Brexit and data protection: can personal data still be transferred from the EU to the UK?
Kellsey Logue explains how data protection regulation is likely to change after the end of the Brexit transition period, and how businesses can prepare for it.
We’ve now officially left the EU. Yet, so far, very little has changed for data protection law. That’s because the EU-UK withdrawal agreement provides for a ‘transition period’ which lasts until 31 December 2020.
During this time, the existing laws and arrangements for data protection and transfers of data between the EU and the UK will continue to apply. However, beyond that date, things will change.
One of the key restrictions in the GDPR is that personal data cannot be transferred outside of the EEA unless certain criteria is met. Once the transition period ends, transfer of personal data from the EU to the UK will be caught by this restriction.
Nothing has changed for now, but the transition period gives businesses who collect or receive personal data from EU citizens an opportunity to put in place the necessary protections to ensure that personal data can continue to flow.
Transferring personal data after the transition period?
The flow of personal data between the UK, the EEA, and the rest of the world, is essential for the functioning of many businesses.
After the transition period ends, the UK will be considered a ‘third country’ to the EU and EEA. So, unless the European Commission grants the UK an adequacy decision (meaning it considers the UK provides an adequate level of protection for personal data), the free flow of personal data from the EU to the UK won’t be allowed.
While the European Commission said it would start to assess the UK’s adequacy as soon as possible after exit day, adequacy decisions can take up to a few years. In the absence of an adequacy decision, further safeguards would need to be implemented.
How can you prepare?
To prepare for potential new safeguards, you should consider introducing standard contractual clauses and appointing a legal representative.
Standard contractual clauses
Given the uncertainty around the timing of any adequacy decision businesses would be wise to implement standard contractual clauses into their contracts with organisations based in the EEA, where personal data is being transferred.
Standard contractual clauses are recognised by the EU as an appropriate safeguard under EU GDPR, and include contractual obligations to protect personal data.
Appointing a local representative
After the end of the transition period, if you, as a data controller:
- collect or process personal data of individuals based in the EEA,
- do this in connection with offering goods or services to those individuals,
- and do not have any offices in the EU,
you will need to appoint a designated local representative based in the EU.
The local representative will act as a ‘go-to’ contact, for the individuals whose personal data is being processed, and for supervisory authorities in the EU.
The representative should be appointed in writing to act on your behalf for the purposes of EU GDPR compliance. They should also be allowed to deal with supervisory authorities on your behalf.
As recent guidance from ICO pointed out, though, there is no need to appoint a local representative at this stage or until the transition period is closer to an end.
How can we help?
If you would like advice on standard contractual clauses, or further advice on preparing for compliance with data protection laws post- transition period, then please contact Kellsey Logue at k.logue@capitallaw.co.uk.
