaning that they are really only suitable in practice for a minority. They are in any event potentially subject to the same issues as with SCCs when it comes to considering UK national security and law enforcement provisions.
There are other occasional derogations from the general rule, but these are unlikely to be of use for any regular “business as usual” activities. In any event, it will be the EU-based entities having to make decisions as to the applicability of any such derogation in accordance with the guidance of their own local regulator, rather than a rule or interpretation that your UK office can safely seek to impose on others as a matter of its own judgment.
Note that your contractors (including data processors, such as cloud service providers) based in the EU may be getting in touch with you anyway: for example, to notify the use of SCCs (if they are permitted to vary such terms unilaterally), and/or otherwise seek to avoid putting themselves at risk of breach of contract. This is likely to arise – even though as above you do not need a “gateway” for transfers from the UK to the EU – because of the difficulties they may face in permitting access to the data from the UK, or otherwise sanctioning its return to the UK. Ideally, these conversations ought to have been had before the compliance and practical consequences materialise on 1 January 2021.
Apart from altering Privacy Notices, don’t forget to also update your records of processing to set out the new arrangements you have put in place to deal with the impact of the end of the Brexit transition period. A Data Protection Impact Assessment (DPIA) or other means to record the basis of your risk and compliance assessment, made in respect of international transfers, is advisable.
Further sources of information
You might like to consider the ICO’s Guidance here. We recommend you keep this under review to see if it is updated, particularly as the EU/UK trade negotiations continue over the next few weeks and as regulatory guidance emerges on the impact of the Schrems II decision.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2020