The Brexit data bridge and what you need to know
Countdown to expiry of the EU/UK Data Bridge and navigating the new rules on Data Breach notification.
UK-EEA Data Transfers and Brexit: The Brexit Deal only provided a short term reprieve for dataflows and urgent preparations should commence now to ensure your business is not interrupted over the next few months.
As you will be aware, the Brexit transition period ended on 31 December 2020. The threatened data transfer ‘cliff-edge’ did not fully materialise – although it was only a temporary reprieve, not a permanent solution. As the ICO recommends, UK businesses who transfer personal data to and from the EEA should take stock now and complete their preparations prior to the end of April 2021.
To a certain degree, the UK regained autonomy of data protection laws from 1 January 2021. This has entailed that certain European data protection laws have been converted into UK law – for example, the ‘UK GDPR’ (which largely reflects the EU GDPR) sits alongside the Data Protection Act 2018 and governs the protection of personal data.
In practice, many of the principles, rights and obligations have not been altered; however, there are major implications for your business and for cross-border UK-EEA dataflows.
From the end of the Brexit transition period, the UK became a ‘third country’ for the purposes of the transfer of personal data from the EEA. This entailed that the free flow of personal data between the UK and the EEA would be subject to additional regulatory restrictions and safeguards, requiring, in many cases, additional contractual documentation (for example EU Standard Contractual Clauses) between the parties to continue dataflows which are essential (and often routine) to the relevant businesses. Such restrictions would be in place until a finding of adequacy by the European Commission – which may take some time.
The UK Government has confirmed that it considers that the continuance of personal data transfers from the UK to the EEA is potentially lawful without additional safeguards. However, the converse is not the case – transfers of personal data from the EEA to the UK would be subject to additional restrictions and safeguard requirements.
Thankfully, as part of the EU-UK Trade and Cooperation Agreement, the EU has delayed such data transfer restrictions for a period of 4 months from the end of the Brexit transition period (with an ability to extend for a further 2 months) (the “Bridge”) while the UK seeks an adequacy decision from the EU. The Bridge was negotiated to permit the free flow of personal data from the EEA to the UK during the period the Bridge is in force.
If adequacy is not determined or the UK unilaterally amends its data protection legislation during this period, the Bridge will cease and the dataflow restrictions will come into force. There is no time like the present to commence your preparations (which the ICO recommends are finalised prior to the end of April 2021) and we are here to help.
Data breach notifications
Similarly, whilst businesses will have taken steps to implement appropriate organisational and technical measures to protect against the risk of any incident involving a breach or compromise of personal data – such as a cyber-attack, systems failure or even just human error – even the best defences can be overcome, so it is important also to understand the regulatory impact on cross-border processing now that the Brexit transition period has ended.
If your business is established in the UK but processes data of individuals, such as its customers, who live in the European Economic Area (“EEA”), there are new rules on which data protection authorities you need to deal with. That’s because the one-stop-shop regime and lead authority arrangements which apply between EU member states no longer apply to the UK since the end of the Brexit transition period.
In the event of a compromise or breach of customer data, UK businesses need to be clear about the supervisory authorities to whom notification should be made, the possibility that they may be required to make notifications to multiple supervisory authorities in the UK and across the EU/EEA and the prospect also that they may be exposed to the risk of multiple sanctions (including fines) imposed by each one.
The following guidance, based on five examples, is not exhaustive but is likely to capture the majority of UK businesses. It explains to which supervisory authority or authorities notification should be made in the event of a breach or compromise of customer data and by whom sanctions (including fines) may be imposed:
- Business A: has its HQ and only premises here in the UK. All its customers are UK residents and all data affecting those customers is processed here in the UK.
A breach or compromise of Business A’s customer data should be notified to the UK’s Information Commissioner (“ICO”), and would be investigated pursuant to UK data protection law. Business A may be sanctioned or fined only by the ICO.
- Business B: has its HQ here in the UK but also further premises in one EEA member state, e.g. Belgium. Its sales are to customers in the UK and Belgium. All customer data is processed here in the UK.
A breach or compromise of Business B’s UK and Belgian customer data should be notified to the UK’s Information Commissioner (“ICO”) and Belgium’s equivalent called “the Data Protection Authority”. The ICO’s investigation would be carried out pursuant to UK data protection law, whereas the Data Protection Authority would investigate under EU GDPR. Business B may be sanctioned or fined by both the ICO and the Data Protection Authority.
