EDPB and ICO respond to the Brexit data transfer window

As most in the data community are aware, the EU-UK Trade and Cooperation Agreement (the “Brexit Deal”) was agreed on Christmas Eve and provides for an interim period (up to a maximum of six months ending on 30 June 2021) whereby data transfers from Europe to the UK will not be treated as transfers to a third country subject to Chapter V of the GDPR following the end of the transition period on 1 January 2021, provided the UK complies with certain conditions during the interim period (discussed in our blog here).

Following this, both the European Data Protection Board (“EDPB”) and the UK’s supervisory authority (the Information Commissioner’s Office (“ICO”)) have issued either updated or new responses which provide some more clarity on areas of focus and what to expect over the coming year.

The EDPB’s Response

Prior to the Brexit Deal being agreed, in mid-December the EDPB adopted its ‘Statement on the end of the Brexit transition period’ (here) (the “Statement”) and an ‘Information note on data transfers under the GDPR to the United Kingdom after the transition period’ (here) (the “Information Note”) which highlighted some key considerations of the EDPB.

Following the agreement and implementation of the Brexit Deal from the beginning of 2021, the EDPB has now updated the Statement and Information Note.

  • The interim data transfer window

In line with Article FINPROV.10A of the Brexit Deal, the update to the Statement and Information Note emphasises that data transfers to the UK can continue to take place without the requirement of a transfer tool under Article 46, or relying on the derogations list under Article 49, until 30 June 2021 (at the latest) provided that the UK’s current data protection regime stays in place.

  • Preparing for an adequacy decision (or lack of one)

The EDPB provides no further view on the adequacy of the UK’s data protection regime other than that the timeline for a favourable decision has now been pushed to the end of June. If a favourable adequacy decision is not taken by 30 June 2021, the EDPB emphasises in the Statement and Information Note that transfers between entities regulated by the GDPR to the UK will become subject to Chapter V of the GDPR. This will mean that transfers to the UK will require adequate safeguards such as standard data protection clauses, binding corporate rules, intra-group agreements, codes of conduct etc. to be put in place along with ensuring enforceable data subject rights and effective legal remedies for data subjects as required by Article 46.

The Information Note further reminds controllers and processors that, absent an adequacy decision, from the end of the interim period compliance with other GDPR obligations will come into sharper focus, including:

    • updating privacy notices and records of processing to account for data transfers to the UK;
    • taking caution if intending to rely on grounds under Article 49 in the absence of safeguards under Article 46, as such grounds are to be interpreted restrictively, only being fit for occasional and non-repetitive transfers; and
    • considering whether any supplementary tools may need to be put in place, a relatively complex and time-consuming consideration discussed further here (albeit the fact that the UK’s data law is the application of the GDPR then such consideration should theoretically be straightforward).
  • One-Stop-Shop mechanism

While not affected by the EDPB’s updates, it is worth noting that the Statement and Information Note also clarify the applicability of the One-Stop-Shop (“OSS”) mechanism envisioned by the GDPR within the UK.

The OSS mechanism provides that the supervisory authority in the jurisdiction of an entity’s main establishment will act as the lead supervisory authority and carry out compliance and regulatory functions on behalf of supervisory authorities in each EU jurisdiction in relation to that entity.

From 1 January 2021, the OSS will not apply in the UK so that the ICO will not be able to act as a lead supervisory authority (i.e. the Brexit Deal did not extend this mechanism). The EDPB notes that it has engaged with supervisory authorities and the ICO to ensure a smooth transition of existing cross-border cases.

The Statement and Information Note goes on to remind controllers and processors that they remain free to establish a main establishment in an EU jurisdiction under Article 4(16) to utilise the OSS mechanism (although the feasibility of this for many entities may well be impracticable). If this is not in place, entities will need to designate a representative under Article 27 as long as their activities are subject to the GDPR under Article 3(2).

The ICO’s Response

In a blog posted on 22nd January (here), the ICO’s Information Commission Elizabeth Denham responded to the Brexit Deal (the “ICO Response”) by welcoming the long-term commitments made by the EU and UK, most notably, to promoting high international standards of data protection, developing a regulatory relationship, and co-operating on enforcement activity.

