At the end of Brexit’s transition period on 31 December 2020, the UK will be classed as a third country outside the European Economic Area (EEA). Any data received into the UK from the EEA will then be classed as a restricted transfer. David Edwards, director and head of Harrison Drury’s regulatory team, outlines the practical steps businesses need to take to ensure they continue to protect client data.
The Information Commissioner’s Office (ICO) has confirmed that the transfer of data from the UK to the EEA will be permitted. If the UK is unable to achieve an adequacy decision from the European Commission regarding the free flow of data from the EEA to the UK, there will need to be contractual formalities in place.
Many UK businesses will therefore be required to rely on Standard Contractual Clauses (SCCs) to ensure the free flow of data can continue lawfully from 1 January 2021 onwards. SCCs will also need to be put in place when sending data from the UK to a non-EEA country which does not have an adequacy decision.
As things stand, in order for businesses to continue to lawfully share data with EEA countries and non-EEA countries, it is imperative they:
- Review and document what personal data they hold and/or transfer, where it is held, by what means it is transferred and to which countries, and then identify the legal basis for each transfer. The data transfer contracts should also include Standard Contractual Clauses unless some other form of legal basis is being relied upon.
- Decide whether to implement and update their SCCs now or wait until the Brexit transition period ends. On 12 November 2020, the EU published a draft implementing decision on new SCCs for transfers of personal data between the EU and third countries. However, a four-week period has been set aside for feedback on the drafts, so the new SCCs will not come into effect until 2021. The ICO has confirmed that from 1 January 2021, the UK will be able to put in place UK-specific SCCs.
- If your business relies on the Privacy Shield to transfer personal data in and out of the US, you will need to consider using SCCs.
The ICO recently published guidance on sending and receiving data between the UK and the EEA, and between the UK and non-EEA countries, which we discuss below.
Sending and receiving data between the UK and the EEA
After the transition period, the ICO has confirmed that the transfer of data from the UK to the EEA will be permitted.
The UK is currently going through an adequacy assessment; if adequacy is granted, data transfers from the EEA to the UK will be permitted without any additional measures in place. If the EU does not grant an adequacy decision, there will need to be appropriate safeguarding methods in place, such as SCCs.
Sending data from the UK to a non-EEA country
The UK government has confirmed that UK organisations will be able to rely on the same mechanisms as those set out under the EU GDPR, and the same process as above for deciding whether a data transfer can be made should be followed:
- Has there been an adequacy decision made on the country you are sending data to?
- If not, have appropriate safeguards been put in place, such as SCCs and BCRs?
- If none of the above apply, can you rely on an exception?
The UK has confirmed that it will recognise existing EU adequacy decisions.
The Privacy Shield is no longer valid for data transfers between the UK and USA; therefore, a transfer mechanism will need to be arranged under the GDPR guidance.
Receiving data into the UK from a non-EEA country
UK officials are working with non-EEA countries and territories to make specific arrangements for transfers to the UK. Ultimately, it is up to the sender to ensure that they are complying with the rules in their own country, while UK organisations will need to comply with the data protection rules in the UK (UK GDPR).
It is also worth noting that if a business is accessing or using data whilst it is being stored with a cloud provider, this will amount to an onward transfer, which will need to be detailed in the original transfer mechanism, or in a completely separate mechanism.
The European Data Protection Board (EDPB) is now advising that a far more detailed data transfer risk assessment is required. The ICO has confirmed that although this guidance will no longer be directly relevant to the UK regime, it will be used as an indication of good practice. The ICO is expected to release its own detailed risk assessment guidance in 2021, at which point the position for UK businesses should become much clearer.
Many organisations will be unsure whether to execute SCCs now, or wait for the new, finalised version of the SCCs to be released from 1 January 2021. The ICO has said that any existing SCCs made before January will remain valid, but if no SCCs are in place, organisations will need to make sure preparation has been made to demonstrate that they are complying with the GDPR.
This is essential practice for all data exports to EEA countries. The ICO will pay close attention to data importers and exporters, and to the actions they take, to ensure that the data they import and export is afforded an equivalent level of protection.
In short, the above information is designed to fill any vacuum of regulatory compliance over data between the GDPR jurisdiction and those countries which sit outside it, so that we are not simply left with an assessment of utilising SCCs versus Binding Corporate Rules.
If you wish to discuss any issues raised in this article or concerning your business’s data compliance and policies, please contact Harrison Drury’s regulatory team on 01772 258321.