Brexit and Schrems II follow up: what’s on the horizon for data protection?

Posted: 13/11/2020
As the UK prepares to leave the EU at the end of the transition period, the most important question that remains is whether or not the European Commission will make an ‘adequacy decision’ in favour of the UK in time for the end of the transition period.

To add to this, the Court of Justice of the European Union’s (CJEU) recent Schrems II decision has created additional confusion for organisations regarding the steps they need to take to prepare for 31 December 2020.

Businesses should therefore start to review their data protection policies and processes now (if they have not done so already) to ensure they will be compliant with the new regime from 1 January 2021.

New UK regime

The obligations created by the EU General Data Protection Regulation (referred to here as the ‘EU GDPR’) are currently directly applicable in the UK as well as in EU member states. They are supplemented by domestic legislation, which in the UK is chiefly the Data Protection Act 2018. On expiry of the transition period, the UK will incorporate a slightly amended version of the EU GDPR into UK domestic law (the ‘UK GDPR’) through the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. This will create a ‘dual regime’ of EU GDPR and UK GDPR, both of which have extra-territorial impact. Organisations will therefore need to know how they are affected by this dual regime. We have created the table below to assist:

Where is the organisation? / Whose data is being processed? / Dual regime impact

Organisation in the UK, processing personal data of UK data subjects only:
‘Business as usual’ for UK-only data processing. The UK GDPR is very similar to the existing EU GDPR. Therefore, businesses in the UK that are collecting and processing data of UK data subjects in compliance with the existing legislation are unlikely to need to make significant changes to prepare for the end of the transition period.

Organisation in the UK, processing personal data of EU27 data subjects:
Businesses that are based in the UK and process data of EU27 data subjects will now be bound by the EU GDPR by virtue of its extra-territorial effect on such UK businesses, rather than directly. This will apply in addition to compliance requirements under the UK GDPR relating to processing data of UK data subjects.

Organisation in the EU27, processing personal data of UK data subjects:
Businesses that are based in the EU and process personal data of UK data subjects will need to comply with the UK GDPR (which will have extra-territorial effect on such EU27 businesses). This will apply in addition to existing compliance measures for EU GDPR relating to processing data of EU data subjects.

Organisation outside the UK and EU27, processing personal data of UK and EU27 data subjects:
Businesses that are based outside the UK and EU27 and are currently caught by the extra-territorial impact of the EU GDPR will need to consider the extent to which they will now need to comply both with the EU GDPR and the UK GDPR (which also has extra-territorial impact).

International transfers of personal data

A key area that will need to be considered is international data transfers.

Adequacy – transfers from the UK

Under the EU GDPR (unless a derogation applies), any transfer of data to a third country (ie a non-EEA country) must be a transfer to a country which is the subject of an adequacy decision by the European Commission. If this is not the case, the parties transferring and receiving the personal data must ensure that ‘adequate safeguards’ are in place so that the personal data continues to benefit from high standards of protection. The UK GDPR regime will require consideration of whether or not recipient countries are subject to a UK adequacy decision in respect of transfers of data from the UK.

In this regard, the UK Information Commissioner’s Office (ICO) confirms that it is the UK Government’s intention that:

  • transfers of data from the UK to the EEA will be permitted (this will be kept under review); and
  • EU Commission adequacy decisions made before the end of the transition period will be recognised by the UK, and so far 11 of the 12 third countries deemed adequate by the EU have informed the UK that they will maintain unrestricted personal data flows with the UK (negotiations between the UK and Andorra are currently ongoing).

This provides some comfort in relation to transfers from the UK to the EEA itself, and to the countries listed below that are covered by a European Commission adequacy decision:

  • Andorra (as noted above, negotiations between the UK and Andorra are currently ongoing);
  • Argentina;
  • Canada (in respect of data covered by specific Canadian regulations);
  • Faroe Islands;
  • Guernsey;
  • Israel;
  • Isle of Man;
  • Japan (private sector organisations);
  • Jersey;
  • New Zealand;
  • Switzerland; and
  • Uruguay.

