
Brexit: Data Protection Checklist

13 January 2021

Background

On 1 January 2021, the European General Data Protection Regulation (“GDPR”) ceased to apply in the UK, and a UK version of the GDPR – the “UK GDPR” – applies from that date.

While the UK GDPR is generally similar in all key aspects to the GDPR, it applies as an independent, domestic law. The application of the UK GDPR is also subject to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which applies a number of changes aimed at tailoring the GDPR to the UK.

In parallel to the UK GDPR, the Data Protection Act (“DPA”) 2018, as well as any other EU laws transposed into UK national laws (e.g., The Privacy and Electronic Communications (EC Directive) Regulations 2003, “PECR”) remain in place.

Key Changes & Action Items

This update highlights the key changes to be considered by companies processing personal data in the EU and the UK, as well as the respective steps that should be considered in respect of personal data processed in the UK and in the EU in order to maintain compliance with the applicable data protection regimes in both territories.

The update does not constitute an exhaustive legal opinion or regulatory overview concerning any and all applicable regulatory requirements with regard to the topics that are addressed, but rather outlines the key issues stemming from the abovementioned regulatory requirements.

We will be happy to provide further guidance on their applicability and the specific requirements with respect to each of the topics outlined herein.

Data Transfers

What has changed?

Transfers from EEA to UK: until the earlier of (i) the date on which the European Commission issues an adequacy decision; or (ii) April 1, 2021, potentially extendable to June 1, 2021, personal data can be transferred freely. Afterward, the UK will be treated as a “third country” for data transfer purposes, meaning that data transfers will be subject to the appropriate safeguards requirements under Chapter V of the GDPR. In any case, the ICO suggests that companies transferring personal data to the UK put in place alternative transfer mechanisms.

Transfers from UK to EEA: the UK currently deems EEA and EU countries as having adequate safeguards, meaning that personal data can be transferred freely.


Transfers from UK to non-EEA countries: essentially the same as under the EU GDPR. Transfers to third countries recognized by the EU Commission as not having adequate safeguards are subject to appropriate safeguards requirements. The ICO also generally supports the Schrems II ruling, but is currently reviewing the EDPB recommendations in this regard. It is still considering whether to publish its own guidance on this matter. Meanwhile, it notes that, for most businesses, the convenient appropriate safeguard is the use of SCCs.

How should we prepare?

Review and amend your transfer mechanisms. Identify from where and to where you are transferring data (e.g., EEA to UK, UK to EEA, and/or EEA/UK to third country) and amend your transfer mechanisms accordingly.

  • If you are transferring data from the EEA to the UK, you are currently not required to put in place any additional safeguards, but from April 1, 2021 (extendable to June 1, 2021), unless stated otherwise by the European Commission, you would need to put in place additional safeguards (e.g., SCCs).

  • If you are transferring data from the UK to non-EEA countries, you can generally rely on the SCCs, but should carefully review for any updates from the ICO (those are expected). The ICO is currently reviewing the EDPB’s recommendations in this regard and is considering whether to publish its own guidance on that matter.

Records

What has changed?

All companies based in/targeting the EU/UK: records of processing activities need to be updated, including to recognize the UK as a third country (meaning that data transfers to the UK should be reclassified), identify a representative (see below), etc.

How should we prepare?

Update your internal records. Those should be updated to recognize the UK as a “third country” for the purpose of data protection laws.

Representatives

What has changed?

UK companies targeting EEA customers, without an establishment in the EEA: need to appoint an EU representative.

Companies targeting UK customers, without an establishment in the UK: need to appoint a UK representative.

How should we prepare?

Appoint a local representative. Appoint a local representative in the jurisdiction where you process data but have no establishment (e.g., UK companies processing data of EEA customers, but having no physical presence in the EEA, need to appoint an EU representative).

Lead Supervisory Authority (LSA)

What has changed?

Companies targeting the EU: the ICO can no longer be considered as an LSA for the purpose of the EU GDPR. This means that companies targeting the EU that identified the ICO as their LSA need to identify which EEA-based LSA serves as their new LSA.

Companies targeting the UK: companies processing personal data in the UK or of UK citizens will need to register (or remain registered) with the ICO, and will be subject to its supervision with regard to UK-bound data processing activities. This obligation applies in parallel to the obligation under the EU GDPR.

