The UK will leave the EU in 21 days on 1st January 2021. This date will also mark the end of the transition period.

With this date on the horizon, businesses must now look to ensure that they are compliant with the new governing rules on international transfers of personal data between the UK and the European Economic Area (EEA).

Though the Withdrawal Agreement is not fully settled upon, existing EU GDPR law is set to be incorporated in the UK domestic law as ‘UK GDPR’. As such, the core principles will generally stay the same and businesses, for the most part, should look to uphold their current compliance standards.

However, there are some changes that will take effect from the 1st January, particularly with regards to incoming data from the EU. As a rough guidance, businesses will fall under one of the three following categories:

 1.      A business with no contacts or customers in the EEA

2.      A business that receives data from contacts in the EEA, or

3.      A business with an office(s), established presence or customers in the EEA

With the former, there is little to do as your business operations will fall under existing GDPR standards. Those in the second category will need to make provisions to allow for the continuation of data from the EEA to your business. Finally, those with more extensive operations in the EEA will need to ensure that they are compliant with both the UK GDPR and EU GDPR and will need to assign an EEA representative, respectively.

This article will examine the main issues to look out for and how businesses can address them to be Brexit-compliant.

Transfers within group companies (compliance with the binding corporate rules (BCR)).

For businesses that have offices or branches in the EEA, operations within those offices will remain covered by EU law after the 1st January 2021. However, you will need to ensure that you have established a lead supervisory authority within the EEA, as you will no longer be covered by the Information Commissioner’s Office (ICO).

Businesses that hold a Binding Corporate Rule (BCR) issued prior to 25th May 2018 can continue to use their BCR as a mechanism to transfer data between their groups. Nonetheless, after the transition period, they must secure a new supervisory authority within the EEA. In this instance, no approval from the new EEA authority will need to be issued.

However, any business who attained a BCR approved by the ICO after the 25th May 2018 will not automatically have the appropriate safeguard mechanisms in place to transfer data between groups after the 1st January. Instead, businesses will have to attain a new approval from an EU member state. The necessary changes that businesses will need to implement in order to gain new approval can be found on the European Data Protection Board (EDPB) website.

In any scenario, a business established in the UK which processes data from within the EEA in relation to goods, services or the behaviour of EEA data subjects, will be required to elect a local representative as a contact point for the EEA supervisory authority. 

The Transfer of Personal Data between the UK, EU & Third Countries

From 1st January 2021, outbound data transfers from the UK will be subject to UK GDPR, which incorporates the existing EU GDPR as such businesses will be able to continue transferring data from the UK to their EU counterparts.

However, following the transition period, the UK’s relationship with the EU will change to third-country status. This will have a significant impact on the transfer of personal data from EU Countries to the UK (inbound transfers) – even if both the controller and the recipient of the data are part of the same corporate group. An incoming data transfer will only be able to take place if certain conditions are met (see Article 44, GDPR)

When contextualised, this could cause implications for many UK businesses. For example, businesses may have issues accessing or retrieving their data from cloud based servers (such as CRMs) hosted within the EU.

The UK may resolve this issue if it reaches an Adequacy Decision (Article 45(1), EU GDPR) with the EU, whereby the EU permits data transfer to the UK. An adequacy decision would essentially allow the UK the same rights to collect and process personal data as an EEA country. However, until a trade agreement is in place, it is unlikely that the EU will grant an adequacy decision to the UK.

Until the UK reaches an agreement with the EU, the UK government advises that any business receiving inbound data from the EU needs to implement the necessary safeguards. In this case Standard Contractual Clauses (SCCs).*

According to guidance from the ICO, businesses who share data internationally outside of the EEA, will not need to make any provisions at this stage.

What are the penalties for not complying with rules for international data transfers, including not dealing with this in your privacy policy?

If an adequacy decision has not been made with regards to the UK by the end of 2020, transfers of personal data from the EEA to the UK will be illegal. The ICO advises that businesses use SCCs to safeguard their data transfer operations as time is running out for an adequacy decision. You can view further guidance on the ICO website.  

This article by Fox Williams on the impact of Brexit for UK business gives a good general overview.

Companies that do not comply with the new UK or EU GDPR requirements may find themselves subjected to harsh penalties.

A note from UK Government issued 6th June 2018, [i]warned that companies found flouting the new rules “would face investigation by the EU and UK regulator as well as two sets of large fine – up to EUR 20 million or 4% of global turnover – for the same breach” (HM Government: Benefits of a new data protection agreement).

With the ICO keen for the UK to achieve an adequacy decision from the EEA, they will likely take an efficient approach to the enforcement of any penalties for GDPR non-compliance.

Action

Businesses should check the current provisions for international data transfers in their privacy policy is compliant. Are compliant BCRs in place for intragroup data transfers? Do you need SCCs? If your privacy policy has not been updated for some time make sure you do due-diligence on data transfers particularly if personnel for data management has recently changed.

To obtain an accurate, opinion from me about your case or matter please contact me on (020) 7305-7491 or at peter@pailsolicitors.co.uk we would be delighted to assist you.

The writer is an Internet and digital technologies + entertainment law specialist, owner and principal solicitor at PAIL® Solicitors. Peter Adediran's specialist niche areas of practice are digital media business SMEs and IP, both contentious and non-contentious. (Charge rates may vary)

[i] *though further safeguards may be needed where organisations cannot guarantee the same level of data protection outlined by EU GDPR.