A contractor’s guide to EU-UK personal data transfers - the new rules
Now you’re on top of the requirement for your UK contractor business to appoint an EU data Representative, you’re also now familiar with the reciprocal nature which underpins parts of the the EU-UK Trade and Cooperation Agreement.
In fact, if any of your EU-based suppliers or partners provide their goods or services to UK residents like yourself, or monitor the behaviour of UK residents, they too may be required to appoint a UK Representative.
While not forgetting this ‘what I must do for you, you must do for me’ approach, let’s consider in this second installment the regime around personal data transfers between the European Economic Area (EEA) and the UK, including mechanisms that you, and potentially they too, now need to put in place, writes Komal Shemar, legal counsel at Gerrish Legal.
Before we do, remember that the UK is no longer part of the EEA, it is considered a “third country” for the purposes of the EU General Data Protection Regulation. And vice-versa – any EEA member states are now considered “third countries” for the purposes of the UK’s national law mirroring the GDPR, the new ‘UK GDPR’ (tailored by the Data Protection Act 2018).
So as all EEA member states are subject to the EU GDPR, they are deemed to all provide the same level of protection to personal data throughout the region. As such, any transfers of EEA personal data between these countries are seen as ‘internal’ transfers that do not require any additional safeguards to be put in place.
Being in the club: an example for contractors
For example, a contractor based in France sending its EEA-based clients’ personal data to a sub-processor in Germany, does not need to put in place any additional legal mechanisms to ensure that this personal data is treated with the same level of protection as it would be in France. (N.B. the two entities could however sign a data processing agreement or include data protection clauses in their contract for services in order to designate the different roles and responsibilities in relation to that personal data, as well as set out liabilities.)
But following the UK’s de facto departure from the EU on December 31st 2020, at which point
the UK ceased to exist as a member of the EEA, the UK is no longer automatically deemed to provide the same level of protection to personal data. So, as we are now outside the EEA, the UK is now included in the same group as all non-EEA countries -- the US, Canada and China for example, and its personal data transfers are now ‘restricted transfers.’
But the UK is no longer a member, so ready the mechanisms
If it helps, think of it this way. Even though, the UK GDPR is a direct implementation of the EU GDPR, and therefore the same level of protection is technically accorded to personal data in the UK, at the time of writing, the UK is free to amend this legislation as they see fit. And in doing so, the UK could actually deviate from the ‘gold standard’ provided under the EU GDPR.
Therefore, as a UK-based business, your contractor company will have to rely on one of the mechanisms under the EU GDPR, to compliantly receive personal data from the EEA, and rely on a mechanism under the UK GDPR to compliantly send UK personal data outside of the country.
Helpfully, the two versions contain identical mechanisms for such transfers! And even more helpfully for contractors at this tremendously busy time of Brexit intertwining with covid-19, the Trade Agreement provides for a four-month grace period before the new rules on personal data transfers are implemented. That said, the new rules will be in force soon, so it is prudent to make sure your affairs are in order if you transfer personal data between the EEA and the UK. At the very least, you might not want to leave it all until April (which is technically feasible because the four-month period could be extended to six months) -- the month that contentious, upending reforms to IR35 kick in.
What are the safeguard mechanisms, and which one should I rely on?
The mechanisms that are most relevant to your contractor business under the EU GDPR and the UK GDPR are as follows:
- Transfers on the basis of an ‘adequacy decision;’ and
- Transfers using the ‘Standard Contractual Clauses.’
What is an adequacy decision?
An adequacy decision is a finding from the European Commission that a third country offers levels of data protection that are essentially equivalent to that within the EU. Such adequacy decisions have only been awarded to 12 countries so far.
They are -- Andorra, Argentina, Canada (limited to commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
In addition, and potentially worth noting for some contractors, the US’s adequacy decision, which was limited to its Privacy Shield framework, was invalidated last year.
Right now, the UK has the power to award its own adequacy regulations for any transfers of UK personal data outside of the UK. There is some good news for UK businesses on this front, as the UK has decided that personal data transfers from the UK to the EEA and the 12 countries above who have a European Commission adequacy decision will be permitted under new adequacy regulations.
While the UK government could review these regulations at a later date, this essentially means that any UK personal data that you send to EEA countries will be allowed to continue in the same way as before Brexit.
The bridge: and what happens at its end
For EEA transfers to the UK, the European Commission has been assessing the UK for an adequacy award. However, they were yet to reach a final verdict when the Trade Agreement was concluded. As a result, the EU and the UK decided to extend the transition period (known as the ‘bridge’) for the free flow of personal data from the EEA to the UK for a period of four months which, as mentioned earlier, could be extended for an additional two months.
