FAQs on data flows after the transition period
The UK has applied for an adequacy assessment from the EU. If granted in full UK businesses will be able to continue to exchange personal data with the EEA based individuals and companies without taking extra steps beyond complying with UK data protection rules.
The UK and the EU committed to reaching a decision on adequacy by the end of the transition period on 31 December 2020. However after agreeing a Trade and Cooperation Agreement the UK and EU have in effect extended the transition period for data for up to an additional six months in order to finalise a data adequacy agreement.
techUK has provided an explainer on Data, adequacy and the future relationship, which you can read here. Guidance from the UK Government can be found here.
However, if adequacy is not granted the UK will need to exchange data with the EU on third country terms.
At the moment as both the UK and EU have similar rules based on the GDPR there are clearly defined processes for transferring data requiring the use of appropriate safeguards, such as standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs).
The ICO provides detailed information on appropriate safeguards, as well as examples of model clauses which can be used here.
In the preparations for the end of the transition period the UK Government has stated that it will automatically recognise the EU as adequate for data transfers. This means that outbound transfers of data from the UK to the EEA will not be restricted as long as UK data protection rules are followed.
However, the EU has made no such commitment meaning that appropriate safeguards would be needed for inbound transfers, from EEA based entities to the UK. If these were not followed EEA based entities could be investigated and fined by the data protection authority of the host member state.
UK companies and their business partners in the EEA will therefore need to check their existing contracts and review any new contracts/bids to ensure that these safeguards are included and that they are sufficiently robust to reassure potential business partners that they will not fall foul of data protection authorities.
Failure to do so or increase the confidence in these measures from UK companies will mean that UK tech firms will be at a competitive disadvantage to companies based in the EEA.
techUK has provided answers to some frequently asked questions on data and the end of the transition period below.
Please note the below should not be taken as advice from techUK to individual businesses. Business preparing for the end of the transition period should seek to follow Government guidance and, where needed, independent legal advice.
What is personal data?
Personal data is found in all organisations and relates to information that can potentially identify an individual.
It can be as simple as information such as names, addresses and bank account numbers, or the more obscure such as an individual’s behaviours and shopping habits. The flows of personal data between organisations is an essential part of any business operation. Such data can be held across different departments in an organisation, with high volumes typically found in HR (e.g. payroll information), marketing and sales departments.
Will the GDPR still apply after the transition period?
The GDPR, as EU law, does not apply to the UK after it ceases to be an EU member.
However, the GDPR has extra-territorial scope, which means any business operating in the UK that:
- Continues to offer goods and services to the EU, or
- Monitor the behaviour of individuals in the EU
The GDPR will apply to the UK as it does to other non-EEA countries, given its extraterritorial reach. It will also apply to organisations in the EU from whom you may receive personal data.
After the transition period businesses solely providing services to UK citizens and operating in the UK will be regulated Data Protection Act 2018 (DPA 2018), instead of the GDPR.
In practice there will be little change to compliance in the short term, as the DPA 2018 is almost identical to the GDPR. With time there may be divergence as UK and EU laws develop independently in the long term.
Can I still transfer personal data to and from the EU after the end of the transition period, even if the UK does not get adequacy?
Yes. In relation to outward transfers to Europe, the UK Government and ICO have made clear that they consider the EU as providing acceptable level of privacy protection and intend to enable data to flow from the UK to EEA countries without any additional measures.
In relation to inward transfers (from Europe to the UK), the most preferable outcome and the one that has been discussed to the greatest extent is the granting of an adequacy decision to the UK. As it is unlikely that adequacy can be adopted immediately after 31st October, businesses will need to implement additional measures to sustain transfers from the EU into the UK. These include:
- Standard Contract Clauses (SCCs)
- Binding Corporate Rules (BCRs)
There are also exceptions where transfers can take place without an adequacy decision or mechanism described above. These exceptions are limited and mainly relate to transfers which are occasional and non-repetitive. The EDPB has clarified that transfers happening more than once outside ‘regular course of actions’, but not at a regular basis, can fall into the exception.
