Today is the first Data Privacy Day post-Brexit, and in this post Rachael Eyre looks at the impact on international data flows.
While not an awful lot has changed with GDPR (the EU GDPR became the UK GDPR on 1/1/21, with a few tweaks) the biggest area of change is International Data Transfers.
As the UK is not part of the EU, the mechanism for transferring EU data to the UK under EU rules is no longer valid, and the data needs to be transferred under a different mechanism.
Transfers to the USA are also affected as the EU-USA Privacy Shield is not applicable (this is having to undergo major changes in any event as the European Court of Justice declared that the mechanism was invalid in July 2020).
Now is a good time to check on your international transfers, if you haven’t already.
Mechanisms
Until the UK (or the EU) introduce new mechanisms, such as certification schemes, the current mechanisms you may have used back in May 2018 are:
Within the EU/EEA (EU)
Back in May 2018 this will have included transfers of personal data within all EU/EEA countries, including the UK. The UK is no longer part of this mechanism.
Personal data can still be transferred to organisations in the EU / EEA under this, but not transferred to the UK from EU/EEA countries under this mechanism.
Adequacy
The UK adopted all of the EU’s adequacy decisions, and has since promoted Japan to full adequacy status. The UK will begin to make it’s own adequacy decisions and it is hoped the EU will make a finding of Adequacy for the UK (currently the UK is being assessed, there are challenges such as the Investigatory Powers Act).
Binding Corporate Rules (BCR)
Where an organisation is part of a group including countries that are not within the EU/EEA or are without Adequacy findings, the organisation group can enter into Binding Corporate Rules. These have to be approved by a Supervisory Authority, such as the ICO in the UK .
If the BCR contains organisations in the UK and Adequacy or Other Countries, then it should still be applicable, but worth checking. If the BCR involves organisations in EU/EEA countries and the UK, they should be checked to ensure they are still applicable and whether they need any updating.
Standard Contractual Clauses (SCCs)
These are the clauses with wording directly lifted from the EU and will probably have been used in most contracts with Other Country data processors. The ICO are drafting UK based SCCs, and the EU SCCs are being redrafted as they are caught with the same issue as the Privacy Shield.
Post-Brexit, these are probably the easiest mechanism to adopt for EU/EEA based organisations to send data to the UK, unless there is an Adequacy finding.
Privacy Shield (USA)
This may have been relied on in May 2018 for transfers, but is no longer effective. Organisations should look at changing this mechanism to SCCs or BCRs (if available).
Representatives
Where a UK organisation operates in the EU/EEA, offering goods and services to EU/EEA citizens and processing personal data and does not have a branch office within the EU/EEA, they will need to appoint a Representative within the EU (it is the same for EU/EEA organisations offering goods or services in the UK).
The Representative maintains records of local processing, acts as a go between for the organisation with the lead Supervisory Authority in the EU and data subjects. They should be able to communicate effectively with individuals in their own language. There are a number of firms now set up to carry out this role of Representative.
Review
Organisations should review their contracts and Data Flows/Data Maps/Process Flows (whichever you called it) and check whether anything is now out of date due to the changes. If anything is, then this will need to be updated. Organisations will also need to consider whether they need to appoint a Representative.
Below is a quick checklist to ensure your international data transfers are still GDPR compliant. All of the various ways that you transfer or review data from outside of the UK should be listed in their separate contexts, so you may need to add more columns or duplicate rows.
Reference number? | Parties to agreement | Data transferred | Country of Data Origin | Country being sent to | transfer mechanism (choose 1) | Still effective? | If not, action needed to change | Does there need to be a Representative |
UK | EU / EEA | BCR / SCC / Adequacy / EU | ||||||
UK | Adequacy | BCR / SCC / Adequacy | ||||||
UK | Other countries | BCR / SCC | ||||||
UK | USA | BCR / SCC / Privacy Shield | ||||||
EU / EEA | UK | BCR / SCC / Adequacy / EU | ||||||
Adequacy | UK | BCR / SCC / Adequacy | ||||||
Other countries | UK | BCR / SCC / other / local restrictions | ||||||
USA | UK | BCR / SCC / other |
EU / EEA Countries | Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, and Norway. |
Adequacy Countries | Gibraltar, Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, Japan, and Canada (partial). |
Other Countries | Everywhere else, including USA, India and Australia |