New law: Issues for UK businesses transferring personal data about EEA individuals to the UK mount up as end of Brexit transition period approaches
Businesses that transfer personal data about individuals in the EEA (the European Economic Area, which means EU member states, plus Norway, Iceland and Liechtenstein) to the UK should be taking action now to prepare for the end of the Brexit transition period, when the UK becomes a ‘third country’.
This update was published in Legal Alert - October 2020
Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business.
EU data protection law limits the transfer of the personal data of EEA individuals to ‘third countries’ – countries outside the EEA – unless that data is either protected in prescribed ways or the transfer falls within a narrow range of exceptions.
UK businesses that transfer personal data of EU individuals into the UK after the end of the Brexit transition period – 11pm on 31 December 2020, when the UK becomes a third country – will need to have addressed a number of issues before then.
EU/UK data transfers are currently allowed if, for example (1) the relevant agreements to transfer data include prescribed, standard contractual clauses (SCCs) covering data protection issues and/or (2) the organisations involved observe binding corporate rules (BCRs) approved by appropriate authorities and follow codes of conduct certified by appropriate authorities.
A recent ‘Notice to Stakeholders: Withdrawal of the UK and EU Rules in the Field of Data Protection’ from the European Commission clarifies how such rules will be affected when the transition period ends – for example, that corporate rules on data transfer approved by the UK authorities as providing adequate data protection safeguards after 25 May 2018 will no longer be effective unless a competent EU authority provides a fresh approval; and that approval of data protection Codes of Conduct and Certification by UK authorities will no longer be recognised.
- Particularly, SCCs may need to be reviewed following a recent legal ruling in the European Court of Justice relating to data transfers involving the USA. This has prompted the Information Commissioner’s Office (ICO) to issue an initial statement, the European Data Protection Board (EDPB) to issue FAQs, and the ICO to launch an interactive tool to help small and medium-sized businesses determine whether SCCs are applicable, select the right one, understand it and implement it. The tool can be accessed from the ICO’s online guidance ‘Data protection at the end of the transition period’.
- Also, businesses using BCRs where the ICO is lead supervisory authority, but which have an office in another member state, may need to swap the ICO for an EU regulator.
- Businesses which do not already have a presence in the EU may need to appoint a representative within the EU from the end of the transition period.
- Businesses may wish to review the wording of the consents they obtain from EEA individuals to use their personal data – for example, from visitors to their websites – to ensure they are still obtaining valid consents once the UK becomes a third country.
- It is still unclear whether consents already given will remain valid for EEA individuals whose details are already held. Businesses may need to seek fresh consents after the end of the transition period.
- Businesses may wish to redraft their privacy policies to make it clearer where personal data is moved to and from.
- 1 January 2021
Businesses transferring personal data of EEA individuals to the UK after the end of the transition period should:
- Check out the European Commission’s Notice, the ICO’s initial statement, the EDPB’s FAQs and the ICO’s online guidance (which links to the ICO’s interactive tool for small and medium-sized businesses).
- Consider consents, SCCs, privacy policies, staff training and other relevant systems and processes.
- Consider whether they need to appoint an EU representative if they do not already have a presence there.
- Appoint a data protection officer to take control of data protection issues arising at the end of the transition period, and going forward.
Disclaimer: This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.
Copyright © Atom Content Marketing