The ICO Response considered the interim period allowing data transfers between Europe and the UK as the “best possible outcome for UK organisations” in light of the risks and impacts to digital trade if this had not been put in place. However, given this interim period will end in either four or six months under the Brexit Deal, the importance of a positive adequacy decision for UK data flows is clear in the ICO Response, emphasised by the reference to the EU’s commitment to considering the UK’s adequacy position “promptly” in a declaration accompanying the Brexit Deal. Although the ICO Response also sounds the warning that adequacy is not guaranteed and so organisations should be putting in place appropriate safeguards during this window.

Finally, as well as some specific commentary regarding data sharing in the context of law enforcement  and noting that the UK must also notify the EU-UK Partnership Council, as far as reasonably possible, of any new international transfers of personal data between public authorities for international transfers of personal data, the ICO Response also highlights that the process for any decisions in a range of areas (including UK adequacy decisions, approving international transfer mechanisms, or standard contractual clauses) must be put before the EU-UK Partnership Council. Given this requirement, it may be that material departure from the current UK data protection position is unlikely in the imminent future.

Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Claire Wiseman
Claire Wiseman
Professional Support Lawyer, London
+44 20 7466 2267
Alasdair McMaster
Alasdair McMaster
Associate, London
+44 20 7466 2194
Asmita Singhvi
Asmita Singhvi
Trainee, London
+44 20 7466 3697

EU-UK Brexit Deal grants an interim data transfer window

On Christmas Eve, the EU and UK announced that they had reached an agreement on their future relationship, which we expect to come into effect on 1 January 2021 (the “Brexit Deal”). Further details of the deal itself will be discussed by my colleagues on our Beyond Brexit blog, available here. And for the most part, the Brexit Deal does not deal with data protection specific issues.

However, for those data practitioners amongst us, you will know that the main area of concern related to Brexit has long been the issue of data transfers and whether or not the UK will be considered ‘adequate’ for GDPR purposes. In this respect, the Brexit Deal does throw a slightly unexpected lifeline of sorts.

The interim data transfer window

Article FINPROV.10A (Interim provision for transmission of personal data to the United Kingdom) provides for a four month window (which can be extended to six months) during which the UK will still not be treated as a ‘third country’ for GDPR purposes, thereby allowing the free flow of data from the EU and EEA Member States to the UK. So far so good, and many companies may be breathing a sigh of relief that the 31st December ‘cliff edge’ has been avoided. However, the interim data transfer window comes with strings attached.

The draft Brexit Deal makes it clear that the interim data transfer window will only remain open provided that the UK: (i) does not change its data protection laws from those in place on 31 December 2020 (i.e. the UK GDPR); and (ii) does not exercise any of its ‘designated powers’ without agreement from Europe. The ‘designated powers’ referred to are a relatively long shopping list of actions that the UK may not take with respect to international data transfers. For example, it may not publish its own set of ‘standard contractual clauses’ or approve a draft Code of Conduct with respect to international transfers of data. If the UK takes any such action without agreement from Europe, then the transfer window will automatically close (meaning the companies would need to put additional transfer mechanisms in place to legitimise the transfer of data from the EU to the UK). This appears to be a relatively significant restraint on the UK’s autonomy over its own laws in the pending post-Brexit world, although presumably a concession that the UK was willing to make given that it had always intended to effectively transpose the GDPR into UK domestic law.

