Ann-Maree Blake, Data Protection and Corporate Partner
With the US Presidential election having dominated news headlines and the second Coronavirus lockdown now in place until early December, it is easy to forget about the issue that once dominated our minds. Brexit is still happening and there is now just over seven and a half weeks left until the transition period ends. Many export businesses have put strategies in place to deal with the new border restrictions, and the Home Office is dealing with hundreds of new applications for UK Sponsor Licences, which allow employers to continue to hire EU/EEA (and non-EU/EEA) talent. However, amidst the pressures of Brexit and Coronavirus preparations, many organisations have missed the issues around compliance with the EU General Data Protection Regulation (GDPR), which also need to be addressed before 31 December 2020.
If you do business within the EEA, there are changes you need to be aware of, including the requirement to appoint an EEA-based representative and the new Court of Justice of the European Union (CJEU) decision concerning the European Commission’s Standard Contractual Clauses (SCCs).
Appointing an EEA-based representative
The Information Commissioner’s Office (ICO) will no longer act as a one-stop shop, whereby UK organisations can rely on it as their Lead Supervisory Authority (LSA) for data protection matters. At present, if a breach occurs, the ICO will take the lead and you do not need to contact supervisory authorities in the other EEA States. After 1 January 2021, if you do not have an office or other form of base in an EEA Member State, you will need to appoint a representative. This can be an individual or a company (such as a solicitor or GDPR consultant), as long as they are based in a State where some of your data subjects are located. The appointment must be made in writing, and your relationship with the representative must be clearly set out.
Data transfers may be affected by a new CJEU decision
At the end of the transition period, the UK will become a third country (a name given to any country that is not a member of the EEA, except for Switzerland). The European Commission grants third countries what is known as an ‘adequacy decision’: a determination of whether or not that particular nation has adequate data protection measures in place to allow data to flow to and from parties in each country without further safeguarding measures being necessary. You may be thinking that because the UK is already subject to the GDPR, the granting of an ‘adequacy decision’ would be a mere formality. Unfortunately, this is not the case. In the recent decision of Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, known as Schrems II, the CJEU illustrated that law and practice around government surveillance is a key factor in the EU’s assessment of third-country data protection regimes. Under the Investigatory Powers Act 2016, the British authorities have broad powers to intercept communications and demand access to data. Therefore, there is no guarantee that an ‘adequacy decision’ will be granted to the UK.
If an ‘adequacy decision’ is not awarded, several other data transfer mechanisms can be used, principally the European Commission’s SCCs, Article 49 derogations, or Binding Corporate Rules (BCRs). However, the CJEU in Schrems II placed an extra burden on data exporters using SCCs, ruling that case-by-case assessments of the extent to which personal data will be protected in the destination country must be carried out. Particular emphasis must be placed on the rights of public bodies to access personal data. The European Commission is considering the Schrems II decision in relation to SCCs, and until matters are clarified, Article 49 derogations and BCRs are safer alternatives.
If you require any advice on Data Protection or GDPR matters, please get in touch with Ann-Maree Blake.
Please note – this article does not constitute legal advice.