How Brexit Will Affect UK Data Flows

So, as we all know, on March 29, 2019, the UK might leave the European Union. For British residents who have lived their whole life in the European Union and take many situations for granted, it’s probably hard to imagine what it means to be part of a "third" country outside multiple European legal frameworks. To think that suddenly planes could stop landing in the UK due to the lack of legislation, or that British citizens might need a visa to travel to the European Union, or that trucks with goods could queue at customs for 5 days. As a person with Russian roots, who spent the childhood in the Soviet Union without the opportunity to go abroad at all, I remember such situations, and many of them still occur in third countries. As a result I can easily predict any worst case scenarios. But let's focus on the personal data and privacy issues:

One of the things that was a part of the common set of rules of the European Union is that personal information was able to flow freely between organisations in the UK and European Union without any specific commitments. That’s because we have had a common set of rules - the GDPR.

But this two-way free flow of personal information will no longer be the case after the UK leaves the EU. It is particularly relevant to UK businesses and organisations which:

- operate in the European Economic Area (EEA), which includes the EU; or

- send personal data outside the UK; or

- receive personal data from the EEA.

The Government has already made clear its intention to permit data to flow from the UK to EU countries. But transfers of personal information from the EU to the UK will be affected and the EU institutions will now have to decide whether they consider United Kingdom to be a country with adequate personal data protection.

Depending on how the UK and the EU implement the withdrawal, there might be several scenarios:

1. Scenario (1) “Transition  Period”: The UK and EU preliminarily agree that from March 30, 2019 until December 31, 2020, there will be a Transition Period during which EU law, including EU data protection law, and the European Commission’s decision on the adequacy of the protection provided by the United Kingdom will continue to apply. Also, during the Transition Period, the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required.

This means, UK businesses will not need to follow the steps described in the Scenario 2 until December 31, 2020 and probably all the legal gaps in data protection legislation arising from the Brexit will be covered by December 31, 2020.

2. Scenario (2) “No Transition Period” or "No deal Brexit scenario": In the event that the UK and the EU do not finalise an agreement on the Transition Period, each UK business must take the steps below by March 29, 2019.  

2.1 Review your data flows and identify where you receive data from the EU or whether you are sending any data to the United States. This includes your suppliers, processors, customers, contractors, employees and any software tools you are using.

2.2 If you only operate within the UK and with individuals in the UK. You may not need to do much to prepare for data protection after we leave the EU.

2.3 If your company is based in the UK, and not in any other EU state, but you offer goods or services to individuals in the EU, or you monitor the behaviour of individuals located in the EU, then you will need to comply with the EU regime. 

Example: A marketing company established in the UK provides advice on retail layout to a shopping centre in France, based on an analysis of customers’ movements throughout the centre collected through Wi-Fi tracking. The analysis of a customers’ movements within the centre through Wi-Fi tracking will amount to the monitoring of individuals’ behaviour. In this case, the data subjects’ behaviour takes place in the Union since the shopping centre is located in France. The marketing company based in UK is the data controller.

In such cases, to comply with the EU regime and GDPR you will need to do 2 things:

2.3.1 You will need to do appoint a suitable Representative in the EEA under article 27 of the GDPR:

The EU Representative will act as your local representative with individuals and data protection authorities in the EU. This is separate from your DPO obligations, and your representative cannot be your DPO or one of your processors. You do not need to appoint a representative if you are a public authority, or if your processing is only occasional, low-risk, and does not involve special category or criminal offence data on a large scale.

The EDPB (European Data Protection Board) confirms that the criterion for the establishment of the representative in the Union is the location of data subjects whose personal data are being processed. The place of processing where most of the data subjects are located is the relevant factor for determining the location of the establishment of the representative.

Therefore, if you have customers, suppliers, contractors in the EU, or offer marketing or any analytic services about individuals located in the EU, this will be the case.

2.3.2 Appropriate safeguards:

Currently there are several countries, territories or sectors about which the European Commission has already made an adequacy decision. This means personal data can be transferred and processed under such decision without any additional security or legal requirements. This includes:

Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay or USA (under Privacy Shield only)

If there is no adequacy decision made by the EU commission about UK by March 29th, and until such a decision is made, the UK will be considered a "not safe" country for the European Union. During this period, until the adequacy decision is made, you should consider putting in place one of the appropriate safeguards to cover the restricted transfer under articles 44 and 46 GDPR in order to be able to receive personal data from European Union and remain compliant.

Often a relatively simple way to provide an appropriate safeguard for a data transfer outside the EU is to enter into standard contractual clauses between the sender (EU organisation) and receiver of personal data (UK organisation).

The UK Information Commissioner's Office published an interactive tool to help you decide: if you need to use standard contractual clauses for transfers from the EU to the UK, available here:

https://ico.org.uk/for-organisations/data-protection-and-brexit/standard-contractual-clauses-for-transfers-from-the-eea-to-the-uk-interactive-tool/

And also template contracts:

Controller to controller: https://ico.org.uk/media/2553982/ico-guidance-controller-to-controller.docx

Controller to processor: https://ico.org.uk/media/2553983/ico-guidance-controller-to-processor.docx

Multinational corporate groups can also consider their use of existing EU approved binding corporate rules to make transfers into and out of the UK.

Some of the derogations for specific situations under article 49 GDPR for the transfers of personal data to a third country (from EU to UK) are the following:

- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

- the transfer is necessary for the establishment, exercise or defence of legal claims;

2.4 Brexit and the EU-US Privacy Shield framework

Those UK organisations transferring data to the US under EU-US Privacy Shield framework will be required to adhere to the following:

Public commitments (external privacy statements, Data Processing Agreements and other data protection related documents) must state specifically that the commitment extends to personal data received from the UK in reliance on Privacy Shield.  If an organisation plans to receive Human Resources (HR) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy. Model language for these updates is provided below:

"[Your organisation name] complies with the [T EU-U.S. Privacy Shield Framework] [and the Swiss-U.S. Privacy Shield Framework] as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the [European Union and the United Kingdom and/or Switzerland, as applicable] to the United States in reliance on Privacy Shield.  [Your organization name] has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/."

An organisation that does not modify its privacy commitment documents as listed above will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after the Applicable Date (either March 29, 2019 if there is no Transition Period or December 31, 2020, at the end of the Transition Period).

Elena can be contacted via info@quick-gdpr.co.uk if you are looking for additional consultancy or want to appoint an EU rep in France, Spain, Germany or Ireland.

Find out more about the Quick GDPR tool here.