December 31st, 2020 saw the end of the Brexit Transition period for the UK. This inevitably brought a number of disruptive consequences, with many stories exemplifying the knock-on effects, from lorries being stuck at the border to UK TV streaming subscribers no longer being able to access live sport when in the EU following the UK’s departure from the Single Market as of 1st of January 2021.
Personal Data transmission post-Brexit
When it comes to Data Privacy and the status of the UK in respect of GDPR, a different set of dates and critical events apply. At its very simplest, Article FINPROV.10A of the Brexit Trade agreement addresses the interim provision for the transmission of personal data for the United Kingdom by catering for an initial 4-month and maximum 6-month extension of the Transition period with regard to such transmission of data.
In brief, this means that the UK will not be treated as a “Third Country” under Union Law, providing existing Data Protection legislation continues to apply until the 1st July at the earliest. However, it is widely acknowledged that the existing arrangements cannot continue indefinitely.
The “specified period” for this transition extension began on the effective date of the Brexit Trade agreement and will last 6 months, or until the “adequacy decisions” relating to the UK have been adopted by the European Commission (EC). An adequacy decision permits a cross-border data transfer outside the EU, or onward transfer from or to a party outside the EU, without further authorisation from a national supervisory authority (Article 45(1), GDPR).
While the UK announced it will initially treat EEA countries as adequate for the purposes of UK to EEA transfers and will keep this under review, there remains a clear risk that no adequacy decision will be passed prior to the 1st July. This means that after this point, data transmission to the UK would become illegal without the provision of “appropriate safeguards”.
Other key areas where Data Privacy structures have already been affected are:
- The UK ICO (Data Privacy Supervisory Authority) no longer forms part of the European Data Protection Board (EDPB) One-Stop-Shop from January 1st 2021
- Separate EU and UK Data Privacy Representatives are now mandatory for non-established organisations (organisations without an EU presence, but which target or monitor EU individuals, must also understand the impact of the GDPR and have determined an approach to GDPR compliance)
Key considerations for DPOs
Wavestone recommends that DPOs consider the following key responses over the next 6 months:
Issue #1: If there is no EC adequacy decision regarding the UK, but the EEA sender has put in place one of the appropriate safeguards listed in the EU GDPR, the EEA sender will be able to make the transfer to you. For most businesses, a convenient appropriate safeguard is “Standard Contractual Clauses” (SCCs).
Mitigation: DPOs should reach out to all their EU Third Parties to understand what appropriate safeguards are being considered should the UK not be granted “Data Adequacy” status before the end of June. Subsequently, they should carry out a suitable DPIA on the associated risk, including defining key potential mitigation actions.
Issue #2: UK organisations can continue to make transfers of data from the UK to the EEA under UK adequacy regulations.
Mitigation: DPOs should update their documentation and privacy notices to expressly cover those transfers.
Issue #3: Transfers from the UK to other countries can continue under existing arrangements.
Mitigation: No action required in this situation, except where the DPO is concerned that existing arrangements are not fit for purpose.
Issue #4: Obligation to appoint separate EU and UK Data Privacy Representatives to comply with both local UK GDPR and EU GDPR legislation.
Mitigation: Unless you’re the DPO of a non-established organisation, no action is required in this situation. Otherwise, you should carry out a suitable DPIA on the associated risk, including defining key potential mitigation actions focused on establishing EU and UK Data Privacy Representatives in post.
In summary
The interim provision window for the transmission of personal data gives UK companies and DPOs some well-received breathing space. However, there remain questions over what the UK and EU’s long-term approach to this issue will be, despite the EC publishing its draft decision on the adequate protection of personal data by the United Kingdom in the past couple of weeks. By itself, this is no guarantee that an adequacy decision will be passed ahead of 1st July. As such, this will remain a source of concern and interest in equal measure for the coming months until a solution is found.
Against this background, it would be wise for DPOs to consider what mitigation activities they might need to be putting into place!