Analysing UK Data Protection Adequacy: The Benefits and The Limits

Briefing

The route to the United Kingdom (UK) gaining data protection adequacy has been set out by the European Commission. UK adequacy is a declaration by the EU that the UK’s laws and systems are essentially equivalent to cover the General Data Protection Regulation (GDPR) and the Law Enforcement Directive’s (LED) data flows. The UK uniquely benefits from many years of alignment with European data protection standards including ratifying the Council of Europe’s Convention 108. The UK’s pioneering first law was the UK Data Protection Act 1984. The UK then adopted both the EU Data Protection Directive 1995 and the GDPR of 2016.

Data protection adequacy creates certainty and trust for data flows to and from the EU and UK. There are numerous benefits to data protection adequacy for business, trade, cooperation, security and law enforcement. However, because the UK has left the EU (Brexit), it now stands apart from EU developments and automatic institutional advancements. Inevitably, over time, there will be degrees of divergence, duplication of compliance activities and an evolving dynamic tension between the EU and UK regimes. Despite this, there will be an enduring, broad and deep commonality between the EU and UK data protection regimes, well into the future.

The Benefits: What UK Data Protection Adequacy Means

UK data protection adequacy creates a new status quo:

  • The UK will join Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand and Uruguay as a country with essentially equivalent data protection standards to the EU, the European Economic Area (EEA) countries and Switzerland.
  • The EU will allow the free flow of personal data from the EU to the UK and these will not be considered international data transfers and require the complex additional safeguards listed in the GDPR. The UK has already declared adequate the EU, the EEA, Switzerland and the current list of EU-adequate countries, which creates fully reciprocal personal data flows between the UK and EU.
  • Going forward, the UK will be obliged to ensure that domestic developments in data protection law and systems substantially reflect developments in the EU. This will create a degree of certainty and transparency for companies, organisations and governments.
  • In the future, the Information Commissioner’s Office (ICO), the UK’s GDPR regulator, will be more inclined to interpret and enforce the GDPR in line with EU developments. Though, the ICO must also reflect UK-led changes to the legal framework, UK GDPR interpretation and UK court decisions.
  • Companies and organisations that operate both in the UK and EU must now establish two distinct personal data breach reporting arrangements. UK personal data breaches will need to be reported in the UK, to the ICO. EU data breaches must be reported to one or more of the EU’s twenty-seven GDPR regulators. Bureaucratically, personal data breaches affecting individuals based in the UK and EU must be reported in both regions.
  • International companies and organisation can continue to blend their data protection programmes to cover all EU countries and the UK but specifically allow for future UK variations. This approach will encourage economies of scale, compliance costs savings, interoperability and more transparent European-wide data risk profiles. 

Dynamic Controls

UK data protection adequacy includes several dynamic controls that supervise the EU/UK data relationship into the future. Companies and organisations should note that:

  • UK adequacy decisions are subject to review by the European Commission at four-year intervals. The decisions are re-examined periodically.
  • The validity of the UK’s adequacy decisions could be challenged in the Court of Justice of the European Union (CJEU). This court has the power to invalidate the adequacy decisions, forcing organisations to stop transferring personal data from the EU to the UK. This happened to the EU-US-Swiss Safe Harbour adequacy decision in 2015 and EU-US-Swiss Privacy Shield adequacy decision in 2020, causing much disruption, uncertainty and costs to businesses and organisations.
  • The European Commission can suspend UK adequacy decisions based on a serious violation or series of serious violations that offend the EU’s  rights-based system. This is unlikely. However, a significant UK/EU disagreement about human rights, EU fundamental rights, national security and large-scale surveillance could increase the risk. A significant breakdown in the UK’s internal checks and balances that safeguard the right to personal data protection could negatively affect the stability of UK adequacy.

