Adequacy Decision Update -- June 2021
Huzzah! Adequacy is here, we can confirm the UK is adequate!
What does this all mean?
June was a big month in the complex world of Data Protection. On 4th of June new EU Standard Contractual Clauses were adopted (for the secure transfer of personal data to third countries) and can be used from 27th June 2021, and on 28th of June the long-awaited adequacy decisions for the UK were approved.
As a result of the end of the transition period, the EU placed the UK in the belt of ‘restrictive transfer’, meaning the EU would have to review the UK GDPR to see if it meets the same standard as the original. The UK could straight away export data to the EU, but not import it as easily. Data flows between the UK and the EU could continue via a “bridging mechanism” negotiated in the Trade and Cooperation Agreement; however, this expired on the 30th of June. After this date, to import data from the EU to the UK you would have to use a ‘transfer tool’, the Standard Contractual Clauses (SCCs) being the most common.
With 2 days to spare, the adequacy decision on the UK was published. This is great news for UK businesses who receive personal data from the EU (and EEA).
In a recent publication responding to the EU’s adequacy decision, Information Commissioner Elizabeth Denham said:
“Adequacy is the best outcome as it means organisations can carry on with Data Protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently.”
Does this mean things are back to normal?
Almost. While it might feel like we are transferring data much like we did pre-Brexit, we will now be able to make our own decisions on how we change, adapt, and create Data Protection legislation. Considering this, a “sunset” clause was added to the decision allowing the EU to review/renew the UK's position in four years' time.
Can we forget about SCCs and transfer tools?
Oh no, far from it. In fact, it could be the opposite. If you wish to send data outside of the UK and EEA (say to the USA or Australia) you will still have to use Transfer Tools like SCCs. In fact, new court cases are proof that the Transfer Tools alone aren’t enough. The Schrems II case last summer led to the dismantling of the EU-US Privacy Shield, finding that this no longer provides adequate safeguards for the transfer of data between the US and the EEA. The European Data Protection Board (EDPB) now recommends 6 steps to protect Data Transfers, which include implementing a Transfer Impact Assessment.
Watch this space.
As IT and Technology change at a rapid pace, so too must Data Protection. The SCCs have been around for 11+ years now, 8 years before GDPR was thought of! They need updating for a changing landscape of cybercrime and internet espionage. The EU have implemented new SCCs, and it is now up to our own Information Commissioner (the ICO) to help guide and support UK businesses in a way that ensures the safety and security of our data. We at Law 365 will be watching and waiting for any developments. We will be ready to advise and pilot a way through these exciting changes.
Read our original article -- January 2021
It is unlikely that the Brexit deal has resolved the ‘adequacy position’ (see below), and as such from 1 January 2021 the General Data Protection Regulation (GDPR) will no longer apply to the processing of Personal Data of a UK citizen, though it will still apply for EU citizens.
Note: For UK citizens, you still need to comply with the UK Data Protection Act 2018, which incorporates the terms of the GDPR into directly applicable UK legislation.
This means that the practicalities of how you process and record the processing of Personal Data will remain the same post-Brexit for everyone except EU citizens.
How to process EU Citizens’ Personal Data Post-Brexit
- Check your contracts. Do they state that you should not send any Personal Data outside of the EEA? If they do, there will be steps you need to follow in that contract if you are going to ‘send’ their Personal Data out of the EEA and you need to ensure that you follow them.
- Regardless of what is set out in your contracts, if you are going to continue to process EU personal data on behalf of your customer then you will also need to ensure that these Standard Contractual Clauses (SCCs) are executed. They are non-negotiable.
FYI: The data importer is the data processor (usually the ‘Supplier’) and the data exporter is the data controller (most likely the ‘Customer’).
Top tip: These SCCs can be annexed onto contracts if you prefer and you can also enter into ‘side letters’ or any ‘variation document’ to expressly amend your current contract terms to permit you to continue to process the personal data outside of the EU. In any event, the key point is to ensure that both parties execute these clauses.
Will we always have to do this?
We suspect the position may change at some stage. There are already discussions taking place to try to have the UK accepted by the EC as a country which has an ‘adequate level of protection’ – after all we have incorporated the GDPR into domestic law – but only time will tell. The European Commission may wait to see how the UK courts choose to interpret the legislation, as and when any legal actions arise under it, before finalising its position.
If the UK is eventually deemed ‘adequate’ by the EC then no additional action or documentation will be required other than to ensure your commercial contracts continue to reflect the appropriate Data Protection requirements, as set out in the Data Protection Act 2018.