Since March this year we have given a lot of focus to Covid-19 both in our personal lives and also what this means for franchise businesses and the commercial contracts they have entered into, but we are now less than three months away from the end of the transition period following the UK’s departure from the EU.
We need to think carefully about what we can be doing to prepare for the end of the Brexit transition period and how it affects our data protection obligations.
The current position
The UK is currently subject to the General Data Protection Regulation (GDPR), which was incorporated into domestic law via the European Communities Act 1972 (ECA 1972), and to the Data Protection Act 2018 (DPA 2018); the two must be read together.
On 31 January 2020 the UK left the EU and section 1 of the European Union (Withdrawal) Act 2018 (Withdrawal Act) repealed the ECA 1972. At the same time, the Withdrawal Act (as amended) saved most of the ECA 1972, in modified form, until 31 December 2020, the end of the transition period. The GDPR continues to apply during the transition period and, according to the Information Commissioner’s Office (ICO), it is “business as usual for data protection” until then.
Although the repeal of the ECA 1972 allows Parliament to review data protection legislation and to amend or improve retained EU law in the future, care is likely to be taken to ensure that any such amendments cannot be read as reducing the rights individuals currently enjoy under the GDPR. Any reduction in protection could harm the UK’s ability to secure an adequacy decision from the European Commission in respect of its domestic data protection law. The current expectation is therefore that the GDPR rules will continue to apply in substance.
To achieve this, secondary legislation has already been passed: at the end of the transition period the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (DP Exit Regulations) will take effect. The DP Exit Regulations create a new UK GDPR, and the GDPR as it continues to apply in the EU will be referred to in the UK as the EU GDPR. The DP Exit Regulations merge the EU GDPR and the applied GDPR that arises under the DPA 2018 into the UK GDPR, with the aim of replicating the key features of the EU GDPR.
What changes will be made?
1. The Secretary of State takes on the power, in consultation with the ICO and the European Data Protection Board (EDPB), to designate a third country or international organisation as providing an adequate level of protection for personal data for the purposes of the UK GDPR.
2. The Secretary of State may approve standard contractual clauses (SCCs) and may delegate this to the ICO. Following the decision of the European Court of Justice in Schrems II, care needs to be taken to assess SCCs on a case by case basis to ensure that they adequately protect the rights of the data subject in the destination country.
3. The DP Exit Regulations revoke, as a matter of UK law, the EU’s existing adequacy decisions and SCCs, but insert transitional provisions into the DPA 2018 for adequacy decisions, SCCs and Binding Corporate Rules so that these can continue to be relied on for transfers of personal data out of the UK.
4. The ICO will no longer be a party to the EU GDPR consistency mechanisms and will no longer sit on the EDPB.
What does this mean for transfer of personal data?
At the end of the transition period the UK becomes a third country, which will affect data flows from the EU to the UK. Personal data may only be transferred from a controller or processor in the EU to a recipient in a third country (including the UK) if one of the following applies:
1. the recipient country is the subject of an adequacy decision issued by the European Commission. The UK does not currently have an adequacy decision, but current indications are that the European Commission will endeavour to adopt a decision on the UK by the end of 2020 if it is satisfied that the UK data protection regime adequately protects personal data;
2. the controller or processor has provided appropriate safeguards, such as:
(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules that are legally binding on, and applied and enforced by, every member of the corporate group concerned;
(c) standard contractual clauses (SCCs);
(d) an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards; or
(e) an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards;
3. the transfer falls within one of a limited number of strict derogations.
What should you be doing now?
There is no guarantee that the European Commission will make an adequacy decision in relation to the UK before the end of the transition period, so organisations that receive personal data from the EEA should take the following steps to ensure that data flows can continue uninterrupted after 31 December 2020:
1. map your existing data flows to identify those in which personal data comes from the EEA into the UK;
2. review the contractual position between your organisation, third party controllers and processors, and data subjects;
3. consider whether each transfer is covered by a derogation;
4. if no derogation applies, look at putting SCCs in place between the EEA and UK entities.
If no adequacy decision is made and your organisation cannot put in place appropriate safeguards, together with any supplementary measures required following Schrems II, then the transfer may not be able to take place lawfully.
If your organisation processes personal data in connection with offering goods or services to data subjects in the EEA (for example, because it franchises in Europe or has branched into EU territories), or otherwise monitors the behaviour of data subjects in the EEA, you will need to appoint a representative in the EEA.
Consideration must also be given to the processing activities that will take place after the transition period. Organisations should ensure that their register of processing activities is up to date, along with their procedures for notifying personal data breaches, including which supervisory authorities must be notified.
Review your commercial contracts more generally to understand whether they restrict the transfer of data outside the UK and whether references to EU laws need to be amended.
If you have any questions in relation to data transfers after 31 December 2020 or how best to prepare in advance, please get in touch with us at Knights plc.