The Limits: What UK Data Protection Adequacy does not Mean

UK data protection adequacy does not alter several important issues and so companies and organisations should note that:

  • UK adequacy creates and maintains equivalence for data transfers from the EU to the UK. However, the UK will still need to create new international data transfer mechanisms for UK personal data flows to the rest of the world. These may be different from the EU’s system and may include UK-specific data protection standard contractual clauses. Companies and organisations in the UK and EU must now navigate two systems for international transfers.
  • Companies and organisations that have no presence in the EU but offer goods or services or monitor individuals in the EU will need to appoint an EU Data Protection Representative based in the EU, separate from any UK representative.
  • Companies and organisations that have no presence in the UK but offer goods or services or monitor individuals in the UK will need to appoint a UK Data Protection Representative based in the UK, separate from any EU representative.
  • Post Brexit, the UK is still part of the European Convention on Human Rights (ECHR), with its well-established right to privacy, family life, home and correspondence. This right is reflected in the UK’s Human Rights Act 1998.  However, there is no longer a fundamental right to personal data protection in UK law as it exists in EU law. The UK is no longer a party to the EU Charter of Fundamental Rights, and its specific additional Article 8 personal data protections. As a result, data protection rights in the UK are now narrower in scope than in the EU. 
  • The UK continues to have GDPR embedded into its laws. However, automatic data protection alignment is no longer legally and practically inevitable. Brexit means that the UK is no longer a part of the EU’s governing treaties, democratic institutions, internal single market, digital single market, regulators and courts. Data protection decisions and opinions from the European Commission, European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) no longer have automatic legal force on the UK.

For assistance with GDPR, EU/UK data flows and Brexit, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS022021

Five Key Things to Know about European Data Protection (GDPR) Representatives

Introduction

The General Data Protection Regulation (GDPR) applies directly to companies and organisations located in the European Union (EU) and around the world. The law has a deliberately wide scope, based on how personal data about individuals in the EU are collected, used, monitored and stored. Companies and organisations that do not have an established presence in the EU must appoint a Data Protection Representative (Representative) based in the EU in line with Article 27 of the GDPR. This rule is not new, it has been an EU requirement, in a more limited form, since 1995. The Representative allows individuals in the EU to directly enforce their data protection rights and gives EU GDPR regulators a reliable point of contact within their countries.

The Representative is a strategic role, helping foreign companies and organisations to actively monitor GDPR regulators’ priorities, enforcement and key guidance. It is also practical, allowing individuals, users and consumers in the EU to have an access point in the EU. The Representative is more likely to communicate with them in local languages and appreciate local risks, norms and expectations. The Representative is also legally required to understand data flows that affect individuals based in the EU by being involved with GDPR Records of Processing Activities (ROPAs).

1. What types of companies or organisations need European Data Protection Representatives?

Companies and organisations that have no established presence in the EU but process the personal data of individuals in the EU and carry out activities that are covered by the GDPR. This applies whether the personal data processing takes places inside or outside of the EU. The company or organisation can be a Controller or Processor as defined by the GDPR. However, non-EU based public bodies, government organisations, diplomatic missions and consular posts do not have to appoint European Data Protection Representatives.

2. When does a company or organisation need to appoint a European Data Protection Representative?

Companies and organisations should review their data flows, personal data inventories and GDPR ROPAs on a continuous basis to check if their activities are covered by the GDPR. Where companies and organisations offer goods or services to individuals in the EU, even free services, or monitor the behaviour of individuals based in the EU, the need for a European Data Protection Representatives must be considered. That a non-EU website, email address and other contact details are accessible within the the EU, does not, by itself, mean a Representative is required. Companies and organisations should consider whether they use EU languages in their trading or work, use EU currencies, deploy marketing targeted at EU users and consumers or provide users with direct facilities to order and receive goods and services. The use of geographic targeting technologies, cookies, profiling EU users and other monitoring and surveillance could indicate the need for a Representative. Foreign companies and organisations that employ staff, contractors, distributors and agents in the EU are also likely to need to consider appointing a European Data Protection Representative.

The requirement does not apply if the processing of personal data about those in the EU is occasional, small scale or there is no large-scale processing of special categories of personal data or criminal records data that negatively impact the rights and freedoms of individuals.

3. What are the legal duties and key requirements of European Data Protection Representatives?

EU GDPR Representatives:

(a) Must maintain ROPAs of the Controller’s or Processor’s personal data flows.

(b) Cooperate with EU GDPR regulators (Supervisory Authorities).

(c) Be situated in an EU country where individuals who are offered goods, offered services or have their behaviour monitored, are based.

(d) Be appointed by the foreign-based Controller or Processor and can be contacted by EU GDPR regulators and individuals in the EU, in addition to, or instead of, the Controller or Processor.

(e) Act as the Controller’s or Processor’s Representative, but the Controller and Processor remain responsible, liable and directly subject to legal and regulatory action in the EU.

