Data Privacy, International Data Transfers and Brexit: what next in 2020?

Posted on 24 January 2020

Throughout 2019 we did our best to keep up with Brexit (Would it happen? When would it happen? What form might it take?).

You can read our attempts here.

Since the result of the UK general election on 12 December 2019, we have a much clearer idea of how Brexit will impact on data privacy, with Boris Johnson expected to use his majority of 80 to “Get Brexit Done” and pass the EU (Withdrawal Agreement) Bill imminently.

So, it seems, the UK will leave the EU at 11pm UK time on 31 January 2020. And there will then be a ‘transition period’ of 11 months, to 31 December 2020. The transition period can be extended by agreement with the EU and it’s is very possible an extension will be necessary.

What does this mean for the GDPR? Will we still need to comply?

The GDPR stays in its current form during the transition period and applies to all organisations processing personal data in the UK.

After the transition period, the GDPR will be incorporated into UK law, so there will be an ‘EU GDPR’ (the original law) and a ‘UK GDPR’ (the law passed by Parliament in the UK) – both of which will contain substantially the same rules (at least for the time being). This does mean that, for some organisations, there will be overlapping requirements such as:

The need to appoint a ‘representative’ in the EU and/or in the UK for organisations based outside, but subject to, the two laws. For instance, if you are an organisation based in Ireland but targeting individuals online in the UK, you’d need to appoint a representative in the UK (under the UK GDPR). Likewise, if you are an organisation based in the UK but targeting individuals online in France, you’d need to appoint a representative in France (under the EU GDPR). Bear in mind that there are exceptions to the requirement to appoint a representative as well.
Reporting data security breaches to both the UK ICO and one or more relevant EU regulators.

How do we lawfully transfer personal data from the EU to the UK?

During the transition period, these data transfers will be unaffected and can continue without you having to take any further steps.

The European Commission’s ‘Task Force’ for relations with the UK gave an encouraging update earlier this month. The Task Force indicated that it will endeavour to adopt an ‘adequacy decision’ for the UK by the end of 2020. If the Commission decides that the UK is ‘adequate’, then data transfers from the EU to the UK can continue without further steps.

But if the UK is not awarded ‘adequacy’, then you would need to take additional steps to transfer personal data from the EU to the UK – most likely, by using the Standard Contractual Clauses (model data transfer agreements approved by the EU).

Will the UK be deemed ‘adequate’ by December 2020?

Hopefully. The Task Force notes that these will be ‘complex and politically sensitive negotiations’. The adequacy process is designed to ensure that personal data leaving the EU remains subject to essentially equivalent protections. A number of countries, most recently Japan, have been deemed ‘adequate’, but the quickest negotiation (Argentina) took 18 months. And the UK only has 11 months.

The UK is (currently) in an unprecedented state of alignment with the EU’s data privacy rules, which should help. But there are also concerns about the UK Government’s access to personal data under the Investigatory Powers Act 2016 (the ‘Snooper’s Charter’) which will need to be considered.

An Updates by an Advocate General of the European Court of Justice (CJEU) a few days ago made the likelihood of the UK receiving adequacy status harder. While not a decision by the court itself (which will follow and could deviate from the Updates), the Advocate General recommended that the UK’s requirement on telephone and internet companies to retain data for the surveillance purposes of intelligence agencies is unlawful. If the court agrees, the UK legal regime will have failed under EU law to properly protect individuals’ privacy. We will need to wait and see how critical this aspect is for the European Commission when it assesses the UK data privacy regime for adequacy.

How do we transfer personal data from the UK to the EU?

During the transition period, this will also be ‘business as usual’.

The UK Government has indicated that it is committed to granting reciprocal ‘adequacy’ status to the EU, so the aim will be for the free flow of data to continue after 2020.

How do we transfer personal data from the UK to the rest of the world?

Again, during the transition period, nothing will change. Transfers to countries declared ‘adequate’ by the European Commission can continue without steps being taken, and transfers to other third countries will require safeguards such as the Standard Contractual Clauses.

After the transition period, the UK has indicated it is committed to, at least initially, adopting existing EU adequacy decisions and safeguards such as the Standard Contractual Clauses. Over time, the UK will develop its own processes for reviewing these transfer mechanisms and for approving new adequacy decisions.

Is there anything we can be doing now?

Now might be a good time to review any standard data privacy wording in your contracts – references to the EU, to Member States, and to the EU GDPR could soon be out of date depending on whether the contract is only focussed on activities in the UK. Any precedent contracts that will be used in the future should be reviewed to see what changes should be made.

It is still too early to confirm whether Standard Contractual Clauses will be necessary for EU to UK data transfers (since the UK could still be declared adequate), but it would be sensible to identify whether your organisation in involved in such data flows, and what the contract says about them (for example, it might prohibit the transfer of personal data to countries outside of the EU – from February 2020, technically, that could include the UK).

A final word about the Standard Contractual Clauses

For some time the sword of Damocles has been hovering over the Standard Contractual Clauses due to a challenge to their legitimacy in the CJEU. Privacy activists had argued that the Standard Contractual Clauses fail to protect the privacy of individuals when relied upon for personal data transferred to third countries whose public authorities were involved in surveillance practices.

In an Updates in December 2019, an Advocate General recommended that the CJEU uphold the Standard Contractual Clauses as valid. Given how many organisations rely on the Standard Contractual Clauses for international data transfers, this Updates is highly significant and helpful. There’s no guarantee that the CJEU will follow the Advocate General’s Updates but, for the time being, organisations can confidently continue to rely on the Standard Contractual Clauses.

If you have any questions, our data privacy team would be happy to discuss the latest developments, and recommended approaches with you.

Watch again | Balancing responsibility & innovation – How can we develop and implement ethical AI? | 4 July

A recent explosion in innovation has meant AI has become more popular and powerful. AI and automated decision-making, especially in …

Practical tips for deploying AI

With AI integration becoming increasingly common, it is vital that businesses deploy AI systems in a way that complies with …

Data Protection and Digital Information Bill

Summary Ministers have set out a vision for the UK’s technology strategy. The UK is to become a “tech superpower” …

Election ’24: The data protection considerations of political campaigning (part two)

Communicating with individuals and processing personal data are an essential part of campaigning and advocacy. Read our latest Election '24 factsheet on the data protection rules that you should bear in mind.

EdTech and the application of the ICO Children’s Code

In this factsheet, we briefly outline when the ICO's Children's Code applies to Edtech providers and other key data protection considerations for schools and Edtech service providers.

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Performance

Analytics

Others