On June 23, 2016, the British electorate voted in favor of Brexit (51.9%). On March 29, 2017, the United Kingdom invoked the Article 50 procedure of the Treaty on European Union. Negotiations then began in order to find an agreement that would satisfy the two now opposing sides. Three tumultuous years passed; as the December 31, 2020 end of the transition period approached, no agreement seemed within reach. Yet on December 24, 2020, a trade and cooperation agreement between the European Union (EU) and the United Kingdom was announced.
Among other things, this agreement provides that, after the end of the transition period on December 31, 2020, personal data can continue to flow to the United Kingdom under the EU data protection rules for a maximum of 6 months, i.e., until June 30, 2021, while the European Commission assesses the UK's level of protection.
Until now, the transfer of personal data to and from the UK did not have to follow any specific procedure: because the UK was part of the European Union, it necessarily applied the GDPR. However, the European regulation is no longer binding on the UK. It is therefore necessary to verify that the country offers an adequate level of protection.
In addition, the one-stop shop mechanism no longer applies to the United Kingdom as of January 1st, 2021. Under this mechanism, an organization carrying out cross-border processing deals with a single lead supervisory authority, which coordinates decision-making with the other supervisory authorities concerned. The lead authority is the authority of the Member State where the company has its main establishment, i.e., the place where decisions on the purposes and means of the processing are taken.
But in practical terms, what does this mean?
Take, for example, the case of a group headquartered in the UK. Before January 1st, 2021, this multinational benefited from the one-stop shop mechanism. As a result, the UK data protection authority (the ICO) was designated as the lead authority and was thus the single point of contact for processing activities on European territory. As of January 1st, however, the ICO can no longer act as lead authority. It will therefore be necessary to determine which entity within the EU takes the decisions on the purposes and means of the processing, since that is what determines which supervisory authority becomes the lead authority.
With respect to transfers of personal data, until June 30, 2021, companies within the group established in EU Member States may continue to transfer data to the UK headquarters without any specific measures. From that date, transfers to the UK will in principle be prohibited unless the European Commission adopts an adequacy decision in favor of the UK, or appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs) are put in place.
First, it is necessary to assess, depending on the group's activities, whether an EU representative must be appointed. Then, in the absence of an adequacy decision in favor of the UK, it will be imperative to put in place appropriate safeguards in order to continue transfers to the UK.
The appointment of an EU representative is an obligation for any data controller or processor established outside the EU whose activities relate either to the offering of goods or services to data subjects in the Union or to the monitoring of the behavior of such data subjects (Article 27 of the GDPR). The EU representative acts as the point of contact for data subjects and supervisory authorities on any question relating to the processing of personal data.
There are then three scenarios to consider:
In particular, we can be appointed as the EU representative of your organization.
As discussed above, data transfers to the UK will need to be covered by appropriate safeguards. These requirements are set out in Chapter V of the GDPR and include:
The adequacy decision is provided for in Article 45 of the GDPR, under which the European Commission may determine that a third country ensures an adequate level of data protection. The European Data Protection Board (EDPB) issues an opinion on the draft decision before a vote by a committee of Member State representatives. Such a decision allows data transfers to that country to take place without any specific authorization. An adequacy decision is not permanent and can be revoked or invalidated. Most recently, U.S. government surveillance programs notably led the Court of Justice of the European Union, in the Schrems II ruling, to invalidate the adequacy decision covering the EU-U.S. Privacy Shield.
Questions now arise from this ruling insofar as the United Kingdom is notably part of the "Five Eyes" intelligence alliance, alongside the United States, Australia, Canada and New Zealand. In addition, UK Prime Minister Boris Johnson announced on several occasions that the data protection rules to be applied in the UK will be lighter than the requirements of the GDPR.
A study conducted by the New Economics Foundation think tank and University College London estimated the cost to UK companies wishing to continue exchanging personal data with the EU in the absence of an adequacy decision at between £1 and £1.6 billion (€1.1 and €1.8 billion). Among the solutions available to them are the following:
SCCs are adopted by the European Commission and provide a framework for the transfer of personal data outside the EU. These clauses make it possible to guarantee, by contract, a level of protection equivalent to that of the GDPR. At present, SCCs exist only for transfers between two data controllers and for transfers from a data controller to a data processor. However, on November 12, 2020, the European Commission published draft clauses covering a wider range of situations. If the draft is adopted, the clauses will then cover data transfers between:
BCRs are a common data protection policy adopted by a group to govern transfers of personal data outside the EU. Implementing such a common policy ensures data protection in compliance with the GDPR at a global level. The procedure for adopting BCRs is as follows:
Beyond the appropriate safeguards just detailed, other obligations will also have to be met. For example, UK actors will have to keep their record of processing activities up to date with respect to their processing of personal data in the EU. Likewise, privacy notices on websites will have to specify whether data is transferred to the UK. These formalities can be carried out by the Data Protection Officer. In particular, DPO Consulting is able to assist you as your Data Protection Officer.
Key points of attention and dates to remember:
The appointment of an EU representative can also be an opportunity to verify the compliance of processing activities with the GDPR, so as to properly frame the relationship between the UK and the EU, to ensure that the record of processing activities is maintained, to update the contact forms on websites, and so on. DPO Consulting can assist you in your compliance process.