Implications for adequacy

It is difficult at this stage to understand what the implications of the Brexit Deal could be for the ongoing adequacy assessment being undertaken by the European Commission. The establishment of an interim 4-6 month data transfer window could lead some to be cautiously optimistic that the European Commission simply needs a bit more time to dot its ‘i’s and cross its ‘t’s with respect to adequacy. However, the relatively long shopping list of actions that the UK is prevented from taking in the field of data protection in order to keep the data transfer window open for that 4-6 month period hints at a nervousness within the European Commission that the UK may move away from the principles of the GDPR in the future, something that could prevent an adequacy decision being granted in its favour. As a result, many companies may be left with the distinct impression that the deal is simply delaying the inevitable cliff edge when it comes to data transfers. The implications of not obtaining an adequacy decision are particularly concerning when considering the possible implications of the CJEU judgment in the Schrems II case earlier this year (for further details, please see our Schrems blog posts available here). So whilst the interim data transfer window provided by the Brexit Deal will likely be welcomed, there nonetheless remains an anxious wait to understand the European Commission’s position on the long-term adequacy of the UK in the eyes of data protection law.

Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Brexit, Data, Brexit

As we all continue to try to grapple with the implications of a no-deal Brexit, the last week or two has seen the publication of a few things of interest from a data protection perspective:

The EDPB’s view of data transfers in a no-deal Brexit scenario

On 12 February 2019, the European Data Protection Board (the “EDPB“) published a general information note on data transfers under the GDPR in the event of a no-deal Brexit (available here). In summary, the information note provides that organisations must comply with the GDPR when transferring personal data from the EU to the UK, which will become a “third country” for GDPR purposes (from 00.00 am CET on 30 March 2019). No new or additional safeguards are contemplated by the EDPB which effectively means that organisations must choose between:

  • Standard contractual clauses (which the EDPB acknowledges are “ready to use”);
  • Binding corporate rules;
  • Codes of conduct or certification mechanisms (although none are yet approved/available under the GDPR); or
  • Derogations such as individual explicit consent (although the EDPB emphasises that the derogations must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive).

For further information regarding the potential impact of a no-deal Brexit on data transfers, including an analysis of worked examples, please see our previous blog post available here.

Continue reading

UK Government note clarifies “no deal” and data protection

The UK Government has published a “no deal” note to clarify how data protection law will work in the event that the UK leaves the EU without a deal. The note confirms that separate draft regulations and more detailed guidance will be published in the next few weeks but, in the meantime, it clarifies at a high level a number of key issues for organisations both within the UK and outside but doing business with the UK.

Continue reading

Brexit Withdrawal Agreement: Impact for data protection

Following a UK Cabinet meeting on 14 November 2018, the UK Government has announced support for the text of a draft Withdrawal Agreement and an outline of the Political Declaration on the Future Relationship agreed with EU negotiators. The Withdrawal Agreement sets out the arrangements for the UK’s withdrawal from the EU on 29 March 2019 and includes a transition period through to 31 December 2020, during which EU law will continue to apply in and to the UK (the “Transition Period”). Data protection features in both the draft Withdrawal Agreement and the outline Political Declaration, reflecting the significance of the data protection rules to both the EU and the UK.

Continue reading

Data protection if there’s no Brexit deal

On 13 September 2018, the UK Government published a series of technical notes setting out the implications in various sectors and areas of a ‘no deal’ scenario (i.e. a scenario in which the UK leaves the EU without an agreement), including a note specifically covering data protection. The note sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EU in the event that the UK leaves the EU in March 2019 with no agreement in place.

Transferring data from the UK to the EU

Even in the event of a ‘no deal’ scenario, the technical note confirms that there should not be any impact on the transfer of personal data from the UK to the EU and beyond. A combination of the UK Data Protection Act 2018 and the EU Withdrawal Act would incorporate the GDPR into UK law. As such, the provisions currently found in Chapter V of the GDPR, which prohibit the transfer of personal data outside of the EEA without adequate safeguards in place, would remain. UK entities would therefore continue to be able to freely send personal data from the UK to the EU, and would continue to need to satisfy an appropriate legal basis to legitimise the transfer of personal data beyond European borders.

The technical note further confirms that, “in recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU”. However, there is a potential sting in the tail as the technical note provides that the UK will keep this under review – once the UK data protection regime is no longer required to mirror the GDPR, it would in theory be possible for the UK Government to amend the UK rules to provide that, for example, no personal data could be transferred outside of the UK without additional safeguards in place – meaning that this could potentially change in the future.

Continue reading