How should we prepare?

Identify an EU LSA (if possible) and register with the ICO. If you are processing data in the EU and your LSA is the ICO, you need to identify which EEA authority, if any, can be your new LSA. In addition, if you are processing data in the UK or of UK citizens, you must be registered with the ICO.

Data protection policies and agreements

What has changed?

All companies: Privacy notices, privacy policies, DPIAs, and Data Processing Agreements should be amended to (i) recognize the UK as a third country; (ii) refer to the UK GDPR; (iii) refer to the newly appointed representatives; (iv) reflect the appropriate safeguards that are in place for international data transfers; and (v) more generally, replace or add references to the UK, where applicable.

How should we prepare?

Review and amend your data protection policies and agreements. Those include your privacy policy, DPAs, DPIAs, and privacy notices. Those policies should reflect the changes in applicable laws, transfer mechanisms, the status of the UK, and your representatives.

Applicable laws

What has changed?

In the UK: EU GDPR ceased to apply, but a domestic version of the GDPR – the UK GDPR – applies. The DPA and any other EU law transposed into the UK (e.g., PECR) remain in place.

The EU laws retained by the UK (e.g., the UK GDPR) will be interpreted in line with the principles and decisions laid down by the Court of Justice of the European Union (CJEU). However, the UK Supreme Court and High Court of Justiciary may depart from those decisions, by applying their own tests for deciding whether to depart from their own case law. The draft European Union (Withdrawal) Act 2018 (Relevant Court) (Retained EU Case Law) Regulations 2020 proposes extending the list of courts that may depart from CJEU case law.

In the EU: unchanged.

How should we prepare?

While the key principles, rights, and obligations under the UK GDPR remain substantially the same as under the EU GDPR, the exercise and monitoring of the company’s compliance should now be assessed accordingly, including taking into consideration local amendments, regulatory updates, and enforcement actions.

Binding Corporate Rules (BCRs)

What has changed?

Companies with UK BCRs authorized by the ICO: need to (i) identify a new lead Supervisory Authority (SA) which is based in the EEA, and must have transferred to it amended versions of their BCRs, in accordance with the EDPB’s Guidance; (ii) produce UK versions of their BCRs, in accordance with the ICO Guidance, and file those with the ICO before June 30, 2021.

Companies with EU BCRs not authorized by the ICO: need to produce a UK version of their BCRs and file those with the ICO before June 30, 2021.

Companies with EU BCRs approved under the GDPR, but not authorized by the ICO: need to contact the ICO to discuss the process and the ICO’s exact requirements (BCR@ico.org.uk).

How should we prepare?

Update your BCRs. You need to produce a UK version of your BCRs and file those with the ICO by June 30, 2021. In addition, if your lead SA is the ICO, you need to appoint a new SA in the EEA and amend your BCRs in line with the EDPB guidelines (you should have done this already). If your BCRs are approved under the EU GDPR, you should contact the ICO for guidance.

Herzog’s Technology & Regulation Department 

Herzog’s Technology and Regulation Department is a recognized market leader in its field. We advise on privacy and data protection, cybersecurity, artificial intelligence law, digital finance regulations, content and advertising regulations, digital transformation, computer and software protection, mobile and other app marketplaces compliance.

Our clients vary between different industries and sectors including: eCommerce; adtech, e-marketing, and media; online gambling and gaming; financial technologies, digital payment solutions and cryptocurrencies; cybersecurity and privacy compliance; content platforms and social networks; data enrichment and authentication tools; digital health and lifestyle technologies.

Our group’s sector-dedicated teams are headed by leading legal experts advising on all applicable technological, regulatory and compliance considerations. We lead through our thorough knowledge and diverse experience with the increasing volume of regulations, enforcement actions and legislative trends in a myriad of jurisdictions; with heavily “regulated” platforms such as mobile app marketplaces and social networks; as well as with the respective industries’ best practices and leading self-regulatory guidelines. This enables us to offer unique and practical solutions for often complex situations and to assist in mitigating legal and business risks.

Team leaders

  • Ariel Yosefi | Partner, Head of Herzog’s Technology & eCommerce Regulation