Adequacy – transfers from EU/EEA to UK

After expiry of the Brexit transition period on 31 December 2020, the UK’s ‘third country’ status from an EU perspective will take effect.

If the UK is granted an adequacy decision by the European Commission before the end of the Brexit transition period, personal data will continue to flow freely from the EU/EEA to the UK without any interruption.

The UK Government has confirmed that the EU's data adequacy assessment of the UK is underway. However, whether the European Commission will grant an adequacy decision by the end of the transition period is by no means certain, particularly in light of a recent CJEU decision holding that the bulk collection of communications data for national security purposes is incompatible with EU law. The reference to the CJEU joined a number of cases, including one brought by the rights advocacy charity Privacy International against the UK Government. In that case, the CJEU considered the broad powers granted by the UK’s Regulation of Investigatory Powers Act to government agencies to intercept and retain digital communications for the purposes of combating crime or safeguarding national security. The CJEU found that such national legislation, which requires electronic communication service providers to disclose traffic data and location data to the security agencies by means of general and indiscriminate transmission, goes beyond what is strictly necessary and cannot be justified even where the objective is to safeguard national security.

Schrems II - the impact on data protection post transition period

In Schrems II, the CJEU considered the Privacy Shield, a scheme established between the EU and US to put in place the necessary ‘adequate safeguards’ to enable transfers of personal data between organisations in these two territories. Citing concerns over the US Government’s bulk surveillance of incoming data and lack of routes for EU-based data subjects to challenge this in the US courts, the CJEU invalidated the EU-US Privacy Shield. Consequently, organisations that previously used the Privacy Shield now need to find an alternative method of transferring personal data to the US.

After the end of the transition period the UK will, like the US, be a third country from an EU perspective. As noted above, the CJEU’s recent decision in the Privacy International case found that laws relating to the surveillance of data for the purposes of national security in the UK, as well as other EU member states, were contrary to the Charter of Fundamental Rights of the European Union.

As a result of these two recent CJEU decisions, there are concerns that the European Commission may not make an adequacy decision in respect of the UK, or that this may not be made in time for the end of the transition period. Organisations should start to prepare for this possibility since transfer safeguards (such as standard contractual clauses (SCCs)) will need to be put in place to cover transfers of data from the EU/EEA to the UK.

Transfers from the EU/EEA to the UK

In a recent article, we set out that binding corporate rules (BCRs) and SCCs - also known as ‘model clauses’ - may continue to constitute ‘adequate safeguards’ when transferring personal data outside the EU/EEA, provided that this is assessed on a case-by-case basis. In Schrems II, the CJEU noted that, for the SCCs to be an adequate method of data transfer, the parties to the SCCs must review the relevant transfer to ensure that the SCCs do in practice ensure the effective protection of transferred personal data, especially “where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates.” The decision in Schrems II also applies to the use of BCRs as a transfer mechanism.

As a result of the Schrems II decision, organisations need to conduct transfer impact assessments in relation to existing and future uses of SCCs and BCRs for transfers both to the US and to other third countries, to identify potential risks in the receiving country’s data protection laws and to determine if the SCCs are sufficient by themselves. From 31 December 2020, the UK will be a third country from an EU perspective and so this will include any transfers of data from the EU/EEA to the UK made in reliance on the SCCs or BCRs.

The European Data Protection Board (EDPB) has, following Schrems II, adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, and recommendations on the European Essential Guarantees for surveillance measures. The recommendations apply now, but are open for public consultation until 30 November 2020 and include a roadmap of six steps data exporters should take when carrying out a transfer impact assessment:

  • step 1 – identify what data is being transferred outside the EU/EEA;
  • step 2 – identify the transfer tool you intend to rely on (such as SCCs or BCRs);
  • step 3 – assess whether the transfer tool you are relying on is effective (in particular, if there is anything in the law or practice of the third country that may impinge on the effectiveness of the transfer tool you are relying on, in the context of your specific transfer);
  • step 4 – if the prior step reveals that your transfer tool is not effective, identify and adopt supplementary measures to bring the protection up to a level essentially equivalent to that guaranteed within the EU;
  • step 5 – take any formal procedural steps required to adopt the supplementary measures; and
  • step 6 – monitor developments in the third country to which you have transferred personal data and re-evaluate at appropriate intervals your assessment of the level of protection.

