We are interrupting our series of bulletins on Quebec's Draft Bill 64 in order to bring to your attention the fact that the United Kingdom appears to be leaving the European Union without recognition of its data protection framework as adequate. This means that after December 31, 2020, the UK will have the status of a third country for data transfer purposes. Our special bulletin spells out the consequences.
We will resume our regular series on the draft Quebec legislation next week.
If the United Kingdom's transitory period for concluding an agreement with the European Union ends on December 31, 2020 without having an agreement concluded that the EU recognizes the UK as adequate for data protection purposes, businesses should make adjustments now for a new regulatory reality. In September 2019, Fasken published a bulletin on Brexit and data protection, advising businesses who are sending or receiving data from the UK to prepare for this.
More than a year later, the United Kingdom has not yet been recognized as having adequate status by the EU. Given the length and complexity of the adequacy process, this seems unlikely to happen before December 31, 2020. The UK Information Commissioner's Office warns:
The GDPR will be brought into UK law as the "UK GDPR", but there may be further developments about how we deal with particular issues such as UK-EU transfers. The GDPR will be retained in domestic law at the end of the transition period, but the UK will have the independence to keep the framework under review.
International data flows
One area where the rules will change is in international data transfers. If your organization sends personal information from Canada to the EU at the present time, you currently do not need specific additional safeguards to ensure the protection of the data. And if you now send personal information from the EU to Canada, the latter's adequacy status (as applied only to the processing subject to the Protection of Personal Information and Electronic Documents Act) means information flows as if it was within the EU.
However, once the UK leaves the EU without special arrangements, it becomes a third country for data protection purposes, until and if the EU eventually judges it to be adequate in the protection it affords to personal information. So personal information can no longer circulate between Canada (commercial sector adequate), the continental EU and the broader European Economic Area (EEA) and the UK in a continuous loop. Data from a business in the EU or the EEA cannot be simply transferred to the same or another business in the UK in the identical manner as before.
The advice which we gave in September 2019 is even more applicable in the present context.
Things to do before December 31, 2020
1. Inventory all current data flows in your business. Pinpoint those going from the EEA and the EU to the UK. These are the data flows which will require particular attention when the UK becomes a third country from the perspective of the GDPR.
More specifically, if the UK does not receive adequacy decisions by the end of the transition period, the data protection provisions set out in the Withdrawal Agreement (data protection provisions set out in Part Three, Title VII, Article 71(1) signed by the UK and the EU in December 2019) will come into force. This means organisations in the UK will need to comply with EU data protection law (as it stands on 31 December 2020) when processing personal data that was gathered before the end of the transition and relates to individuals who live outside the UK. Therefore, the ICO recommends to take stock of personal data you hold so that you can distinguish between data acquired before the end of the transition period and after.
2. Inventory the flows from Canada to the UK. Canada continues to require that data flowing to other jurisdictions be guaranteed the same level of protection as it enjoys in Canada. Pay attention to the progress of draft legislation in Quebec (Bill 64) which would, when adopted, require GDPR-like assessments and special procedures and protection for personal information leaving Quebec.
3. Identify, given your particular needs, how to support your existing data flows to the UK given that from January 2021 the UK will be considered a third country by the EU. What additional safeguards could be attached?
Unless you have binding corporate rules (BCRs) in place throughout your organization (bearing in mind that BCRs can only be used within a group of related organizations, approved by the relevant data protection authority), adding standard contractual clauses to the documentation which applies to the data flowing from the EEA and EU to the UK may be the simplest approach. Such clauses are to be found on the website of the European Commission.
This being said, whatever the instrument used for the transfer, due to the Schrems II decision, before transferring personal data from the EEA to a third country which is not recognized as adequate, which may be the case for the UK, a data transfer risk assessment of the adequacy of the level of protection in a third country shall be made.
Data flowing from the UK to the EU and the EEA will now have to respect the obligations imposed on third countries by the European Union, such as hiring a European representative.
4. Data flowing to the UK from Canada is no longer flowing between two adequate jurisdictions. You will most likely need to create new conditions around these data flows to ensure data originating in Canada and destined for the UK is sufficiently safeguarded.
5. Data flowing from the UK to Canada should not require immediate review of transfer conditions as Canada (commercial sector) is recognized as adequate. The General Data Protection Regulation has been incorporated into UK law. At the present time, data arriving in the UK from jurisdictions recognized as adequate by the EU are subject to no special conditions. However, this may change in the future as the UK modifies it own data protection rules.
6. Review your arrangements for a lead supervisory authority. If you have chosen the UK and you do business in the EU and the EEA after December 2020, you will have to evaluate your activities in the newly configured EU to see where your new lead data protection authority is within the European Union. This is important in order to benefit from the one-stop-shop policy in case of complaints within the EU.
8. Continue to monitor the evolving situation. It is foreseen that the UK data protection regime will adapt over time.
BILL 64 RESOURCE CENTER - Visit our Bill 64 Resource Center for all the information you need to help you to cope with the changes that might be made to the legislation.
DISTRIBUTION LIST - If you do not want to miss our next bulletins and any other relevant information on this subject, sign up now on our distribution list to receive all communications related to this new Bill.