June 10, 2022
For most of us in the UK, it has taken a while for the effects of Brexit to set in and for us to notice the differences between life as part of the European Union and life no longer being a member. You’ve no doubt had to join a different queue at airport security, or had your packed lunch nabbed…
In the world of data protection, the changes for your business may have been harder to spot, because:
Whilst there was a change, most day-to-day activities felt the same.
One of the rules that applies in both the original European GDPR and the new UK GDPR, is that you can only send personal data to a third country if you and the organisation / person receiving the personal data have put a legal safety net in place.
A third country means any country which is not part of the European Economic Area for the EU GDPR, so taking that copy + paste approach for the UK GDPR, any country outside the United Kingdom.
Now, the UK and EU have actually agreed that (at least for the time being), since we have similar data protection laws, you can send information between them. So that means, whenever personal data is sent outside of the European Union or the United Kingdom – there needs to be a safety net in place. The safety net you need depends on the country the personal data is being sent to.
The first question is whether you’re sending personal data to a country which is formally recognised as looking after personal data to an acceptable standard. A country might not make the list if it doesn’t have any local data protection laws which provide individuals similar legal rights to that which the GDPR and UK GDPR do, or because – even though it has those laws – it doesn’t have a good track record of sticking to them or its government can easily bypass them.
In the UK, it’s up to the Secretary of State to formally recognise a country as having acceptable data protection practices whereas in the European Union, it’s up the European Commission. As at the time of writing, the UK and the European Union recognise each other and the same list of other countries (e.g. Canada, Japan) as being adequate.
If you can’t rely on Safety Net 1, don’t worry – you may be able to rely on Safety Net 2 (which is actually a combination of a few different options, but there’s only really one which you’re likely to come across).
So, if a country you’re sending personal data to hasn’t made the officially recognised list, then you (the sender) and the person / organisation located in that country (the receiver) can put in place an alternative mechanism which ensures people’s information is kept safe when it lands abroad. There are a few alternatives to choose from here, but we are going to focus on the most popular option. That is where the sender and receiver sign a contract which essentially promises they’ll treat personal data the same way they would if they were subject to the GDPR / UK GDPR.
Because contracts can be like snowflakes (totally unique, with no similarities), in order to make things consistent, this is a contract where only very limited changes can be made – it is known as the standard contractual clauses (SCCs). These clauses can either be signed as a standalone document or included as an appendix to the main agreement (e.g. the contract dealing with the services or goods being provided).
When Brexit happened, things started to get complicated. After a few years of being in circulation, everyone acknowledged that the SCCs did a pretty good job but there was also room for improvement (e.g. making clear the sender might not always be the controller in the relationship). So the European Commission decided they needed a revamp. The problem was, because the UK was now out of the club, those revamped SCCs didn’t apply to us so we carried on using the old version which we called – again, very creatively – the UK SCCs.
That was until recently, when the UK decided we wanted to launch our own version of this contract. But with no Ss and no Cs to be found – the International Data Transfer Agreement (IDTA). Doing exactly what it says on the tin, same as before (except UK-style) this is a legal document both sender and receiver sign to make sure that when personal data is sent internationally (outside the UK) that people still have effective rights and protections when it comes to their information.
However, because we’re all still waiting for the smoke to clear now the Brexit bomb has detonated, there is also the option to use the newly published Addendum as well. So whereas the IDTA is a standalone, shiny new document which covers personal data transferred from the UK, the Addendum is a really helpful tool where the parties are sending both EU and UK personal data since it acts like a bolt on the EU SCCs. So when do you need to start using these snazzy new standard contracts? Well, the UK and EU standard contracts come with different deadlines too. But don’t worry, we’ve got a snazzy flowchart for you which means you’ll have no trouble knowing which document you need (and by when) if you’re sending personal data outside the UK.
In addition – yes, there’s more – as well as signing a contract, you also need to carry out a risk assessment. You have to do that for both GDPR and UK GDPR, but again there’s a slight difference between the assessments you need to conduct.
Under the GDPR (sending personal data outside the European Economic Area), you’ll need to do a transfer impact assessment but under the UK GDPR (sending personal data outside the UK), you’ll need to do a transfer risk assessment. They are pretty similar, but the nuance here is that whilst both assessments get you to think about whether relying on the contract actually protects the individuals’ whose personal data you’re sending – the UK version appears to focus on whether the risk posed to individuals will materialise (e.g. actually happen) whereas the European equivalent appears to focus on the fact the risk to individuals exists in the first place (e.g. it doesn’t matter how frequently the power is used, the fact a foreign government can demand access to personal data at any point might be enough to mean the transfer shouldn’t go ahead).
As a last resort, where the last two safety nets cannot be relied upon, there are seven limited circumstances where you’re able to send personal data abroad even though it’s being sent to a country without adequacy status and you’re not signing up to a contract with the receiver (or using one of the other rarely used alternatives, i.e. Binding Corporate Rules). The GDPR and UK GDPR highlight that these can only be used in very specific, limited circumstances – e.g. the individual whose personal data will be transferred, has been told of the potential risks to their information being sent to a specific country, have given their permission for you to send their information for that one transfer.
If you send people’s information outside the UK, you need to know that things aren’t the same as they were before Brexit – and in most cases you’ll need to make sure your international data transfers either have safety net 1 or 2 in place. Safety net 2 can be a bit of a headache, which is why we’ve turned it into a flowchart for you.
And if it’s STILL hurting your head, don’t worry – our data protection team is here to give you a hand. They eat this stuff up for Brexit-fast.
We’re the experts in getting data on your good side. Find out more about our data protection offering here.