In assessing whether there is anything in the law or practice of the third country that may impinge on the effectiveness of a particular transfer tool (as required by step 3 above), organisations need to look at relevant and objective factors. In particular, the recommendations state that organisations must not rely on subjective factors, such as the likelihood of public authorities accessing their data in a manner not in line with EU standards. Organisations should conduct this assessment with due diligence and document it thoroughly, since they will be held accountable for decisions they take on the basis of it.

As set out in step 4 above, if organisations find that the SCCs or BCRs alone do not provide adequate protection, then they must implement ‘supplementary measures’. The annex to the recommendations includes examples of technical, contractual and organisational measures that might be considered. For each of these categories the recommendations set out appropriate additional safeguards, together with scenarios where the supplementary measures may be effective. Importantly, the recommendations also include scenarios in which the EDPB considers no effective measures could be found. The recommendations further provide that where it is not possible to implement suitable supplementary measures then the transfer should not be made.

  • Technical measures – the recommendations note that strong encryption may be an effective safeguard for data storage in a third country if there is no access to decrypted data at the destination and the keys are held by either the data exporter, another trusted entity in the EEA or a third country that is considered to have an adequate level of data protection. Organisations should refer to the list set out in the annex of six requirements that encryption must meet to be sufficient. Organisations should also note the scenarios for which the EDPB has found no effective safeguards. These include transfers to cloud service providers which require access to the data in the clear (ie unencrypted data) or remote access to data in the clear for business purposes, such as for the provision of intra-group human resource services or to communicate with EU customers of the data exporter by phone or email.
  • Contractual measures – the recommendations note that these will only generally be effective as part of a wider package of supplementary measures, but do discuss some examples of potential clauses data exporters might use to supplement their SCCs, such as contractual commitments to challenge government access to data and, where legally possible, not to disclose data to public authorities without first notifying and obtaining the consent of the data subject.
  • Organisational measures – these may comprise internal policies, organisational methods and standards to complement the technical and contractual measures. What is appropriate will depend on the specific circumstances of the transfer, but the EDPB particularly notes the importance of training those in charge of managing requests for access to personal data from public authorities.

BCRs

Organisations that currently use BCRs as a data transfer mechanism and have the ICO as their BCR lead supervisory authority (SA) will need to identify a new BCR lead SA in the EEA and amend their BCRs before the end of the transition period (the EDPB has provided a checklist of the required amendments in the annex to its information note). For BCRs already approved under the GDPR, the new BCR lead SA will need to issue a new approval decision following an opinion from the EDPB. However, for BCRs approved by the ICO pre-GDPR under Directive 95/46/EC (the GDPR’s predecessor), no such approval is required. It is important that organisations review their BCRs and make the necessary changes (including obtaining a new approval (if applicable)) before the end of the year – otherwise they will not be able to rely on the BCRs as a valid transfer mechanism for transfers of data outside the EEA.

Transfers from the UK to the EU/EEA

At the moment, personal data flows freely from the UK to the EU/EEA and the UK Government has not expressed any intention to change this following the end of transition period.

Representatives

GDPR

As the UK will no longer be part of the EU following the end of the transition period, organisations based in the UK will need to consider the requirements set out in Article 27 of the GDPR. This will mean that UK-based organisations that do not have a branch, office or other establishment in the EU/EEA will need to appoint a representative in an EU member state if the processing activities that they carry out (whether as a controller or a processor) relate to:

  • the offering of goods or services to individuals in the EU/EEA, whether or not such individuals make any payments in connection with such goods or services; or
  • the monitoring of their behaviour as far as such behaviour takes place in the EU/EEA.

This representative then acts as the point of contact between the UK-based organisation and the designated supervisory authority for compliance with the GDPR.

