On June 23rd, 2016, the British population voted in favor of Brexit (51.9%). On March 29th, 2017, the United Kingdom invoked the procedure provided for by Article 50 of the Treaty on the European Union. Negotiations then began to find an agreement that would satisfy the two now opposing sides. Three tumultuous years passed and, with the December 31st 2021 deadline for the transitional period approaching, no agreement seemed within reach. Yet on December 24th 2020, a trade and cooperation agreement was signed between the European Union (EU) and the United Kingdom.
This agreement provides that the General Data Protection Regulation (GDPR) will remain applicable in the United Kingdom after its exit from the EU on January 1st 2021, for a maximum period of 6 months, i.e. until June 30th, 2021, during which time personal data can continue to be transferred there.
Until now, the transfer of personal data to and from the United Kingdom did not require any specific procedure. As the United Kingdom was part of the European Union, it necessarily complied with the GDPR. However, European regulations no longer bind the UK. It is therefore necessary to verify that the country offers an adequate level of protection.
In addition, the one-stop shop will no longer be applicable in the UK from January 1st 2021. This system allows EU member states to designate a supervisory authority that will be responsible for coordinating all decision-making on cross-border processing operations with other personal data supervisory authorities. The designated lead authority will depend on the location of the entity’s main office, i.e. the place where decisions are taken.
But what does this mean in practice?
Let’s take, for example, the case of a group with its headquarters in the United Kingdom. Before January 1st 2021, this multinational benefited from the one-stop-shop system. As a result, the UK Data Protection Authority (ICO) was designated as the lead authority and was thus the single point of contact for processing activities in the EU. However, as of January 1st the ICO can no longer act as the lead authority. It will therefore be necessary to identify which entity within the EU takes the decisions on the purposes and means of the company’s processing operations, since that is what determines which supervisory authority becomes the lead authority.
Concerning the transfer of personal data, until June 30th 2021, subsidiary companies located in the EU can transfer personal data to the group headquarters in the UK without any additional measures. From that date, the same transfer will be considered prohibited in the absence of an adequacy decision adopted by the European Commission or the implementation of additional measures such as standard contractual clauses (SCC) or binding corporate rules (BCR).
First, it is necessary to assess whether an EU representative must be appointed, depending on the organization’s activities. Then, in the absence of an adequacy decision in favor of the United Kingdom, it is imperative to implement additional guarantees in order to continue transfers to this country.
The appointment of an EU representative is an obligation for any controller or processor established outside the EU whose activities are related either to the provision of goods or services to data subjects in the Union or the monitoring of the behavior of those data subjects (Article 27 of the GDPR). The function of the EU representative is to be the contact point for data subjects and supervisory authorities for any question relating to the processing of personal data.
Therefore, three scenarios are to be considered:
– Either the UK organization has an establishment in the EU, then there is no need for an EU representative,
– Or the UK organization is established only outside the EU, so the appointment of a representative is necessary,
– Or an EU representative had been appointed in the UK before January 21st 2021, in which case a new appointment in an EU member state needs to be made.
We can be appointed as your organization’s EU representative.
As mentioned above, data transfers to the UK will need to be framed by a transfer tool. These tools are detailed in Chapter V of the GDPR and include:
– The adoption of an adequacy decision by the European Commission, allowing the status quo to be maintained,
– The implementation of appropriate safeguards such as SCCs or BCRs.
Adequacy decisions are set out in Article 45 of the GDPR and allow a third country to ask the European Commission to assess whether it provides an “adequate level of data protection”. An opinion is then issued by the European Data Protection Board (EDPB) before a vote by a Committee of EU Member States. Such a decision allows a data transfer to take place without specific authorization. An adequacy decision is not permanent and can be revoked. Recently, the U.S. military intelligence and surveillance program, among other things, led the Court of Justice of the European Union to invalidate the Privacy Shield, which had been the subject of an adequacy decision, in the Schrems II ruling.
Questions are now being raised because of this ruling, as the UK is part of the “Five Eyes” military intelligence alliance with the U.S., Australia, Canada, and New Zealand. In addition, former UK Prime Minister Boris Johnson has repeatedly announced that the data protection regulations to be applied in the UK will be lighter than the requirements of the GDPR.
A study published by the think tank New Economics Foundation and University College London estimated the cost to companies wishing to continue transferring personal data with the EU in the absence of an adequacy decision at between £1 billion and £1.6 billion (€1.1 billion and €1.8 billion). The available solutions are the following:
SCCs are adopted by the European Commission and provide a framework for the transfer of personal data outside the EU. These clauses make it possible to contractually guarantee a level of protection equivalent to that of the GDPR. Depending on the chosen module, SCCs can cover the following data transfers:
– Controller to controller,
– Controller to processor,
– Processor to processor,
– Processor to controller.
BCRs are a group-wide data protection policy meant to govern the transfer of personal data outside the EU. Implementing such a common policy ensures data protection compliant with the GDPR across the whole group. The procedure for adopting BCRs is as follows:
– An examination of the request is carried out at the national level by the competent supervisory authority,
– After modification of the draft, it is submitted to two other supervisory authorities for comments,
– The file is transferred to all the supervisory authorities to suggest modifications,
– The final draft is then submitted to the EDPB,
– If the BCRs are adopted, the opinion of the EDPB and the deliberation of the competent supervisory authority are published.
Other obligations will also have to be met in addition to the appropriate safeguards that have just been detailed. For example, UK actors will have to continue to maintain a record of processing operations regarding their processing of personal data in the EU. Furthermore, the information provided on websites will have to specify whether personal data is transferred to the UK. These formalities can be carried out by the Data Protection Officer. Specialized companies such as DPO Consulting can assist you as Data Protection Officer.
Essential points and key dates to remember:
The appointment of an EU representative can also be an opportunity to verify the compliance of processing operations with the GDPR in order to optimize relations between the UK and the EU, to ensure that the record of processing operations is maintained, to modify the contact forms on websites, etc. DPO Consulting can assist you in your compliance process.
– Alexis Dessaints