International transfers of personal data have long caused difficulties for businesses. In a cloud computing based world, businesses often don’t fully understand the cloud storage, SaaS and marketing services they use, failing to realise, for example, that their email marketing service transfers the personal data of all their customers to the US without any lawful basis or safeguards, and therefore in breach of data protection laws.
Things are about to get even more difficult. Not only is a no-deal Brexit looming large on the horizon, we also had the Schrems-II decision from the CJEU in the summer, which invalidated the EU-US Privacy Shield. This decision was supplemented by the recent publication by the European Data Protection Board (EDPB) of draft recommendations on supplementary measures for international transfers. The draft recommendations, currently open for public consultation, also include updated draft standard contractual clauses (SCCs) from the European Commission, providing drafts of the long-awaited processor-to-controller and processor-to-processor versions of the SCCs, all with a one-year transition period for getting the new SCCs in place once they achieve approved status. The EDPB draft recommendations also set out the ways in which SCCs can be used and the due diligence and additional steps required of businesses before implementing SCCs as the appropriate safeguard to make international transfers of personal data lawful under the GDPR.
If a deal is struck ahead of 31 December 2020 and a data protection adequacy decision is granted to the UK by the EU, then, for as long as the adequacy decision stands, data flows would be able to continue between the UK and EEA without additional measures.
Although the UK has stated it will incorporate the EU-GDPR into UK law at the end of the transition period, as the UK-GDPR sitting alongside the DPA 2018, the various derogations from the EU-GDPR protections included in the DPA 2018 and the powers for the UK Government to carry out surveillance mean that UK law is not fully equivalent to European levels of individual data protection. As such, and taken together with the real possibility of a no-deal Brexit, the chances of an adequacy decision being granted by the European Commission ahead of the end of next month seem low.
If there is a no-deal Brexit, or a data protection adequacy decision is not forthcoming as part of a deal, then the UK will become a third country for the purposes of data protection transfers. As such, transfers of personal data between the UK and EEA will become restricted, and businesses will need to identify and put in place appropriate safeguards to ensure those personal data transfers remain lawful from 1 January 2021.
How you might be affected
If you are a UK-only company, processing UK personal data only and using only UK-based processors, and you are already compliant with the GDPR, then you don’t need to do much more than review and update your policies and contracts to ensure that any references to the EEA carve out the UK as needed. The UK-GDPR and DPA 2018 will be your applicable laws.
UK to EEA Transfers
If you are a UK company, already compliant with the GDPR and only transferring personal data of UK data subjects to the EU (e.g., using EU-based processors), the UK Government has so far indicated that there is no need to have additional measures in place (effectively, the UK recognises the EEA’s data protection laws as adequate). Similarly, if you are transferring UK personal data to a country with a current valid EU adequacy decision (e.g., Canada, New Zealand, Israel), that data can also continue to flow without additional measures. So, for the time being, you just need to update your policies and contracts and keep watch for developments or further statements by the UK Government and ICO. The UK-GDPR and DPA 2018 will be your applicable laws.
EEA to UK Transfers
If you are a UK company transferring personal data from the EEA to the UK, then you need to act now. This applies if you are a business targeting EU citizens as customers, or if you are a provider of processing services (e.g., a SaaS provider) based in the UK processing EU personal data on behalf of your customers. You may need to appoint an EU representative if you don’t have a group company based in the EU. You may also need to put in place appropriate safeguards for the transfers of EU personal data into the UK. For many businesses receiving EU data from another organisation, the most appropriate solution will be entering into standard contractual clauses with the EU organisation. A key point to note is that the EDPB last week issued new SCCs as part of its guidance on international transfers, so any SCCs you sign now may need to be replaced before the end of 2021 with the new model clauses. The EDPB recommendations also make clear that SCCs alone are not enough: if local laws in the destination country impede the effectiveness of the transfer tool, supplementary measures have to be implemented or the transfers stopped. The UK-GDPR and DPA 2018 and the EU-GDPR will all be your applicable laws; you must comply with both regimes and keep up to speed with developments in both (and watch out for the upcoming replacement e-Privacy Regulations coming into force and affecting e-marketing, cookies etc.).
Other International Transfers
If you are a UK company transferring personal data from the UK to locations outside the EEA, you should already have appropriate safeguards in place for the transfer to be lawful. This might be on the basis of an adequacy decision from the European Commission in favour of the destination country, or alternatively standard contractual clauses with the data recipient(s) in the destination country. Current statements from the UK Government and ICO indicate that such transfers will continue to be lawful. However, it is important to review those transfers in the light of the Schrems-II judgment and the EDPB draft consultation: ensure that your data transfers were not reliant on the now-invalid EU-US Privacy Shield, and carry out an analysis of whether the destination country’s laws are such that you need to put in place additional measures as recommended in the EDPB consultation. Keep in mind the guidance issued by, for example, the Berlin data protection authority and the Irish data protection commissioner that transfers of personal data to the US may not be lawful even under SCCs, due to the high levels of US government surveillance. If your personal data transfers to the US are not essential, it might be a good time to consider stopping them, given the additional administrative and security burden involved in taking the additional steps now being recommended by the EDPB to ensure that transfers under SCCs are lawful.
- understand personal data flows and locations
- review contracts and policies
- identify which laws are applicable to your data flows
- carry out due diligence and enter into SCCs where appropriate
- update contracts and policies
- appoint a European representative if needed
- on-shore where needed – it is particularly important to eliminate transfers of personal data to the US regardless of Brexit, given the statements from the CJEU in Schrems-II and the draft consultation from the EDPB
- consider knock-on effects of Brexit regarding your appointed supervisory authority, and the location and language of your data protection officer
- keep up to date with developments on Brexit and on divergence between EU and UK data protection laws
- look out for the new form SCCs being adopted and approved by the European Commission