Memorandum on Personal Data Flow After Brexit
Agnieszka Sciegosz, Senior Legal Specialist, Attorney at law KCR
The insight below describes the key points relating to cross-border personal data transfers affected by Brexit, as well as the practical steps that our clients operating in both the UK and the EU should consider.
The United Kingdom formally departed from the European Union on Friday, January 31, 2020 (Exit Date) on the basis of a UK-EU deal called the “Withdrawal Agreement”. The deal ensures legal consistency in data protection laws and the free flow of data in both directions throughout the transition period that began on the Exit Date and will last until December 31, 2020.
During this time, the UK remains subject to the General Data Protection Regulation (GDPR) and related EU laws on data protection. The UK Data Protection Act 2018 (based on GDPR) will remain in place as GDPR supplementary legislation. What is more, any new EU laws that come into force during this time will also apply in the UK. The only significant exception is that the UK will no longer participate in EU decision-making or in the activities of EU bodies.
What will really change on January 1, 2021?
Upon the lapse of the transition period, GDPR will cease to have direct effect in the UK and the UK will be considered a “third country” by the EU (like the U.S., Australia or Israel). Any personal data transfers from the EU to the UK will need to be subject to the same safety mechanisms used to legitimize the transfer of personal data outside the European Economic Area (EEA), e.g. by putting in place a contract between the EU-based sender and the UK-based receiver on EU-approved terms, known in the EU as “standard contractual clauses”.
In respect of data transfers from the UK to the EEA, the UK declared that it will permit data flows to other EEA countries without additional safety measures in place.
In respect of data transfers from the UK to other countries, the UK law will keep similar restrictions to those contained in the GDPR in relation to transfers outside the EEA. The European Commission could make an adequacy decision for the UK, which would constitute the primary basis for data transfers from EEA. However, deciding that a third country offers an adequate level of protection will require preparation and a comprehensive survey of the third country’s justice system and it is hard to assess whether such solutions will be possible during the transition period.
Most importantly, formal negotiations on new partnership agreements with the UK are set to begin in March 2020, but, according to political declarations, issues related to personal data transfer will not be covered thereunder.
The Withdrawal Agreement agreed with the EU in January 2020 ensures that the UK is able to fulfill its international obligations and that the movement of personal information across borders is not affected during the first 11 months following the Exit Date. The Withdrawal Agreement states specifically that during this time:
· The GDPR and related EU privacy laws continue to be applicable in the UK;
· Any and all changes in EU law are to be followed by the UK;
· The UK will not be subject to restrictions on data transfers and will not be discriminated against by EU Member States;
· EU residents will not lose protection when it comes to the personal data collected in the UK. The GDPR rules will continue to be applicable within the UK to any personal data that have their origin within the EU, if the processing activities started before 31 December 2020.
2. Data transfers from UK to EEA and to the US (from January 1, 2020)
The UK declared that following Brexit, it does not intend to apply additional restrictions on transfers of personal data from the UK to the EEA and it will allow for the continued free flow of personal data. Most recently, however, the UK government declared that it will conduct assessments of the EEA countries under an independent international transfer regime, which means that the smooth data transition in a post-Brexit world may be interrupted.
For the time being, controllers and processors from the UK can rely on the UK government’s declaration that all EEA countries are adequate for the purposes of personal data flows and that additional safeguards are not required.
The UK Data Protection Act 2018 (based on GDPR) will remain in place with minor amendments to reflect Brexit.
3. Data transfers from the EEA to the UK (from January 1, 2020)
In February 2020, the EU announced that it will work on the future partnership with Great Britain and Northern Ireland. According to political declarations, the new trade deal is expected to have limited scope (only certain goods; the free movement of data will not be covered), or there will be no deal at all. Therefore, personal data flows from the EEA to the UK will be restricted.
The UK will become a ‘third country’ for EU data protection purposes. Data controllers and data processors operating in EEA will need to adopt specific legal safeguards to support the lawful transfer of personal data to the UK, consistent with GDPR.
The UK declared that they will prepare an independent policy on data protection at the end of the transition period and would like to be recognized within the EU as providing adequate levels of data protection based on the European Commission’s adequacy decision to maintain the continued free flow of personal data from the EU to the UK.
Under the GDPR, alternative legal bases for transfers of personal data outside the EEA also include:
· Standard contractual clauses (SCCs) which are approved by the EU as a legal basis to safeguard the transfer of personal data to third countries;
· Binding Corporate Rules that allow the transfer of data between the company located inside and outside the EU;
· Approved Codes of Conduct, or approved certification mechanisms.
4. Data transfers from the UK to the US (from January 1, 2020)
From January 1, 2021, a company that relies on Privacy Shield when transferring personal data between the US and the UK will need to cooperate with the UK Information Commissioner’s Office (ICO).
An organization that does not modify its commitment as required by the US will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after the end of the transition period.
5. What to do now?
In order to achieve compliance with the new post-Brexit regime, we encourage you to do the following:
· Use the transition period as an opportunity to prepare any needed updates to your privacy documents;
· Identify where you receive data from within the EU or where you transfer data to the EU, so that you can name the basis for those transfers;
· Review your documentation for transferring data, such as privacy information, to identify content that will need updating after the end of the transition period (including contact details of your data protection officer, local representative and/or supervisory authority);
· Check if all references in your international contracts are updated to reflect the post-Brexit position of the UK being outside the EU;
· Continue to monitor further updates and/or guidance on UK withdrawal from the EU;
· Seek external legal advice where necessary in relation to processing of personal data.
What will happen with data flow after December 31, 2020?
About the Author:
Agnieszka Sciegosz, attorney-at-law, is a Senior Legal Specialist at KCR CRO with over 8 years of professional experience.
Her area of expertise includes personal data protection, employment law and compliance matters. She regularly advises on implementing GDPR-compliant policies and privacy issues relating to clinical trials. She is also an experienced contract negotiator and trainer.
In case of any questions on how Brexit will affect personal data flow in your studies, you may also reach out directly to our Team at: firstname.lastname@example.org.