Privacy & Brexit: What privacy actions are needed?
With its departure from the EU, the United Kingdom (England, Scotland, Wales and Northern Ireland) has become a ‘third country’ from a European privacy perspective. On 24 December 2020, the Brexit deal was concluded which has implications for the transfer and processing of personal data in the UK. Organisations that wish to (continue to) transfer or process personal data in the UK will need to conclude various privacy actions before 1 May 2021 (or 1 July 2021).
Transitional period of up to 6 months
The Brexit deal allows the continued transfer of personal data to the UK until 1 May 2021, provided that the UK maintains its existing privacy rules. This transitional period can be extended by a maximum of two months, i.e., until 1 July 2021.
Transfer after the end of the transitional period. What are the options?
Adequacy Decision
The European Commission (EC) may adopt an adequacy decision for the UK. With such a decision, the EC confirms that the legislation of the UK provides an adequate level of data protection equivalent to that of the European Economic Area (EEA). In that case, no additional arrangements need to be made for the (further) exchange of personal data with the UK. Although the EC is currently preparing an adequacy decision, it is doubtful whether the adequacy decision will be made before the end of the transitional period. We recommend not waiting for this decision but taking proactive privacy actions.
No adequacy decision; take appropriate measures to maintain your transfer of personal data
In the absence of a (timely) adequacy decision for the UK, you must take appropriate and timely measures to ensure a continued transfer of personal data to the UK.
The GDPR offers the following two transfer tools that you may use for this purpose: concluding Standard Contractual Clauses (SCCs) or using Binding Corporate Rules (BCRs). Also, in specific exceptional cases, incidental transfers may be allowed.
Risk assessment after Schrems II
As a result of the Schrems II judgment of the Court of Justice of 16 July 2020, you need to assess whether UK legislation provides an adequate level of data protection, in addition to concluding SCCs or using BCRs as a transfer tool. If this assessment concludes that no adequate level of protection is provided, you must take additional measures to protect your personal data and mitigate privacy risks. In November 2020, the European Data Protection Board (EDPB) published recommendations on how such an assessment should be carried out and what additional contractual, technical and organisational measures could be considered, for example with regard to encryption. To ensure an adequate level of data protection, you are obliged to implement the necessary additional measures or to require your service provider (acting as processor) to do so. If it is not possible to implement adequate measures, the transfer must be suspended.
New SCCs expected in early 2021
Also, in November 2020, new (draft) SCCs were published which are expected to be approved by the EC in early 2021. When the new SCCs are approved by the EC, they will replace the current SCCs and you must use the new SCCs for further transfers to the UK. If you are now considering using SCCs for transfers to the UK, you may use the current versions if the new SCCs are not yet in force, but we recommend that you closely monitor the adoption of the new SCCs to ensure that you replace the current SCCs in a timely manner.
Binding Corporate Rules (BCR)
You may continue to use your already approved BCRs for the exchange of personal data within the corporate group. If your organisation has not yet implemented BCRs and is considering devising them, you should expect a significant delay before your organisation can put the BCRs into use. If the Dutch Data Protection Authority (DPA) is the lead authority for your organisation, you must submit the BCRs to the DPA for approval. The DPA has a serious backlog, delaying approval by five to seven years.
Privacy actions – do not wait until 1 May 2021 (or 1 July 2021)
The current transition period allows you to identify what privacy actions are needed to ensure that your organisation can continue to exchange personal data with the UK without impediments.
Our advice:
- Map all transfers of personal data: Map all transfers of personal data between the EEA and the UK (and vice versa) within your organisation. Also check whether your processors (or their sub-processors) process data in the UK.
- Define a transfer strategy if a UK adequacy decision is not approved by 1 May 2021 (or 1 July 2021). Make sure that you have identified the appropriate transfer tools and additional measures so that your organisation does not have to suspend its data transfer to the UK in the absence of an adequacy decision.
- Check and update your privacy documents: Check whether your organisation’s privacy documentation, such as the processing register and the privacy statement, as well as existing privacy agreements, need to be amended to reflect updated transfer tools and/or the necessary contractual, technical and organisational measures to be taken.
- One-stop-shop principle / lead supervisor: If your organisation had designated the UK regulator (the Information Commissioner’s Office, ICO) as the lead supervisor based on the one-stop-shop principle under the GDPR, you must designate a new lead supervisor in the EEA.
- UK privacy law: If your organisation processes personal data of data subjects in the UK, these processing operations are likely to be governed by UK privacy law. If your organisation does not have a registered office in the UK, your organisation may also need to appoint a UK representative.
- Data breach notification: If you process data within the EEA and the UK, you must report a data breach to all relevant privacy regulators. This may include both the EEA and UK regulator(s). After reporting the incident, both the ICO and the European regulators can impose fines. It is recommended that you check and, if necessary, revise your organisation’s data breach policy to avoid failing to notify the competent regulators.
Sanctions
Non-compliance with the GDPR obligations can lead to fines of up to 20 million euro or 4% of your global annual turnover. For the Netherlands, the penalty policy rules of the Dutch DPA are normative. See also the Brexit dossier of the Dutch DPA for more information on the topic.
Your contact
The privacy specialists at Doorne will be pleased to help you. We work closely with privacy specialists in the UK, so that we can offer you tailored assistance on matters that concern European, Dutch or UK privacy law.
See also the articles on the impact of Brexit in other practice areas. Do not hesitate to contact one of our experts for a more detailed analysis of the impact of Brexit on your business.