- Business C: has its HQ here in the UK but also further premises in one EEA member state, e.g. Spain. Its sales are to customers in the UK and Spain but also via its online store to customers in other EEA member states, e.g. Austria, Portugal and the Netherlands. All customer data is processed here in the UK.
A breach or compromise of Business C’s UK customer data should be notified to the ICO and would be investigated pursuant to UK data protection law.
Meanwhile, EU GDPR treats Business C as cross-border processing in respect of its Spanish, Austrian, Portuguese and Dutch customer data. Since Business C’s only European premises are in Spain, in the event of a breach affecting all its European customer data the Spanish supervisory authority, Agencia Española de Protección de Datos (the “AEPD”), would be the lead EU supervisory authority to whom notification should be made.
The ICO’s investigation would be carried out pursuant to UK data protection law, whereas the AEPD’s investigation would be under EU GDPR. Business C may be sanctioned or fined by both the ICO and the AEPD.
- Business D: has its HQ here in the UK but also further premises in two EEA member states, e.g. Austria and Sweden. It has customers who are resident in all three countries. All customer data is processed here in the UK.
A breach or compromise of Business D’s UK customer data should be notified to the ICO and would be investigated pursuant to UK data protection law.
Meanwhile, EU GDPR treats Business D as cross-border processing in respect of its Austrian and Swedish customer data. Since Business D has European premises in both Austria and Sweden, in the event of a breach affecting all its European customer data EU guidelines on how to select the correct lead supervisory authority would apply. In this instance those guidelines provide that the larger customer base determines the outcome. Assuming that this were Austria, then the Austrian supervisory authority, the Datenschutzbehörde (the “DSB”), would be the lead EU supervisory authority to whom notification should be made.
The ICO’s investigation would be carried out pursuant to UK data protection law, whereas the DSB’s investigation would be under EU GDPR. Business D may be sanctioned or fined by both the ICO and the DSB.
- Business E: has its HQ and only premises here in the UK. All its sales activity is conducted via an online store. Its customers are resident in the UK and across the EEA. All customer data is processed here in the UK.
A breach or compromise of Business E’s UK customer data should be notified to the ICO and would be investigated pursuant to UK data protection law.
In the absence of any European premises, Business E is not treated by EU GDPR as carrying on any cross-border processing. Its data processing activities are therefore subject to UK data protection law and supervision by the ICO. Nevertheless, all Business E’s sales and marketing activities to EEA customers will be subject to EU GDPR. As a result, a breach affecting all Business E’s European customer data may be investigated by any of the EEA member state supervisory authorities whose residents are amongst the affected customers.
The ICO’s investigation would be carried out pursuant to UK data protection law, whereas the investigation by each EEA member state supervisory authority would be under EU GDPR. Business E may be sanctioned or fined by the ICO and by each EEA member state supervisory authority whose residents are amongst the affected customers.
What should you do now?
As the ICO recommends, businesses should prepare for the worst case scenario and have measures in place prior to the end of April 2021. Such measures include:
- Taking stock
You should map your business’s international dataflows (including those between the EEA and the UK) and identify which of them are affected. This is a key step in your preparations;
- Determine and consider your contractual and regulatory requirements
You should work with your clients, suppliers and any other data importers to put in place alternative transfer mechanisms, if required, to safeguard against dataflow interruption at the end of the Bridge. For example, amendments may be required to your contracts, together with the incorporation of EU Standard Contractual Clauses, or exceptions may be applied to permit the dataflow to lawfully continue;
- Distinguish between relevant datasets
You should determine which personal data was obtained prior to, and after, 1 January 2021. Importantly, personal data acquired prior to 1 January 2021 will remain subject to the EU GDPR (as it stood on 31 December 2020), however personal data acquired from 1 January 2021 will be subject to UK data protection laws.
- Review incident response plans and how your business would handle a data breach
Preparation is key to a fast, efficient and effective response and recovery if the worst were to happen. Now is the time to reflect on the adequacy of current plans (if any) and options for managing and mitigating the impact of a data breach. Consider in particular whether your business may have changed since its last review – e.g. has the IT estate grown, has its customer base diversified or supply chain partners changed – and whether it needs help to identify possible weaknesses and/or the need for new or enhanced protective measures.
Don’t delay your preparations any longer: the ICO recommends that they are completed prior to the end of April – the clock is ticking. The Bridge is a temporary measure, so speak to a data protection specialist now.
Our data protection experts are here to help.
Data protection and GDPR
Expert advice in relation to all aspects of data protection, information governance, privacy, cyber liability and electronic communications.