Brexit and personal data update

Following the decision of the CJEU in Schrems II earlier this year, and with the end of the transition period rapidly approaching, we have been eagerly awaiting guidance on a number of topics relating to personal data transfers outside the UK and European Economic Area (EEA).

This update covers a number of recent developments and is of particular importance for those transferring personal data between the UK and the EU or otherwise overseas.

Schrems II

In this decision in July 2020, the CJEU held that the EU-US Privacy Shield was invalid as a mechanism to enable the transfer of personal data from the EU to the US. Standard Contractual Clauses (SCCs) remain a valid transfer mechanism, but the CJEU stated that controllers or processors, where exporting personal data must verify, where appropriate (and in conjunction with the data importer), if the laws or practices of the importing country impinge on the effectiveness of the appropriate safeguards in Article 46 of the GDPR. This means that exporters may need to take supplementary measures (in addition to using the SCCs) to ensure an essentially equivalent level of data protection. The Court did not specify what those supplementary measures could be, and until recently, we have been waiting for further guidance on them.

On 10 November 2020, the European Data Protection Board (EDPB) published its recommendations on supplementary measures when transferring personal data outside the EEA. These recommendations (available here) are currently open to public consultation and will apply immediately following their publication.

Some example measures include:

• Imposing transparency and accountability measures on the data importer (e.g. any requests for access from public authorities and the importer’s response);
• Limiting the personal data that is exported (i.e. not just exporting all data in a set but making a decision as to what data from a set needs to be exported); and
• An obligation on the importer to notify the exporter of its inability to comply with its contractual commitments and/or the essentially equivalent level of data protection,

although in some cases, it may not be possible to implement supplementary measures.

You must demonstrate the decision making process behind the supplemental measures you have adopted, and what the supplemental measures are, in order to comply with the accountability principle. The accountability principle also means that you must re-evaluate, at regular intervals, the level of protection afforded to the personal data in the importing country.

Although this is yet to be clarified, it would appear that these supplementary measures will  apply to exports of personal data from the UK after the end of the transition period (in circumstances where such measures are required).

Standard Contractual Clauses for the transfer of personal data to non-EU countries

The European Commission has now published new draft SCCs for the transfer of personal data to non-EU countries (which are open for public consultation until 10 December 2020). Once approved, the new SCCs will replace the previous SCCs and organisations will have 12 months from the date the new SCCs enter into force to replace any existing SCCs in use.

The new SCCs cover:

• Controller – controller transfers;
• Controller – processor transfers;
• Processor – processor transfers; and
• Processor – controller transfers.

The new SCCs also include a “docking clause”, meaning that an entity who is not originally a party to the SCCs can be added, either as an exporter or importer, by completing certain Annexes to the SCCs.

In the event that there is no deal between the UK and the EU at the end of the transition period, and/or in the absence of an adequacy decision by the European Commission in respect of the EU, UK-based organisations may need to use SCCs to ensure that personal data can continue to be transferred (however, whether the new SCCs form part of retained EU law in the UK will depend on whether they are operative before the end of the transition period on 31 December 2020. Otherwise, the UK could adopt the new SCCs using regulations under the Data Protection Act 2018).

With the addition of processor-controller SCCs, this means that an EEA-based processor can now lawfully transfer personal data back to its UK-based controller. Given the proliferation of cloud based services based in Ireland and the Netherlands used by UK companies, this should greatly assist the issue of compliance when transferring data into and out of the UK post-Brexit.

The draft implementing decision of the European Commission and draft new SCCs can be accessed here.

Article 28 standard processor clauses

The European Commission has also published standard contractual clauses between controllers and processors located in the EU, pursuant to Article 28(7) of the GDPR. Again, these are open for public consultation until 10 December 2020.

These standard contractual clauses should be used whenever an EU-based controller engages an EU-based processor and should streamline the contractual process between the two parties.

The draft implementing decision of the European Commission and draft new standard contractual clauses can be accessed here.

What to do now

You should make sure you understand where all your data is processed. You need to identify your data flows so that you can make sure that these, and therefore your business, are unaffected.  Having done this, you need to ensure that these data flows will continue to be lawful post-Brexit; a failure to comply with data protection laws in respect of data transfers are subject to a maximum fine of the greater of £17.5m or 4% of your global turnover, so it is worth spending some time getting this right now!

On 18th November data protection specialist Phil Tompkins discussed the implications of Brexit for personal data exports in a webinar, click here to view.