23/02/21
The Brexit deal clarifies how trade relations between the European Union (EU) and the United Kingdom (UK) will look from 1 January 2021. However, one of the issues that has not yet been agreed is the movement of personal data between the EU and the UK. 'Even if your organisation is GDPR compliant now, you should consider what the Brexit deal means for your data protection framework and what preparations you need to make,' warn PwC experts Bram van Tiel, Yvette van Gemerden and Sandra Mochèl.
The deal simply does not settle the question of data transfers between the EU and the UK. Instead of an agreement, another transition period applies. When it comes to the transfer of personal data, the parties agreed that the UK will not be treated as a third country by the EU during a grace period of six months. This means that personal data can be transferred to the UK on the basis of the GDPR until 1 July 2021. The question that remains to be answered is what will happen after this grace period.
In recent months the European Commission has assessed the law and practice of the UK on personal data protection. The results of this assessment are published in two draft adequacy decisions for the UK: one under the GDPR and the other under the Law Enforcement Directive. In the draft decisions the European Commission concludes that the UK provides an adequate level of protection for personal data. The next step towards formal adoption of the draft adequacy decisions is for the European Data Protection Board to provide a non-binding opinion on the Commission's conclusions. After that, a committee of representatives from the member states has the final say on whether the draft decisions can be formally adopted.
Taking these procedures into account, two scenarios are possible after the grace period ends on 1 July 2021. In the first scenario, the European Commission decides to adopt (the final version of) the draft adequacy decisions, thereby recognising that UK law provides a level of data protection that matches the GDPR. In the second scenario, no final adequacy decision is adopted and alternative data transfer mechanisms are necessary for the transfer of personal data to the UK.
Personal data is not protected everywhere in the world at the level we are used to in the EU. Within the EU, one set of rules applies: the GDPR. That is why it is possible to process personal data, or have it processed, in, for example, Finland or Cyprus. Different rules apply to transfers to a country outside the EU. Third countries are all countries outside the EU, with the exception of the countries in the European Economic Area (EEA): Iceland, Liechtenstein and Norway. Transfer of personal data from the Netherlands to a third country is in principle only allowed if the third country offers an adequate level of data protection.
The European Commission can adopt an adequacy decision if a third country provides an appropriate level of data protection in its national law. This means that the European Commission has determined that the country offers a level of data protection comparable to that of the GDPR. The list of countries with an appropriate level of protection can be found here.
Since the UK will qualify as a third country after the six-month grace period, the EU can designate the UK as a safe country by means of an adequacy decision. The EU thereby determines whether a third country offers a level of privacy protection equivalent to that of the EEA, ensuring the free flow of personal data. However, whether the European Commission will indeed deem the UK an adequate country before the end of the six-month grace period remains to be seen.
If no adequacy decision is formally adopted before the end of the grace period, this will have serious consequences for organisations. Should the transition period expire without further agreements being made, European organisations will not be able to ensure that data transfers to the UK comply with the GDPR. Alternative transfer mechanisms, such as Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR), must then be implemented to enable the transfer of personal data from the EU to the UK.
The SCC are in fact model contracts approved by the European Commission and provide the additional, contractual safeguards for data protection when personal data is transferred from the EEA to a third country.
However, SCC cannot simply be put in place on their own. Since the Privacy Shield was invalidated, an assessment is needed of the privacy risks that may arise when public authorities of the country to which the data is transferred gain access to the personal data, and of how such risks can be mitigated.
The European Data Protection Board has drawn up guidelines setting out how to identify and assess the risks of third countries. It is expected that new SCC will be introduced in the foreseeable future. It is important to keep a close eye on these developments as well.
BCR are the policy of a group of companies for the protection and internal sharing of personal data. Within the group, appropriate safeguards are provided for the transfer of personal data within and outside the EEA.
Check whether the UK privacy regulator (ICO) has been designated as the lead supervisory authority for your BCR. If so, a new lead supervisory authority should be designated for the BCR.
If you want to implement BCR, the Data Protection Authority (DPA) must first approve them. However, the indicated waiting period for approval of BCR by the Supervisory Authority is five to seven years. For this reason, BCR do not offer a short-term solution, but they are a robust long-term solution for multinationals that want to share personal data with offices around the world.
Without an adequacy decision, the transfer of personal data from the EU to the UK needs alternative transfer mechanisms. In most cases, it would be necessary to put Standard Contractual Clauses in place for every transfer of personal data. As an organisation, you can prepare yourself during the grace period by following these five steps to anticipate the potential outcome that the UK is not deemed an adequate country:
Organisations should prepare for the undesirable situation that there is no adequacy decision after the grace period ends, if they haven't already.
The PwC Brexit specialists can help you determine the exact criteria that need to be met. They can also assist in setting up processes to ensure your business meets the new requirements for EU-UK data transfers.