The impact on the UK's data protection regime and the steps UK charities need to take to ensure personal data can continue to flow across UK-EEA borders.
The European Commission has published a draft adequacy decision in respect of the UK's data protection regime. This means that, assuming the adequacy decision is adopted, personal data can continue to flow between the European Economic Area ("EEA") and the UK on the basis of this adequacy decision.
The above is the technical legal part. Below we explain in more detail what this means practically for UK charities.
What has been the position on data protection post-Brexit so far?
Moving away from the EU GDPR to a new UK GDPR
On 31 December 2020, the transition agreement between the UK and the EU ceased to apply and the new trade and co-operation agreement took effect. From this point, the UK was no longer subject to EU regulations, including the EU's General Data Protection Regulation ("EU GDPR").
The UK, as part of its post-transition measures, implemented its own UK General Data Protection Regulation ("UK GDPR"), which is broadly similar to the EU GDPR but with minor changes (e.g. replacing references to EU institutions with the equivalent UK body).
Being a third country under the EU GDPR and the UK GDPR
The end of the transition period means the UK has, from 31 December 2020, been a third country for the purposes of the EU GDPR (and the countries within the EEA have become third countries for the purposes of the UK GDPR).
Under both sets of regulations (which, remember, are broadly identical), transfers of personal data to third countries can only take place if specific protections are in place (save for specific circumstances, e.g. where the explicit consent of the data subject has been received).
The two most common protections are:
(i) an adequacy decision (now known as adequacy regulations in the UK GDPR), certifying that the third country's data protection regime provides sufficient protection to the rights of the data subject; and
(ii) standard contractual clauses (in a standardised form approved by the relevant authority) in place between the two parties sharing the personal data.
Practically speaking, standard contractual clauses are much more onerous to put in place.
Given that parties based in the UK and EEA share a lot of personal data between one another and the UK GDPR and the EU GDPR are about as similar as comparable international regulations get, it was hoped that both parties would issue an adequacy decision in respect of the other's data protection regulation.
Adequacy decisions and regulations
The UK has already accepted that the EU's data protection regime is adequate and has therefore made an adequacy regulation. Personal data being shared from the UK to the EEA is therefore possible under the UK GDPR through this adequacy regulation.
The European Commission wanted more time to assess the UK's data protection regime before granting an adequacy decision. Given the amount of personal data shared between the UK and EEA, it was agreed that a temporary permission would be given for data to continue to be shared between the EEA and the UK for up to 6 months after the end of the transition period, in effect allowing personal data to be shared between the two territories as if the UK was still a member of the EU.
The draft adequacy decision, assuming it is finalised, will bring the UK in line with other third countries who share data freely with the EEA based on adequacy decisions.
What does an adequacy decision mean for my organisation?
Whilst an adequacy decision from the European Commission and an adequacy regulation from the UK allow for the transfer of personal data without the need for standard contractual clauses or other additional measures, there are still differences from the old GDPR regime now that the UK sits outside of EU regulation:
- All organisations will need to make sure that they review their privacy information and documentation to identify any minor changes that need to be made by the end of the transition period, e.g. updating references to correct regulations. As we approach the third anniversary of the introduction of the GDPR, it is an ideal moment to carry out a health check of data protection compliance documentation.
- UK organisations with an office, branch or other established presence in the EEA will need to comply with both UK and EU data protection regulations at the end of the transition period. The UK and EEA establishments will each be responsible for ensuring compliance with their respective data protection regimes.
- Organisations without a base in the UK, but who offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, will still need to comply with the EU GDPR in relation to these activities.
In most cases such organisations will also need to appoint a suitable representative based in the EEA to act on the organisation's behalf in respect of the EU GDPR compliance, normally through an agreement with the EEA-based entity to provide such services. Given the potential fines under the EU GDPR and the UK GDPR were something to go wrong, the terms of this agreement will be crucial to provide protection to both the EEA representative and the UK organisation.
EEA data subjects will need to be notified of the EEA representative, which can be done through an update to the UK organisation's privacy notice.
Rules for sharing data with countries outside the EEA will remain similar for the time being.
Could the adequacy decision be revoked?
The adequacy decision from the European Commission still needs to be formally adopted. It is hoped that the draft decision will be adopted without problem, but nothing is secure until the adequacy decision is adopted in full.
Even after adoption, there is a chance that the decision could be challenged in the European courts. Privacy activists have raised concerns about the use of personal data under the UK's surveillance legislation.
The recent Schrems case overturned an adequacy decision with the EU-US 'Privacy Shield' scheme, something which could happen to the EU-UK adequacy decision in a worst-case scenario.
If organisations are concerned about crucial personal data being prevented from being shared in the event of a Schrems-like decision in respect of the EU-UK adequacy decision, further steps could be taken to protect against such a scenario. For example, standard contractual clauses could be put in place between UK and EEA organisations to provide a failsafe method for transferring personal data between the two territories in the event of a judgment striking down the EU-UK adequacy decision. However, the standard contractual clauses are currently being revised by the European Commission, so it might be best to hold off putting such arrangements in place for the time being.
As it stands, the publication of the draft adequacy decision by the European Commission should be seen as a significant step towards ensuring that UK-EEA personal data transfers can continue to flow.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.