(f) Carry out the Data Protection Representative Service as specifically agreed with the Controller or Processor.

(g) Are subject to enforcement proceedings for non-compliance by the Controller or Processor.

(h) Are designated and appointed in writing by the Controller or Processor.

4. What are the differences between GDPR-appointed Data Protection Officers and GDPR European Data Protection Representatives? Can the roles be carried out by the same person or organisation?

The Data Protection Officer is largely an internal appointment who must act independently and report to the highest level of management in a company or organisation. The Data Protection Officer should not perform an operational role in charge of data processing in the organisation, at the same time. The Data Protection Representative is largely outward facing, positioned to liaise with individuals whose personal data are being processed and with EU GDPR regulators. The Representative is not restricted from taking part in the operational aspects of the Controller’s or Processor’s data processing activities.

The Representative must act within the terms of the appointment and the mandate of the Controller or Processor, as a type of agent. The Representative is not legally required to be independent but must represent and stand in the place of the Controller or Processor within the EU. If a single entity or person attempted to act as both a GDPR Data Protection Officer and a European Data Protection Representative at the same time, there is likely to be a conflict of interest and practical limitations. However, both roles share the need for ROPA expertise and the ability to work effectively with individuals and EU GDPR regulators.

5. The United Kingdom (UK) has left the EU, should UK Data Protection Representatives be appointed to comply with UK data protection law? Do companies and organisations based in countries that have a data protection adequacy agreement with the EU need to appoint European Data Protection Representatives?

The UK’s exit from the EU means that it is no longer an EU Member State. The UK Information Commissioner’s Office (ICO), the data protection and GDPR regulator, is no longer a GDPR Supervisory Authority or member of the European Data Protection Board (EDPB). The UK has carried forward the GDPR, and so where a company or organisation needs to appoint a European Data Protection representative, if the same or similar data processing activities take place in the UK, a UK Data Protection Representative should be appointed. This requirement will continue even when the UK gains a data protection adequacy agreement from the EU. At present, all companies and organisations in the European Economic Area (EEA) and those based in countries that have an EU data protection adequacy agreement still need to appoint Data Protection Representatives in the EU, if they process personal data, have no established presence within the EU but offer goods, offer services (even for free), or monitor individuals’ behaviour in the EU.  This is true, even where this data processing activity never takes place on equipment that operates within the EU (or the UK).  

To access our European Data Protection (GDPR) Representative services, UK Data Protection Representative services, Data Protection Officer services or Brexit data services, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS012021

Brexit Now: Future Impacts on UK, EU, EEA and Global Personal Data

Briefing

On 24 December 2020, the European Union (EU) and the United Kingdom (UK) signed the EU-UK Trade and Cooperation Agreement (the “Trade Deal”) to provide an ordered and more certain outcome for the end of the transition period on 31 December 2020. A process of ratifications will take place in January 2021.  A no-deal Brexit has been avoided, but this Trade Deal has been described as “thin.” The Trade Deal includes a zero-tariff regime for many goods. The UK economy is approximately 20% in goods, leaving the majority 80% of services sectors with operational uncertainties. The EU’s combined economy is 25% goods and 75% services. From a data protection, General Data Protection Regulation (GDPR) and information security perspective, the Trade Deal provides some clarifications. However, there are still uncertainties to be worked out in the coming months and years.

UK Data Protection Adequacy

The UK will not receive a data protection adequacy decision from the EU before 31 December 2020. As a result, the Trade Deal has extended the data protection status quo that operated during the Brexit transition period, for a further 6 months to June 2021. UK data protection adequacy is not guaranteed in June 2021 and adequacy could be withheld by the EU, but the language of the Trade Deal appears optimistic. An adequacy decision will allow personal data to flow freely from the UK to the EU/European Economic Area (EEA) and from the EU/EEA to the UK, without the need to use the international data transfer mechanisms in the GDPR designed for non-EU third countries. The Trade Deal states that the UK will not be considered a third country for EU/EEA to UK data transfers, for the purposes of EU GDPR, during the agreed extension period. Companies and organisations have a grace period, but still need to plan for the future based on an adequacy decision and also non-adequate third country status.

