Transferring personal data to and from the UK after Brexit
At a glance
Whilst the General Data Protection Regulation (GDPR) applies across the European Union (EU) and accordingly has no special rules for the transfer of personal data between EU member states, it does have special requirements for the transfer of the personal data of EU data subjects outside of the EU. Since the UK left the EU at the end of 2020, those special requirements now also affect UK data transfers.
In this briefing note, we summarise the key considerations.
Transferring Personal Data from the EU to the UK
The EU’s special requirements for data transfers are intended to apply when the EU is concerned that the laws of the country to which the personal data is to be transferred do not provide a comparable level of protection to that of the GDPR.
Accordingly, where the European Commission (EC) has determined that the laws of another country do provide adequate protection then no special requirements are needed. The EC has previously made a number of such adequacy decisions, including for Canada and Australia, and has now also made an adequacy decision for the UK.
This means that, in principle, personal data may be transferred from the EU to the UK in the same manner as it may be transferred between EU member states, although a UK data controller processing the personal data of EU data subjects and not also established in the EU now needs to appoint an EU Representative under Article 27 of the GDPR.
Transferring Personal Data from the UK to the EU
The UK has adopted the GDPR wholesale into English law, merging it into the Data Protection Act 2018 (subject to any logically necessary changes) to create what is called ‘UK GDPR’, and has also, through Adequacy Regulations, effectively made adequacy decisions for both the EU and for the same countries as those on the list of the EC’s adequacy decisions. This means that, in principle, personal data may be transferred from the UK to the EU in the same manner as it was transferred when the UK was an EU member state. However, an EU data controller processing the personal data of UK data subjects and not also established in the UK now needs to appoint a UK Representative under the UK GDPR.
Transferring Personal Data from the UK to Other Countries with ‘Adequacy’ Decisions
As noted above, where it has been determined that the laws of another country provide protection for personal data comparable to that of the UK GDPR, no special requirements are needed to transfer personal data from the UK to that country. The UK’s list of such countries is the same as the EU’s.
Transferring Personal Data from the UK to Countries without ‘Adequacy’ Decisions
For personal data transfers from the UK to a country without an ‘adequacy’ decision, with the US being the obvious example, the UK GDPR follows the GDPR in requiring the use of one of the lawful data transfer mechanisms unless one of the exemptions applies. The most widely used mechanism is the so-called Standard Contractual Clauses (SCCs), although binding corporate rules (BCRs) can also be used by groups of companies, whilst probably the most common exemption is where the consent of the data subject is obtained.
The EC previously published two sets of SCCs: one for a transfer of personal data from a data controller in the EU to a data controller outside the EU and one for a transfer of personal data from a data controller in the EU to a data processor outside the EU. The principle, in each case, is that the party outside the EU is to be contractually bound to protect the personal data shared with it in a manner which seeks to broadly reflect the EU’s data protection regime and to make up for the perceived inadequacies in the local laws.
The UK has continued with the same controller-controller and controller-processor SCCs, which have been published by the UK’s Information Commissioner’s Office (ICO) with a few ‘UK tweaks’. On the face of it, therefore, there is no substantive change in the use of SCCs for data transfers from the UK to a country without an adequacy decision, and indeed the ICO has confirmed that UK data controllers may continue to rely upon such SCCs which they have previously put in place, at least for the time being.
However, it is important to be aware of two issues at an EU level which are also relevant to the UK:
- Following the Schrems II case, which challenged the use of SCCs for the transfer of personal data from the EU to the US, the EU’s European Data Protection Board (EDPB) issued guidance to data exporters in June 2021 as to the due diligence that they might conduct to determine that the use of SCCs to transfer personal data to a particular country does provide protection comparable to the GDPR. The guidance underlines the thrust of the Schrems II case that SCCs cannot simply be used in isolation, but only in the context of a consideration of their effectiveness in each case. Whilst the EDPB guidance is not binding on the ICO or on UK data exporters, it must be expected that it will influence the ICO’s own expected guidance on the use of its SCCs by UK data exporters (not least, taking into account the ICO’s desire that the UK should retain its adequacy decision from the EC). UK data exporters would therefore be well advised to at least be aware of the EDPB guidance, even though it might be considered a ‘gold plated’ approach and many companies in practice may be tempted to ignore the guidance and simply put the SCCs in place under a ‘catnip’ approach (cheapest alternative terms not involving prosecution).
- In June 2021, the EC published a new set of SCCs. These provide a more flexible and modular approach so that, in addition to controller-controller and controller-processor transfers, they now cover processor-controller and processor-processor transfers. The new SCCs also reflect the Schrems II case noted above by including a basic set of additional contractual obligations on both parties to ensure compliance with the SCCs if they come into conflict with local laws. The new SCCs can be used from June 2021, but old SCCs already in place can continue to be used until December 2022. The ICO has not yet published its own substantively updated SCCs under the UK GDPR (anticipated for consultation in Summer 2021), nor has it recognised the new EU SCCs as a lawful data transfer mechanism under the UK GDPR. Again, data exporters should at least be aware of the potential for divergence between the UK and the EU in this respect and consider the need for the use of both UK-based and EU-based SCCs.
Transfers of Personal Data from the UK by Non-UK Data Controllers
Finally, where a data controller outside of the UK is processing the personal data of UK data subjects, it should be appreciated that the extra-territorial scope of the UK GDPR applies to that data controller in the same way as the extra-territorial scope of the GDPR. This means that the data controller must comply with the UK GDPR in the same way as a UK data controller. If that data controller also processes the personal data of EU data subjects, it must comply with both the UK GDPR and the GDPR regimes and will, for example, need to appoint both a UK Representative under the UK GDPR and an EU Representative under Article 27 of the GDPR.
Disclaimer: We at Memery Crystal (and our parent company RBG Holdings plc) support and encourage free/independent thinking in relation to issues which are sometimes considered to be controversial subject matters. However, the views and opinions of the authors of articles published on our website(s) do not necessarily reflect the opinions, views, practices and policies of either Memery Crystal or RBG Holdings plc.