Data Governance

Cross Border Data Transfers post December 2020

Now that Boris has so triumphantly “Got Brexit Done” it falls to UK business to work out what that really means.

The UK is no longer a member of the European Union but, thanks to the transition arrangements set out in the Withdrawal Agreement, you might think that very little has changed.

From a data perspective you’d be right – the ICO (the UK data protection regulator) has made it clear that, until the end of December 2020, the position remains the same as before Brexit. Personal data can still be transferred to and from the EU “as if” the UK were still a member state.

The question that raises, however, is – what happens after the end of this year? And what should UK business be doing about it?

One key issue is that of transfers of data – to what extent will businesses still be able to transfer data into and out of the EU?

Pre-Brexit and until 31 December 2020

Under the current law, whenever a business transfers personal data outside the EEA that business must ensure that there are “adequate safeguards” in place for that transfer.

The safeguards available are as set out in the GDPR and include, for example, putting in place Standard Contractual Clauses (SCCs) or (for intra group transfers) setting up Binding Corporate Rules (BCRs). 

Those safeguards are not required where an exemption applies or where the European Commission has made an adequacy decision about the country involved.

From 31 December 2020

At the end of the transition period it is anticipated that a UK version of the GDPR will set out a similar set of rules covering transfers outside the UK. 

Transfers from the UK to countries within the EEA

In its guidance the ICO (the data protection regulator in the UK) has suggested that there will be different rules in place for transfers (i) to the EEA and (ii) to other countries.

For transfers from the UK to the EEA, it is anticipated that UK law will permit the flow of data from the UK to other EEA countries without restriction or requiring additional safeguards. Data can therefore continue to be sent to the EEA without additional measures being put in place.

Transfers from the UK to countries outside the EEA

For transfers from the UK to other countries, similar restrictions will apply as are contained in the GDPR in relation to transfers outside the EEA. 

The ICO’s guidance confirms that where a safeguard has previously been put in place under the GDPR for a transfer outside the EEA, UK business will be able to continue to rely on that mechanism.

Adequacy decisions made by the European Commission before Brexit will also continue to be recognised by the UK government going forwards and SCCs and BCRs put in place prior to 31 December will continue to apply.

That is certainly helpful for businesses that do not need to put in place additional measures to cover the same transfers after Brexit. It does suggest, however, that if you don’t yet have measures in place for transfers outside of the EEA then, after 31 December, you could find yourself in breach of both the UK and EU versions of the GDPR.

For transfers to the US, the Brexit Guidance confirms that although the EU/US Privacy Shield will need to be modified, organisations can continue to rely on it in the meantime.

Transfers from the EEA to the UK 

The EU version of the GDPR will also continue to contain restrictions on transfers of personal data outside the EEA. Following Brexit, any transfers from the EEA to the UK will be subject to those restrictions – meaning that UK businesses, in order to process data about individuals in the EEA, would need to have adequate safeguards in place. This means that many businesses will need to get Model Contract Clauses in place.

The UK government has indicated its intention to seek an adequacy decision from the European Commission for the UK.   However, in order for that to be granted, the European Commission will need to recognise the UK’s data protection regime as “essentially equivalent” to that of the EU.  This is likely to be the subject of negotiation over the coming months. 

Transfers from other countries to the UK

To the extent that the UK is receiving personal data from other countries outside the EEA, any applicable restrictions will likely depend on the local law of the country that the data is transferred from.

Brexit will, however, have an impact on any transfers to the UK from countries which are subject to an EU adequacy decision, which include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay and the USA (under Privacy Shield only). In order to be deemed adequate under that EU adequacy decision, those countries are likely to have their own legal restrictions on making transfers of personal data to countries outside of the EEA. Following Brexit, any transfers from those countries to the UK will therefore be subject to those restrictions.

As with transfers from the EU, therefore, UK businesses are likely to need to get model contract clauses in place (or an alternative safeguard where applicable) with these non-EU countries.

In summary, in order to prepare for the end of the year UK business should consider getting model clauses or an appropriate safeguard in place wherever it receives personal data from the EU or a country with an adequacy decision.  In respect of non-EEA jurisdictions UK business may also want to seek local advice.  A summary of the different positions is set out in the table below. 

Richard Nicholas and Lauren Webb – data lawyers at Browne Jacobson LLP

About the authors

Richard Nicholas advises public and private sector clients on complex commercial, technology, digital and outsourcing agreements projects, related outsourcing, e-commerce and consumer law and data protection issues.  He is a regular speaker on data protection issues to organisations including the CBI (Confederation of British Industry), CompTIA (the Computing Trade and Industry Association) and the Chambre des Notaires de Paris. He has also been interviewed by national television networks on data protection issues.

Lauren Webb

Lauren specialises in data protection and privacy matters, regularly advising clients in the public, private and charities sectors on data protection compliance issues, including a number of well-known brands. She assists clients on both contentious and non-contentious data protection matters, ranging from privacy by design issues relating to the data protection implications of the introduction of new technologies and processes to liaising with the ICO on behalf of clients to defend data processing activities following complaints received from individuals.

About Browne Jacobson:

Browne Jacobson is a national law firm offering specialist legal advice in the business, education, government, health and financial services sectors from its offices in Birmingham, Exeter, London, Manchester and Nottingham.