What is a Standard Contractual Clause?
SCCs are one mechanism through which data can be transferred internationally. They are standard data protection contractual clauses adopted by the European Commission that are recognised to provide sufficient safeguards to allow for data to flow out of the EU.
SCCs are relatively easy to implement, and can be put in place via contract between the sender and receiver of the personal data. Template SCCs can be found on the ICO's website.
How will the end of transition affect data flows between the UK and other countries outside the EEA?
a) To and from countries covered by the EU's adequacy decisions:
The UK government recognises EU adequacy decisions, and will allow transfers to continue to be made to countries covered who have had adequacy decisions granted.
Senders of data from countries which are covered by an EU adequacy decision into the UK will need to consider how their transfer complies with its own local laws and if such transfers comply with the conditions for adequacy.
b) To and from all other countries:
New transfers post-transition will need to comply with DPA 2018 and any guidance issued by the ICO on international transfers.
Under DPA 2018, the UK Secretary of State also has the power to decide on whether there is an adequate level of protection of personal data in each country, the assessment of which may take several years. Senders of data from other countries will also need to consider how their transfer complies with its own local laws.
What impact does the recent Schrems II ruling from the CJEU have on adequacy?
The ruling in the Schrems II case does not have an effect on the UK’s adequacy decision. Additional information on the impacts of the Schrems II case on the EU/US Privacy Shield and SCCs can be found here through the ICO.
Will the Privacy and Electronic Communications (PECR) still apply?
Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) is the domestic UK legislation that implements the ePrivacy Directive into domestic law. Thus, it still applies post-transition.
The ePrivacy Directive harmonised and updated EU privacy protections in relation to electronic communications.
Accordingly, the PECR covers rules on personal data in the context of marketing communications, tracking of personal information on electronic services and security of communication services, regardless of the technology used.
Guidance from the ICO on the PECR can be found here.
I am part of a multinational group, what are the rules for intra-group transfers across borders?
The rules for transfers and to outside third parties do not differ, as each entity in the group is considered a separate and distinctive party in the eyes of their respective national Supervisory Authority (SA).
Organisations should seek to rely on mechanisms such as Standard Contractual Clauses (SCCs) (for inter group agreements) or Binding Corporate Rules (BCRs) to send and receive data in a multinational group.
BCRs are a set of rules (policies) for data transfers within multinational companies and are ideal for those operating complex international data transfers.
With regards to implementation, they are typically costly and require ongoing maintenance, with any amendments subject to approval from the relevant SA.
This process, which involves in depth assessment and review by the lead SA in co-operation with others, can take 12-36 months and requires significant upfront investment. Businesses will need to prove to SAs that high levels of data protection are embedded consistently and robustly across its global operations.
The UK Government has stated that they will recognise BCRs authorised under the EU process. However, please note that organisations will need to update EU BCRs by listing the UK as a third country outside the EU.
What steps could I take to prepare for the end of the transition period?
- Map data flows to obtain an overview as to the extent and scope of international data transfers
- Identify and assess key data transfers to understand which should be prioritised (i.e. business critical or relating to special category data) through e.g. Data Protection Impact Assessments (DPIAs).
- Review existing transfer frameworks and consider how they can be maintained post-transition, e.g. review relevant contracts and ensure they include SCCs
- Evaluate existing operations in the EU (including structure and volume of processing) to consider alternative options such as the relocation of data processing centres, use of different suppliers and partners outside of the UK
- Review internal documentation to identify details that will require updating when the transition period ends, including privacy notices, breach notification procedures and third party contracts.
The ICO has further guidance specifically for small or medium organisations.
What could happen if I do not prepare for the end of the transition period?
It is a responsibility of individual companies to comply with data protection rules.
If you fail to comply your data flows could be disrupted and your organisation may lose access to the personal data it needs to operate, possibly leading to the loss of customers, enforcement and fines from regulators and/or the materialisation of contractual liabilities.