On 25 May 2018, the Data Protection Act 2018 came into force and represented the UK’s adoption of the EU’s General Data Protection Regulation (GDPR).
As this Act fully implemented the requirements of the GDPR and was considered to be adequate by all EEA countries prior to BREXIT, a reasonable person might have believed that this would automatically continue after the UK left the EU. But that was not the case. As could only happen when a megalithic bureaucracy is involved, the EU did not recognise the UK’s data protection laws at the end of the transition period in December 2020 – indeed there was some talk that they were in some way deficient!
Since then, discussions have been under way on a couple of areas of concern to ATEB and our readers, namely financial services and data protection. It looks extremely unlikely that the EU will grant ‘equivalence’ to UK financial regulations, despite those also having been in lockstep with EU regulations for years. There is, however, better news on data protection.
On 19 February 2021, the European Commission published its draft UK adequacy decisions. Those adequacy decisions are now with the European Data Protection Board (EDPB) who will, in due course, deliver an opinion to the European Commission and representatives from the EU member states. (Did we mention bureaucracy already?) If adopted these decisions will allow for continued free flow of personal data from the EU into the UK as a ‘third country’.
The ‘new’ situation
Restricted transfers from the UK to other countries, including to the EEA, are now subject to transfer rules under the UK regime. These UK transfer rules broadly mirror the EU GDPR rules, but the UK has the independence to keep the framework under review.
The rules include provisions permitting the transfer of personal data from UK to the EEA and to any countries which, as at 31 December 2020, were covered by a European Commission ‘adequacy decision’. The listed third party ‘countries’ whose data protection is considered adequate are Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
The UK government has the power to make its own ‘adequacy decisions’ in relation to third countries and international organisations. In the UK regime these are now known as ‘adequacy regulations’.
There are also provisions which allow the continued use of any EU Standard Contractual Clauses (‘SCCs’), valid as at 31 December 2020, both for existing restricted transfers and for new restricted transfers (see here). There should always be a formal agreement in place between firms sharing data or to whom data is transferred.
Data sharing within a group of firms
Many firms have subsidiaries or are owned by another firm. Care needs to be taken when sharing data ‘within’ the group. Data sharing can apply even where data is shared between firms that are part of the same group of firms. So, the rules on sharing may need to be followed. A useful test is whether firms have (or should have) their own data controller registration with the ICO but there is further guidance in the ICO data sharing code of conduct. That can be found here and provides a pretty good list of all the things that should be considered.
In brief, any ‘third party’ with whom data will be shared must be specifically named on the privacy notice as a potential recipient of shared data, or prior to the sharing of any data with that third party. Then there should be an appropriate contract in place between the principal company as data controller and the secondary firm as data processor (see here). This should specify a lawful basis for sharing and also the safeguards and standards to be implemented.