Implications of Brexit, navigating data transfers – Legal Monitoring Letter #2

/ Brexit

/ EU-UK Trade and Cooperation Agreement [1]

On 24 December 2020, the EU and UK reached a Trade and Cooperation Agreement which came into effect on 1 January 2021. The Agreement provides that transmission of personal data from the EU to the UK shall not be considered as transfer to a third country for the duration of the specified period (Article FINPROV.10A). The “specified period” begins on the date of entry into force of the Agreement and ends:

–    on the date on which adequacy decisions in relation to the UK are adopted by the European Commission,

or

–    on the date four months after the specified period begins, which period shall be extended by two further months unless one of the Parties objects; whichever is earlier.

The condition is that the data protection legislation of the UK on 31 December 2020, as it is saved and incorporated into United Kingdom law by the European Union (Withdrawal) Act 2018 and as modified by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“the applicable data protection regime”), applies and provided that the UK does not exercise the designated powers without the agreement of the Union within the Partnership Council.

[1]https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/948119/EU-UK_Trade_and_Cooperation_Agreement_24.12.2020.pdf

---

/ Data Transfers

/ Transfers of personal data from the EU/ EEA to the UK

Personal data can be transferred freely between the EU/ EEA and UK without the need for parties to implement additional safeguards (e.g. Standard Contractual Clauses) for up to 6 months after 1 January 2021, or until an adequacy decision is adopted (whichever is earlier).

If an adequacy decision is not adopted before the end of the abovementioned period, data transfers from the EU/ EEA to the UK will require additional safeguards.

/ Transfers of personal data from the UK to the EU/ EEA

Personal data can be transferred freely from the UK to the EU/ EEA without the need for parties to implement additional safeguards because the UK has already designated EEA member states as providing an adequate level of protection of personal data.

/ Transfers of personal data from UK to non-EEA member states

Specific UK-Non EEA member state regulations apply.

/ Transfers of personal data outside the EEA[1]

On 10 November 2020, the European Data Protection Board (EDPB) published draft Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“the Recommendations”). The Recommendations provide a roadmap of the steps to take in order to find out if the controller or processor acting as data exporter, processing personal data within the scope of application of the GDPR, need to put in place supplementary measures to be able to legally transfer data outside the EEA. The suggested steps are as follows:

Step 1: Know your transfers

Mapping all transfers of personal data to third countries. When mapping transfers, the organizations shall not forget to also take into account onward transfers, for instance whether their processors outside the EEA transfer the personal data they entrusted to them to a sub-processor in another third country or in the same third country. It shall also be kept in mind that remote access from a third country (for example in support situations) and/or storage in a cloud situated outside the EEA, is also considered to be a transfer.

Step 2: Identify the transfer tools

The controller or processor acting as data exporter, shall identify the transfer tools they are relying on amongst those Chapter V GDPR lists and envisages. These tools may include:

Adequacy decisions

The effect of such an adequacy decision is that personal data can flow from the EEA to that third country to which the decision relates without any Article 46 GDPR transfer tool being necessary. Adequacy decisions may cover a country as a whole or be limited to a part of it. They may cover all data transfers to a country or be limited to some types of transfers. If the controller or processor acting as data exporter transfer personal data to third countries, regions or sectors covered by a Commission adequacy decision they do not need to take any further steps described in the Recommendations.

Article 46 GDPR transfer tools

Article 46 GDPR lists a series of transfer tools containing “appropriate safeguards” that exporters may use to transfer personal data to third countries in the absence of adequacy decisions. The main types of Article 46 GDPR transfer tools are:

– standard data protection clauses (SCCs);

– binding corporate rules (BCRs);

– codes of conduct;

– certification mechanisms;

– ad hoc contractual clauses.

Whatever Article 46 GDPR transfer tool is chosen, must be ensured that, overall, the transferred personal data will have the benefit of an essentially equivalent level of protection.

Derogations

Subject to specific conditions, controller or processor acting as data exporter may be able to transfer personal data based on a derogation listed in Article 49 GDPR.

Step 3: Assess whether the Article 46 GDPR transfer tool is effective in light of all circumstances of the transfer

If organizations rely on Article 46 transfer tool, they must ensure that the tool is effective in practice. Effective means that the transferred personal data is afforded a level of protection in the third country that is essentially equivalent to that are guaranteed in the EEA. It must be assessed whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the Article 46 GDPR transfer tool. Where appropriate, the data importer should provide with the relevant sources and information relating to the third country in which it is established and the laws applicable to the transfer.

Step 4: Adopt supplementary measures

If the assessment under step 3 has revealed that your Article 46 GDPR transfer tool is not effective, then shall be considered adopting supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. It must identify on a case-by-case basis which supplementary measures could be effective for a set of transfers to a specific third country when using a specific Article 46 GDPR transfer tool. The supplementary measures may have a contractual, technical or organizational nature. The recommendations contain a non-exhaustive list of examples of supplementary measures with some of the conditions they would require to be effective.

Step 5: Procedural steps if effective supplementary measures have been identified

The procedural steps that may have to be taken in case you have identified effective supplementary measures to be put in place may differ depending on the Article 46 GDPR transfer tool.

Step 6: Re-evaluate at appropriate intervals

At last, controller or processor acting as data exporter must monitor, on an ongoing basis, and where appropriate in collaboration with data importers, developments in the third country to which they have transferred personal data that could affect their initial assessment of the level of protection and the decisions they may have taken accordingly on their transfers.

[1]https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_en

---

/ New Data Sharing Code of Practice [1]

On 17 December 2020, the Information Commissioner’s Office published a new Data Sharing Code of Practice, prepared under Section 121 of the Data Protection Act 2018, which is a practical guide for the organizations about how to share personal data in a way that complies with data protection law. The Commissioner must take the code into account when considering whether the organizations have complied with their data protection obligations when sharing data, especially regarding questions of fairness, lawfulness, transparency, and accountability. The Code is mainly aimed at organizations that are controllers sharing personal data. It provides data sharing check list (a step-by-step guide to deciding whether to share personal data), data sharing request form template (for the organization making the request for data sharing) and data sharing decision form template (for the organization taking the decision to share data).

[1] https://ico.org.uk/for-organisations/data-sharing-a-code-of-practice/

https://ico.org.uk/for-organisations/data-sharing-a-code-of-practice/about-this-code/

/ What to Expect in 2021?

/ Asia and Australia [1]

In 2021 and the next few years, are expected new or updated laws enacted or introduced into India, Indonesia, China, Australia, Hong Kong, Malaysia, Sri Lanka and Vietnam.

/ North and South America [2]

In 2021 the data protection laws in Bermuda, Barbados and Jamaica are expected to enter into effect and in the next few years there may be changes of the existing legislation in Argentina, Chile and Canada.

[1]https://www.mofo.com/resources/insights/210104-transformation-privacy-landscape-asia.html

[2]https://www.mofo.com/resources/insights/210106-future-privacy-landscape.html