Data Protection: What can we expect from 1 January 2021?

With the UK's exit from the EU edging closer, businesses must look to futureproof their operations. Here, we answer some of the most frequently asked questions (so far) relating to data protection post-Brexit.

What data protection law will apply in the UK after 1 January 2021?

Good question. We will no longer be part of the EU, so what happens to the GDPR? The applicable law from 1 January 2021 will be a consolidated and amended version of the GDPR and the UK’s Data Protection Act 2018, to be known as the UK GDPR. The intention is that the UK’s data protection laws, at least on 1 January, and subject to a couple of exceptions around law enforcement and intelligence services, will more or less be “aligned” to those of the EU. There is, however, no guarantee that the UK’s data protection legislation will always remain aligned with the EU GDPR – this is a “watch this space” matter. So all the obligations you have now, such as having valid legal bases for processing and providing privacy notices, will stay the same.

We receive personal data in the form of customer details from [insert country of your choice from within the EEA]. We have been told that the UK is likely to be a “third country” from 1 January 2021. What does being a “third country” mean and what impact will that have on us if we want to continue to trade?

The UK’s status as a third country means that the GDPR no longer applies to the UK and personal data cannot be transferred from the EEA to the UK, or vice versa, unless there is another data protection mechanism in place.

To ensure that your business can continue to trade, we recommend working with your EEA contacts to ensure compliant transfers of personal data using additional mechanisms such as the addition of standard contractual clauses (SCCs) which must be inserted into contracts, or added as an appendix to existing contracts. Standard contractual clauses are pre-agreed (by the Commission) provisions which will enable you to continue to share data. They will require you to have an understanding of the personal data that is shared along with the purposes for which it is used and the security applied to it. If you are compliant with current data protection rules, this should not be significantly onerous.

We are based in the UK, will we still be able to send or share personal data with our colleagues in [insert name of any country in the EEA]?

The short answer is yes, but there is always a “but”...

The long answer: All EEA countries will, as of 1 January 2021, become third countries under the UK data protection legislation; however, the UK Government has confirmed that it will recognise that all EEA states have adequate data protection mechanisms for personal data. This means that personal data can flow freely from the UK to the EEA. The UK Government has also confirmed that this recognition extends to the 12 countries outside the EEA with which the EU has signed adequacy agreements – so this will include Argentina, Japan, New Zealand, Switzerland and so on.

But remember: should you wish to transfer data to countries other than those listed above, you will still need to ensure there is some form of mechanism in place – such as the standard contractual clauses mentioned above. We understand that the UK Government will, for the time being, recognise and continue to use standard contractual clauses as an appropriate mechanism.

Further, a business that is based in the UK and does not have a branch in the EU or EEA and offers goods or services to individuals in the EEA, or monitors the behaviour of individuals in the EEA, will have to comply with EU GDPR and appoint an EU representative in the EEA.

Our company deals with customers in the EU and we have been asked, who will be our representative in the EU when the transition period comes to an end? What is a representative?

It is highly likely that the UK will come to the end of the transition period and there will be a “no deal” scenario. In such a case, the UK will be deemed to be a third country for data protection purposes (and for many other trading areas) under EU data protection laws. For the purposes of EU data protection, your company will then be a “Non-EU entity”.

Non-EU entities that are subject to the territorial scope of the EU GDPR without being established in the EU have to appoint a representative in the EU.

When are you caught by the territorial scope? Where you (whether you are a controller or a processor) are offering goods or services to data subjects in the EU or are monitoring the behaviour of EU data subjects, you are likely to be caught by the extra-territorial jurisdiction of the EU GDPR under Article 3(2) and be required to appoint a Representative in the EU (in one country).

What is a Representative? Art 27 of the EU GDPR provides that a Representative is “a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation [the EU GDPR]”. It is about offering a contact point to data subjects in the EU. Your company will still remain liable and responsible for its own processing activities.

So, does your company need to appoint an EU Representative? Yes, if Art 3(2) applies to you, unless you are a public body, or your processing of personal data is only occasional, does not include large scale processing of special category data and is unlikely to result in a risk to the rights and freedoms of those data subjects.

What is involved in appointing a Representative?

The Representative can be an individual, company, or organisation.

Article 27(3) of the GDPR states that “the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.”

When appointing a Representative, you should consider the following points:

  • Locate and appoint a Representative in a Member State that your business operates in.
  • When appointing the Representative make sure to put in place a Services Agreement (you have to appoint a Representative in writing) and clearly set out the Representative’s obligations.
  • Ensure the Representative is easily accessible to all data subjects located in Member States.
  • Ensure the Representative can communicate in the languages of the data subjects, supervisory authorities, and Member States.
  • If the Representative is a company, an individual should be assigned to be in charge of the function.
  • Ensure the details of your Representative are available by, for example, including their details on the business’ website or privacy notice.

What obligations can we expect to get hit with in our [contract] [terms and conditions] [data processing agreement]?

If you are already processing personal data which originates from the EEA (i.e. non-UK data subjects), the EU GDPR continues to apply to those data but you will need to take extra steps from 1 January 2021. For many organisations, this means putting in place additional contractual measures, including SCCs to ensure the data can continue to flow from the EEA country to you in the UK. See above for more details on SCCs.

When can we expect to get an adequacy decision from the European Commission on the UK’s data protection legislation?

We await a decision from the European Commission on the adequacy of UK data protection legislation. It is quite uncertain whether the European Commission will be in a position to give its decision on adequacy before the end of the transition period. Should there be no adequacy decision at the end of the transition period, this will have serious implications for any business that is a data importer from the EU. Where your business is in the UK and you are receiving personal data from the EU, you will need to demonstrate, in the absence of an adequacy decision, that the transfers are the subject of appropriate safeguards (Art 46). The most likely safeguard for a trading entity will be the SCCs discussed above.

We are based in [insert country of your choice from within the EEA]; will we be able to lawfully transfer data to our Scottish distributor in the absence of an Adequacy Decision?

Implementing SCCs is the answer here; however, there may be other methods which you may be able to rely on, depending on the nature of the transfer.

Although there may be other methods that your business can rely on depending on the nature of the data transfer, SCCs should be at the forefront of a business’ mind. SCCs are a standard set of contractual terms and conditions which the sender and the recipient of the personal data both agree to.

Will I still be able to send or share personal data with my head office in the USA?

In the Schrems II decision, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield and raised questions surrounding the use of SCCs. SCCs can still be utilised for transferring personal data to/from the USA; however, the onus is on the business to decide whether the SCCs in place between the parties adequately protect the data, and to implement additional protective measures when required. For example, data could be anonymised or encrypted. A failure to put adequate measures in place could lead to action by supervisory authorities, who may prohibit the transfers of personal data.

How can we help?

If you have any questions about preparing your business for Brexit and updating your data protection practices and procedures, please contact a member of our GDPR & Cyber Security team.