UK GDPR

After the end of the transition period, organisations that are based outside of the UK will need to appoint a UK-based representative to be the point of contact for the UK ICO if they carry out processing activities (whether as a controller or a processor) in relation to:

  • the offering of goods or services to individuals in the UK, whether or not such individuals make any payments in connection with such goods or services; or
  • the monitoring of their behaviour as far as such behaviour takes place in the UK.

Select an alternative lead supervisory authority (LSA)

After the end of the transition period, UK-based organisations will no longer be able to appoint the UK ICO as their lead supervisory authority for EU GDPR compliance. Although the ICO intends to continue to collaborate with EU supervisory authorities, it will no longer be part of the one-stop shop mechanism and will act independently. Consequently, UK organisations that carry out cross-border data processing across multiple EU member states and that currently have the ICO as their lead supervisory authority (LSA) will need to consider whether an alternative EU lead supervisory authority can be appointed to allow the organisation to continue to take advantage of the one-stop shop mechanism.

Data Protection Officers

Organisations that have appointed a Data Protection Officer (DPO) and are established in both the UK and the EEA will need to ensure that their DPO is easily accessible from each of their locations in the UK and the EEA. The DPO will also need to be sufficiently skilled in both EU and UK data protection law. If the organisation is designating a new LSA, it should notify the LSA about its DPO.

Update data protection documentation

Organisations will need to review and update their data protection documentation; in particular, data processing records and privacy notices will need to be amended to reflect any changes made to how transfers of data between the EU/EEA and UK are handled after the end of the transition period. If a new EEA and/or UK representative is appointed or a change to the DPO made, the contact details set out in privacy notices will need to be updated. References to EU law may also require updating. Internal data handling policies will need to be updated to deal with the additional safeguards needed for transfers outside the UK and changes to procedures (such as for notifying data breaches) that require co-operation with the supervisory authorities. Contracts that refer to data transfers within the EU/EEA will also need to be updated.

Checklist

In summary:

  • you should continue to watch for further developments, including in respect of the European Commission’s adequacy decision in respect of the UK;
  • review your cross-border data flows, and consider the transfer safeguards (such as SCCs) you need to put in place to ensure that your business partners in the EEA can continue to share personal data with you if no adequacy decision in favour of the UK is received by the end of the transition period. Be aware of your status in relation to any such transfers (whether (independent or joint) controller or processor) and also consider if the laws of any other jurisdictions are relevant to the data flows;
  • if you are relying (or intend to rely) on SCCs or BCRs to transfer personal data, you should conduct a transfer impact assessment in line with the EDPB's six step roadmap and consider whether the local laws limit or prevent UK or EEA data subjects from enjoying an adequate level of protection. If the transfer impact assessment is unable to give the required comfort that the fundamental rights of the UK or EEA data subjects will not be negatively impacted, put in place effective supplementary measures. If you determine that supplementary measures are not effective to bring the level of data protection to that required under EU and UK law, the transfer must be suspended or an alternative transfer mechanism put in place;
  • you should review and update any BCRs in place across your group - if you currently have the ICO as lead SA you will need to appoint a new BCR lead SA in the EEA and amend your BCRs before the end of the transition period;
  • if you currently transfer personal data to the US in reliance on the EU-US Privacy Shield, switch to an alternative transfer safeguard (such as SCCs);
  • appoint an EEA representative and/or UK representative as necessary and update your privacy notices to include contact details of such appointment(s);
  • establish which EU supervisory authority will become the new LSA for cross-border data transfer within the EU;
  • consider if you need to make any changes to your DPO appointment;
  • update your data processing records and privacy notices to ensure that these are transparent about your organisation’s handling of transfers of data between the EU/EEA and UK;
  • update internal data handling policies so that these deal with the additional safeguards needed for transfers outside the UK and changes to procedures; and
  • update contracts that refer to data transfers within the EU/EEA.

This article has been co-written with Shamerah Neville, a trainee solicitor in the commercial, IP and IT team.


Penningtons Manches Cooper LLP