Since the United Kingdom (“UK”) officially left the European Union (“EU”) at the end of January, clients must consider the legitimacy of their EU to UK personal data transfers, as well as the legitimacy of their personal data transfers from the UK to non-EU countries.
The EU General Data Protection Regulation (GDPR) restricts personal data transfers to non-member countries, unless the European Commission has determined that the non-member country provides “adequate” protection for individuals’ rights and freedoms under its law. By leaving the EU, the UK, and businesses operating within the UK, will no longer enjoy status permitting the transfer of personal data to Europe without safeguards.
Consequently, businesses collecting or processing personal data and conducting data transfers to and from Europe or the UK must consider the following:
1. Can we legally transfer personal data between the UK and Europe?
Before the UK left the EU, the UK Parliament passed a Withdrawal Agreement outlining procedures for a post-Brexit transition period. Under the Withdrawal Agreement, the GDPR will continue to apply to data transfers between the UK and EU until December 31, 2020. During this transition period, businesses may operate as usual with respect to data transfers to and from the UK, so long as they are compliant with the GDPR. The UK Information Commissioner’s Office (ICO) will remain the lead supervisory authority in the UK. The Data Protection Act 2018 (DPA 2018), which currently supplements and tailors the GDPR within the UK, will also continue to apply.
2. Can we legally transfer personal data from the UK to the United States?
U.S. companies can still legally transfer personal data from the UK to the U.S. either under the EU-U.S. Privacy Shield Framework, standard contractual clauses or binding corporate rules - all legal transfer mechanisms permitted under the GDPR. The EU-U.S. Privacy Shield Framework is a valid legal mechanism allowing data transfers for those companies who apply for and obtain certification with the U.S. Department of Commerce. Only those U.S.-based companies who complete the Privacy Shield certification process can utilize the Privacy Shield as an option to legally transfer data from the EU to the U.S. For U.S.-based companies not certified under the Privacy Shield, those companies can use standard contractual clauses or binding corporate rules to legally transfer data from the EU to the U.S. Standard contractual clauses, which are contractual clauses that have been pre-approved by the European Commission, are frequently used to legitimize data transfers. These clauses may be incorporated into data processing agreements between two companies that transfer information between the EU and the U.S. Binding corporate rules are utilized by large international companies to facilitate the transfer of data between the companies’ various corporate groups.
During this transition period, U.S.-based companies participating in the EU-U.S. Privacy Shield Framework and receiving personal data from the UK should take the following steps before December 31, 2020:
Maintain Privacy Shield Certification and recertify annually. Companies recertifying to the Privacy Shield after December 31, 2020, agree to cooperate and comply with the UK ICO in dealing with personal data transfers from the UK.
3. Will the UK adopt its own data protection law similar to the GDPR?
Prior to Brexit, the UK government represented that it would incorporate the GDPR into UK law, with the necessary changes to tailor its provisions for the UK (the ‘UK GDPR’). However, on February 3, 2020, Prime Minister Johnson asserted in a written statement to the House of Commons that the UK will develop separate and independent policies in certain areas including data protection. It is unclear at this time what data protection policies and laws the UK will pursue.
Despite these new assertions by the Prime Minister, the UK will seek to obtain an adequacy decision to secure data transfers between the EU and UK after December 31, 2020. There is some risk that the UK and EU will not agree to an adequacy decision before the end of the year. If an adequacy decision is not secured during the transition period, personal data transfers from the EU to the UK will constitute data transfers to a third country with inadequate data protection laws, which would require companies to implement sufficient safeguards, such as standard contractual clauses or binding corporate rules, in order to legitimatize transfers.