In this grace period, the UK will be hoping that they will be awarded a finding of adequacy – in which case, cross-border data transfers from the EEA to the UK will be able to continue in the same way as they did before Brexit happened.
This would be great news for UK contractors and businesses, as both would be able to continue with their current business affairs without any substantial further steps to take (apart from updating privacy policies and wording in relevant contracts).
While it would make sense for an adequacy decision to be awarded – as the UK GDPR is a mirror image of the EU GDPR and there is a significant volume of business conducted between the two territories – this is in no way guaranteed to happen.
The UK has always been considered controversial in its position on intelligence surveillance laws and sharing of data with the Five Eyes alliance for national security purposes, which does not help its case for an adequacy finding. Furthermore, such assessments usually take several years – with the average period being five years. The fastest assessment on record is 18 months, for Argentina.
If an adequacy decision is not awarded by the end of the bridge period, or is delayed beyond this bridge period, then there will be an interruption to the free flow of personal data from the EEA to the UK. In such a case, you will have to look at using the Standard Contractual Clauses.
What are the Standard Contractual Clauses?
The Standard Contractual Clauses (SCCs) are standard sets of T&Cs written by the European Commission which provide contractual safeguards for international transfers of personal data.
The UK GDPR has also adopted the SCCs to be used for UK personal data transfers to third countries. The SCCs are to be entered into and signed by the data sender and the data recipient. As they are model clauses, they must be adopted in their entirety and must be unaltered.
There is a possibility for additional safeguards and commercial terms to be added, either in the designated sections in the SCCs or in an additional data processing agreement. However, these additional terms must not contravene the provisions of the SCCs.
Therefore, as a UK-based business, you will have to review your existing contracts (or lack of) with any clients, partners or vendors from whom you receive EEA personal data or to whom you send UK personal data and who are not covered by an adequacy regulation as detailed above (for example to the US or China).
The Schrems case: what it was about, and why it matters
However, it is unfortunately not as simple as signing a piece of paper and throwing it in the back of your drawer! Following a recent judgement from the European Court of Justice, called ‘Schrems II,’ entering into the SCCs and ensuring that the parties can indeed comply with its terms must be reviewed on a case-by-case basis.
This decision came after an Austrian data privacy activist, Max Schrems, challenged Facebook and its international data transfers in the Irish courts. The result was the invalidation of the EU-US Privacy Shield, which was the US’s partial adequacy decision for companies who had attained Privacy Shield certification, and a requalification of the SCCs.
Following this decision, when parties enter into the SCCs, they must review a whole host of factors such as the type of data being transferred, the recipient country and its national surveillance laws, in order to ensure that there is not a risk to the personal data being transferred. Of course, this ‘risk assessment’ is an extremely difficult thing to ask non-legal professionals to do, given that such reviews are usually reserved for specialist governmental bodies. As such, it has now become increasingly important to seek legal advice when entering into the SCCs, if you are sending or receiving ‘high-risk’ data (such as personal data that national authorities would be interested in), or sending data to countries that are known for strong (or non-transparent) national surveillance laws that conflict with the EU/UK GDPR.
In response to the new requirements, the European Commission have released new draft SCCs which are currently undergoing consultations and reviews before being formally adopted. Additionally, the UK could one day introduce their own SCCs instead of using the existing EU versions. Therefore, it will be important to make sure you sign the most up-to-date versions!
In a nutshell…
We appreciate that a lot is changing in the world of data privacy, and quickly. However, placing data protection at the core of your business will not only protect you from hefty fines and reputational damage in the case of any breaches, but will also strengthen your brand!
Privacy is a concern for consumers and companies alike and having your affairs in order will mean that your clients will trust you and ultimately want to keep working with you. Therefore, reviewing your personal data transfers is a must. To recap:
- You can continue to send personal data from the UK to the EU under the UK’s adequacy regulation;
- You can continue to receive personal data from the EU for the next four (possibly six) months under the bridge period; and
- Following the end of the bridge period, you can continue to receive personal data from the EU either on the basis of an adequacy decision for the UK, or failing that, by entering into the SCCs.
Understood! What’s next?
In our next instalment, we will be discussing the impact of the Trade Agreement on digital trade! In the meantime, please do not hesitate to contact us if you have any questions or concerns in relation to your data privacy regime.