With effect from the end of the transition period following the UK’s departure from the European Union, unless the EU decides that the UK can be treated as an equivalent state for the purposes of data protection law, the UK will become a “third country” for the purposes of EU law and transfers of data from EEA countries (meaning any member of the EU, plus Norway, Iceland and Liechtenstein).
Any UK business that holds personal data relating to EEA citizens or which trades with businesses or individuals in the EEA will need to review their contracts to ensure that they comply with EU law as well as English law. Any transfer of personal data relating to EEA citizens out of the EU will need to be compliant with EU law.
The usual way of meeting this requirement is currently to ensure that Standard Contractual Clauses are included in contracts (Standard Contractual Clauses are a form of wording that has been approved by the EU). Alternative means are available, such as ensuring that Binding Corporate Rules between intra group companies apply, but these must be individually approved by the EU and accordingly are not used so frequently.
The first task of UK companies trading in countries in the EEA should be to identify what, if any, personal data relating to EEA citizens might be transferred out of the EEA. Businesses then need to review their contractual arrangements and privacy notices to ensure that suitable provisions are included in relation to “international data transfers” (which is what data transfers between the EEA countries and the UK will now be considered rather than being transfers of data within the European single market).
Following the recent decision in Data Protection Commissioner v Facebook Ireland Ltd (known as Schrems II), where the Standard Contractual Clauses (or Binding Corporate Rules) are used, businesses will also be expected to carry out a transfer impact assessment relating to data transfers, in order to identify any supplemental measures which should be taken to protect data, in addition to using the Standard Contractual Clauses. The Information Commissioners Office is currently working to provide further guidance following the decision in Schrems II. However, the impact assessment should include an analysis of any laws permitting government surveillance in the jurisdiction to which the data is to be transferred. This is more of an issue for example in relation to transfers of data to the USA, where government surveillance is much more widely permitted than in the UK and EU, but it could become more of a concern if divergence between UK and EU data protection measures increases after the end of the transition period. Businesses may be expected to show they have undertaken a transfer impact assessment as part of the accountability principle which is at the core of GDPR.
If following an impact assessment of a data transfer, businesses conclude that there is an absence of “essential equivalence”, then they may have to suspend their data transfers to these jurisdictions and notify the relevant supervisory authority if they do not do so.
In the longer term, new standard contractual clauses are expected to be published by the EU and further guidance on transfer impact assessments. One of the risk areas is in the use of cloud providers based outside of the EU where protection from government surveillance is less strong. Businesses may accordingly consider Cloud providers based in the EU to be less problematic.
If you need any assistance with reviewing contracts to ensure that they include EU contractual clauses between the UK and EU, please get in touch with David Morrison on 01689 887838 or email david.morrison@cwj.co.uk