The need for new EU and UK Data Protection Representatives

Whatever the outcome of UK data protection adequacy decision and its timing, the UK remains outside the EU. This has been a legal reality since 31 January 2020. Companies and organisations (though, not public bodies) without a presence in the EU, offering goods, services or monitoring EU citizens in the EU, will need to appoint an EU Data Protection Representative, in one of the EU’s member states, as soon as possible. This is a legal requirement under Article 27 of GDPR. The EU-UK Withdrawal Agreement and related changes to UK data protection laws require UK Data Protection Representatives for organisations based outside the UK, without a presence in the UK, who offer goods, services or monitor UK citizens in the UK. Companies and organisations, in the UK, EU, EEA and around the world should conduct gap analysis and determine whether these services are legally required.

The UK Information Commissioner’s Office (ICO) reduced role

The ICO is one of the largest and most active data protection and GDPR regulators. Its English language output has a substantial impact on large parts of the world and on international organisations. Brexit means that it is no longer an EU Supervisory Authority under GDPR and so companies and organisations should repatriate key EU GDPR roles to other Supervisory Authorities based within the EU. Ireland’s Data Protection Commission is a near-neighbour substitute. These EU GDPR roles include registering Data Protection Officers, registering Binding Corporate Rules (BCRs), making referrals to the Court of Justice of the European Union (CJEU) and participating in the work of the European Data Protection Board (EDPB) and European Commission. The ICO’s future output will bind UK companies and organisations and foreign companies doing business in the UK. The extent to which most EU, EEA and international companies, who have an EU lead GDPR Supervisory Authority, will be bound by its guidance, codes of practice, decisions and enforcement is uncertain. It is also unclear how closely the ICO will consider or follow the opinions, recommendations and decisions of the EDPB, CJEU and the European Commission. The ICO will have very little direct legal obligation to do so, going forward. The ICO’s role in the maturing and development of the EU’s GDPR will reduce over time.

The Trade Deal: Clear for Goods, More uncertain for Services

The service sectors in the UK and EU generate, use and share a lot of personal data and special categories of personal data. The Trade Deal is focused primarily on goods, security cooperation, trade dispute resolution mechanisms and other discreet areas of trade and cooperation. Data flows in many services sectors such as financial services, information technology, business services, professional services, ecommerce/online retail, leisure, tourism, travel, sports, the arts, entertainment and personal services are affected by Brexit. Established data flows will be changed by new trading restrictions, new processes and limits on data sharing. New data flows will be created that companies and organisations must map, risk assess, manage and add information security protections. Businesses and organisations in the UK may increasingly turn to non-EU partners, suppliers and customers as UK government policy promotes global trade and new international trading corridors. This will create both challenges and opportunities and require better management of international data transfers, supply chain risks, information security resilience, human rights compliance risks and geopolitical risks.

Complexities in Information Security and Cybersecurity

As the UK is no longer a member of key EU institutions, the immediate future will be uncertain as security, information security and cybersecurity relations are re-established or reconstituted. The UK will lose direct member access to the European Union Agency for Cybersecurity (ENISA), Europol and Eurojust. Cooperation on cross-European cybersecurity threats, risks and responses will be negatively affected in the short to medium term. Companies and organisations should monitor these relationships and bolster their individual cyber defence capabilities. Businesses operating in or enabling critical national infrastructure or regulated sectors such as financial services, healthcare, pharmaceuticals and high value engineering, will need to adopt more substantial measures. Will there be future conflicts over whether UK or EU/EEA cybersecurity standards will apply between UK and EU/EEA partners?  In the longer term, will international businesses choose to mandate EU/EEA information security standards over UK standards, or adhere to both at additional costs? Companies and organisations will need to strategize about appropriate solutions and sector norms.

Other Immediate and Future Impacts: Work, Travel, Employee Data, Procurement, Immigration, Professional Qualifications and related areas

Personal data requirements, collection, storage and sharing are affected in many common areas, impacting many companies, organisations, supply chains and staff mobility. Human Resources departments, already facing data protection and cybersecurity challenges from the coronavirus pandemic, will faces new, fast changing and unresolved data flows of employee data, including proof and authorisation of professional qualifications. Work permits, visa applications and new immigration rules will diversity data sets and introduce high risk data processing. Other departments and functions like sales, marketing, finance, compliance, legal, audit, information security and procurement will face immediate and longer term data and cybersecurity challenges. Companies and organisations will be in a constant process to realign, overcome uncertainties and fill gaps. The future will require embracing new ways of working together, doing business and sharing data and information between the UK, EU, EEA and globally.

