As far as I can recall, in the run-up to Brexit data flows did not capture many of the media headlines. Perhaps understandably, topics that got more airtime included fishing, food, travel documents and queues of export lorries.
However, in our modern data-driven world, it is just as critical to know how and where data flows between the UK and Europe, and which privacy and other rules apply to that flow.
This article looks at the post-Brexit changes that affect personal data, specifically how and where that data can be transferred.
This matters hugely, both to businesses, and to anyone who wants to understand the level of privacy protections that apply to any given flow.
Transferring personal data outside your own country
For many years, any business within Europe has been able to transfer and process personal data anywhere within the whole of the European Economic Area (that is, EU plus Norway, Iceland and Liechtenstein) without taking any precautions above and beyond the requirements around personal data handling which apply under the national legal system in their own country.
This ease of operation has been extended beyond the borders of the EEA to a list of other nation states by means of an official list of countries whose legal protections for personal data the European Commission accepts as sufficiently robust to meet the minimum European standards without the need for additional safeguards. These are referred to as "adequacy findings". For a long time, additional safeguards have been needed to transfer data to locations not on that list, such as the USA.
You might already be familiar with these additional safeguards and the complexity that can add to your business processes, as compliant businesses will have already been managing their data storage and processing within the EEA as far as possible. Where there is a compelling business need to transfer data to "out of area" locations, you might have already made additional arrangements, and invested effort and cost to follow the safeguards.
But, even if you have done all this, you have to remember that the UK is now outside the European Union. As such, you can no longer simply assume smooth flows of personal data from the EEA without extra safeguards.
Since the end of the transition period on 31 December 2020, our personal data modesty has been protected by the fig leaf of a temporary adequacy "bridge". This will expire on 30 June 2021 unless a longer-term adequacy finding is issued by the European Commission before that date.
On 19 February, the European Commission issued a draft decision which would grant adequacy to the UK, and so would allow transfers of personal data from the EEA to the UK to continue.
This is not yet a final decision, so we must not be too hasty to assume that it will be finalised. Indeed, the Information Commissioner's Office points out that the decision will require consideration by the European Data Protection Board and a committee of the 27 EU member governments before the European Commission can formally adopt the legal decision.
The ICO goes on to warn businesses that the UK Withdrawal Act will not be overridden by this bridge and that if the adequacy decision is not finalised, UK businesses should be ready by the end of April to comply with the GDPR restrictions on transfers and management of personal data that apply to such transfers out of the EEA.
Other commentators have also noted that the draft adequacy decision for the UK is for a four-year period and would then need to be renewed. The other non-EEA countries with adequacy decisions have open-ended decisions (although they are kept under review), and do not have a defined period which would be followed by the need to renew and the risk that renewal would not be granted.
For UK businesses, the immediate issue is therefore whether the decision is formally adopted. Then, if that goes through successfully, there is the realisation that the issue will need to be revisited within four years.
What this means for GDPR
The ICO has published guidance for UK businesses: those who send data to or receive data from Europe, those who have a European presence and/or European customers, and those who do not (but may still have legacy issues and need to be alert to changes in their data management).
A significant element in this guidance, and in the expectation that the adequacy decision will be confirmed, is that the UK has adopted GDPR into local law in the shape of the Data Protection Act 2018, and so currently matches European GDPR. The ICO refers to this as "Frozen GDPR".
The ICO is encouraging businesses to prepare for the possibility that the adequacy decision will not be adopted and that the extra safeguards will need to be in place. It therefore recommends that – for many SMEs – the most appropriate safeguard to apply will be using clauses approved by the EU (called Standard Contractual Clauses).
Remember, other commentators have noted that, even if the adequacy finding is adopted, it is only for four years. Meanwhile, there are privacy campaigners who may mount legal challenges which could impact on the extent or validity of that decision and its ability to lubricate the flows of data, many of which are deeply embedded in business relationships, sales and supply channels.
What this means to you
In essence, it is once again necessary to keep a watching brief on your business's infrastructure and procedures for the processing of personal data and the management of privacy issues. You may also need to update your relevant policies and procedures.
As always, we can help with that.