Just go with the flow? Data flows in a post-Brexit world
This article was co-authored by Sheena Purohit, Trainee Solicitor, London office.
As 2020 was finally drawing to an end, many of us wondered whether the much talked about ‘no-deal’ Brexit would become a reality after many failed negotiations between the UK and EU. With just days before the completion deadline, it was announced on 24 December that an agreement had finally been reached between the parties (some might say it was a Christmas miracle!).
Known as the Trade and Co-operation Agreement, implemented by the European Union (Future Relationship) Act 2020, the instrument sets out the new arrangements to commence on 1 January 2021 upon expiry of the Brexit transition period at 11pm on 31 December 2020.
The management and handling of data flows from the EU and EEA states (Norway, Iceland and Liechtenstein) into the UK is one of many issues dealt with by the agreement and one which many UK SMEs have eagerly been awaiting a definitive decision on.
As the UK has now officially left the EU, the EU GDPR no longer has direct application in the UK which has now gained full control over its data protection laws. As such, from 1 January 2021, UK businesses will be covered by the UK data protection regime which incorporates the GDPR into UK law (known as ‘UK GDPR’) alongside the Data Protection Act 2018. Any data flowing from the EU/EEA to the UK however will still need to comply with the EU data protection laws until an adequacy finding is reached which will allow the continued free flow of data from the EU/EEA to the UK.
While an adequacy finding remains to be reached, the agreement sets out an interim provision known as a ‘bridging mechanism’ which will last for a maximum of six months. The bridging mechanism allows personal data transfers from the EU/EEA to the UK to continue unaffected. However, this is only so long as the current UK data protection regime continues to apply.
This announcement comes as good news to UK SMEs processing personal data from the EU who can now breathe a momentary sigh of relief, however the Information Commissioner’s Office (ICO) issued a statement on 28 December 2020 advising organisations to take precautionary steps to ensure that alternative transfer mechanisms are adopted to avoid any potential interruption to data flows.
Although the bridging mechanism gives SMEs six months’ breathing space, allowing the flow of personal data into the UK from the EU to continue for the time being, it will not do so indefinitely. While we all hope that the EU Commission will make an adequacy finding in the UK’s favour, there is the risk that it may not. So, just as businesses prepared themselves for the implementation of GDPR in 2018, it is once again time for SMEs to take stock and put measures in place to avoid any potential interruptions to the free flow of data that many businesses rely on (although this time the changes should be more minor in nature).
SMEs and SCCs
SMEs who receive data from the EU/EEA have been advised by the ICO to put in place alternative transfer mechanisms as a precautionary measure to avoid any interruption to the free transfer of data. There are various measures businesses can take including implementing the Standard Contractual Clauses (SCCs), implementing Binding Corporate Rules or using one of the derogations available in the GDPR. For SMEs, the best option will likely be to put in place SCCs which allow data to flow freely on EU approved terms.
SCCs are essentially a set of standard terms and conditions entered into by the sender and recipient of personal data in order to help protect personal data being sent outside of the EU/EEA and outside the jurisdiction of the GDPR.
The ICO has helpfully published an interactive tool on SCCs to assist SMEs to understand and select the correct SCCs to allow them to maintain the flow of data from the EU and can be found here.
SMEs that send data from the UK to the EU/EEA only are not affected and do not need to take any additional steps as the UK Government has confirmed that such transfers are not restricted and SMEs do not need to take any additional steps.
Top tips for SMEs:
Related item: The Free Trade Agreement – implications for SMEs