As most in the data community know, the EU-UK Trade and Cooperation Agreement (the “Brexit deal”) was agreed on Christmas Eve. It provides for a transition period (a maximum of six months, until June 30, 2021) in which, after the end of the Brexit transition period on January 1, 2021, data transfers from Europe to Great Britain are not treated as transfers to a third country under Chapter V of the GDPR, provided the UK meets certain conditions in the meantime (see our blog here).
Subsequently, both the European Data Protection Board (“EDPB”) and the UK regulator, the Information Commissioner’s Office (“ICO”), have issued either updated or new answers that provide more clarity on the focus and the events to be expected in the coming year.
The EDPB’s answer
Before the Brexit deal was agreed, the EDPB adopted in mid-December its “Declaration on the end of the Brexit transition period” (here) (the “Statement”) and a “note on data transfers under the GDPR after the transition period to the United Kingdom” (here) (the “Information Note”), highlighting some of the EDPB’s important considerations.
Following the agreement and implementation of the Brexit deal at the beginning of 2021, the EDPB has now updated the Statement and the Information Note.
- The intermediate window for the data transfer
In accordance with Article FINPROV.10A of the Brexit deal, the updated Statement and Information Note emphasize that data transfers to the UK can continue to take place without the need for a transfer instrument under Article 46 or reliance on the derogations under Article 49 until June 30, 2021 at the latest, provided the UK’s current data protection regime remains in place.
- Preparing for an adequacy decision (or the lack of one)
The EDPB gives no further insight into the adequacy of the UK data protection regime, other than that the timeline for a favorable decision has now been postponed to the end of June. If no favorable adequacy decision is made by June 30, 2021, the EDPB emphasizes in the Statement and Information Note that transfers to the UK by companies regulated by the GDPR will be subject to Chapter V of the GDPR. This means that transfers to the UK will require appropriate safeguards under Article 46, such as standard data protection clauses, binding corporate rules, intra-group agreements, codes of conduct, etc., to ensure enforceable rights and effective remedies for data subjects.
The Information Note also reminds controllers and processors that compliance with other GDPR obligations will come more into focus from the end of the interim period, unless there is an adequacy decision, including:
- Updating privacy notices and records of processing to reflect data transfers to the UK;
- Exercising caution when intending to rely on the derogations under Article 49 without safeguards under Article 46, since these derogations are to be interpreted restrictively and are only suitable for occasional and non-repetitive transfers; and
- Considering whether additional measures may need to be put in place, a relatively complex and time-consuming assessment that is discussed further here (although, given that UK data protection law is an application of the GDPR, this should in theory be straightforward).
- One stop shop mechanism
Although this is not affected by the EDPB’s updates, it should be noted that the Statement and Information Note also clarify the applicability in the UK of the one-stop shop (“OSS”) mechanism foreseen by the GDPR.
The OSS mechanism provides that the supervisory authority in the jurisdiction of the main establishment of a company shall act as the lead supervisory authority and, on behalf of the supervisory authorities in each EU jurisdiction, carry out compliance and regulatory functions in relation to that body.
As of January 1, 2021, the OSS no longer applies in the UK, so the ICO is no longer able to act as the lead regulator (i.e. the Brexit deal did not extend this mechanism). The EDPB notes that it has worked with regulators and the ICO to ensure a smooth transition of existing cross-border cases.
The Statement and Information Note remind controllers and processors that they are still free to establish a main establishment in an EU jurisdiction under Article 4 (16) in order to use the OSS mechanism (although this may not be practical for many companies). If they do not, companies must appoint a representative in accordance with Article 27 if their activities are subject to the GDPR under Article 3 (2).
The ICO’s answer
In a blog post published on January 22nd (here), the Information Commissioner, Elizabeth Denham, responded to the Brexit deal (the “ICO response”) by welcoming the EU’s and the UK’s long-term commitments, in particular to the promotion of high international data protection standards, the development of a regulatory relationship and cooperation on enforcement actions.
In the ICO response, the interim period in which data transfers between Europe and the UK remain possible was described as “the best possible outcome for UK organizations”, given the risks and implications for digital commerce had it not happened. Given that this interim period ends in either four or six months under the Brexit deal, the importance of a positive adequacy decision for data flows to the UK is evident in the ICO response, which underlines it by referring to the EU’s commitment, in a statement on the Brexit deal, to review the UK’s adequacy position “immediately”. The ICO response also sounds the warning that adequacy is not guaranteed, so organizations should put reasonable safeguards in place during this window.
Finally, alongside some specific comments on law enforcement data exchanges and the observation that the UK needs to inform the EU-UK Partnership Council as far as possible of new international transfers of personal data between authorities, the ICO response also highlights that decisions in a number of areas (including UK adequacy decisions, approval of international transfer mechanisms or Standard Contractual Clauses) have to be referred to the EU-UK Partnership Council. Given this requirement, a material departure from the current data protection position in the UK may be unlikely in the near future.