For assistance with Brexit, GDPR and EU data flows, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS122020

Five Key Actions to Protect Post-Brexit Personal Data Flows

Briefing

Over time, the personal data impacts of the United Kingdom (UK) leaving the European Union (EU) will be revealed. The scope of any free trade deal that addresses data protection will set the scene for immediate and long-term personal data flows. In the short to medium term, any adequacy decision will minimise costs and disruption to companies and organisations. The impact of the Court of Justice of the European Union’s Schrems II decision on Privacy Shield, as it applies to the UK, will also become clearer as decisions are made. The future will include new European Commission data protection Standard Contractual Clauses (SCCs) for personal data transfers to non-EU countries. It is likely that the UK Information Commissioner’s Office (ICO) could seek to adopt its own international personal data transfer mechanisms and arrangements over time. It is important for companies and organisations to be strategic, measured and deliberate in choosing the way forward.

Strengthen long-term Data Protection Strategy

Companies and organisations should be very clear about their ongoing data protection strategy. For UK companies with limited EU / European Economic Area (EEA) and foreign operations, they must decide their level of proximity to the EU’s General Data Protection Regulation (GDPR) or adopt a more flexible ad hoc approach to anticipate changes to UK data protection laws. For EU and EEA companies and organisations that do business or offer services to UK customers, they must decide and confirm which data protection standard will be their baseline. They must decide the level of deviation that they will permit while accommodating emerging UK data protection norms while staying true to EU GDPR. International companies and organisations must decide on the level of exceptionalism that their data governance programmes will allow for the UK. They should decide whether the UK will be treated as a default EU member state for GDPR purposes and be held to evolving EU data protection standards, despite changes to their domestic or the UK data protection regimes.   

Engage with key suppliers and high risk high value contracts

It is important that companies and organisations create and maintain clear channels of communication with their extended supply chains to coordinate their future approaches to data protection. Contracts should be reviewed to ensure that terms which directly or indirectly rely on the UK’s membership of the EU should be reviewed and updated. Key definitions for “applicable data protection law” and many other EU / EEA-centric information should be reviewed to reflect the new realities. Standard Contractual Clauses (SCCs) should be considered for large scale and high risk EU / EEA to UK data transfers.   

Monitor as the UK becomes an international data adequacy deal maker

The European Union fiercely protects its allocation of data protection adequacy decisions to countries outside the European Union. The UK is fast becoming a broker in the expansion and allocation of data protection adequacy, beyond the EU’s direct remit. Most of the countries included on the EU’s data protection adequacy list have declared that the UK has data protection adequacy. This includes the larger economies like Switzerland, Argentina, Israel and Canada. Japan and the UK have agreed mutual data protection adequacy, which is linked to a new free trade deal. In time, it is likely that the UK and the USA will come to an arrangement on broad data protection adequacy or create a mutual Privacy Shield-type arrangement to accommodate their future economic relationship.  Companies and organisations should watch these developments, constantly assess personal data risks, analyse the longer term effects of the Schrems II decision and evaluate the proximity of new adequacy arrangements to EU GDPR.

Get value from EU Data Protection Representatives

Companies and organisations should use the end of the UK ICO’s role as an EU Supervisory Authority under GDPR as an opportunity for strategic thinking about their EU / EEA GDPR exposure. Data Protection Representatives should be appointed within the EU not just to comply with Article 27 of the GDPR, but to stay connected to EU / EEA customers and users, monitor the work and priorities of other EU based Supervisory Authorities and monitor key policy changes taking place in Brussels. EU Representatives should represent non-EU based (and UK) companies and organisations from within the EU, but also feedback to UK and international companies useful insights, trends, strategic positioning and information about enforcement priorities.  

Interact with and educate Users and Consumers

Companies and organisations should take the opportunity to update the places where they meet their users, transact with customers and provide information to them. This includes data protection policies and procedures, data protection notices, information security protocols, websites, publications, social media and staff training initiatives. GDPR Records of Processing Activities (ROPAs) should be updated to maintain transparency and accountability. Supply chains, consumers and users should not be surprised on 1 January 2021 with the sudden impacts of the end of the Brexit transition period, but should steadily receive information and guidance so that practical and strategic choices can be made by all parties.

PS112020