Data Protection Law
Data compliance is an essential part of everyone’s business. There have been several shifts in UK law’s data compliance regime following Brexit and the ruling in Schrems II. This means that plenty of businesses’ privacy policies are not up to date. Changes range from simply swapping in different references to legislation, to considering the effect that Brexit has had on cross-border transfers of data. For those transferring data to the US, the invalidation of the Privacy Shield framework should also be considered. Here is our guide on the updates businesses should consider making to their privacy policies (and the issues we frequently spot when dealing with clients’ data protection documentation or doing due diligence on other companies’ privacy policies).
Data compliance post Brexit
With the start of 2021, and the end of the EU-UK transition period, the retained EU law version of the General Data Protection Regulation (Regulation (EU) 2016/679), called the UK GDPR, applies in the UK, along with the Data Protection Act 2018 (DPA 2018). Therefore, the main body of data protection law in the UK is now made up of the UK GDPR and the DPA 2018.
So, as a simple starting point for updating a privacy policy, make sure that all references to the GDPR are changed to the UK GDPR. There may also be references to ‘Applicable Data Protection Laws’, in which case the definition of these applicable laws needs to be changed to include the UK GDPR and the DPA 2018.
It is important to note that the EU GDPR (the data protection regime in the EU) will continue to have extra-territorial effect and so may apply to UK controllers or processors who have an establishment in the EU, or who offer goods or services to data subjects in the EU, or who monitor their behaviour as far as their behaviour takes place within the EU. So, if you operate in the EU as well as the UK you should consider including references to the EU GDPR. Additionally, it is important to be aware that even though your privacy policy may now refer to the UK GDPR, if you operate in the EU, you should consider the consequences of operating in two data protection regimes. This may include a review of your mechanisms for cross-border transfers of data to the EU.
Data compliance: cross-border transfers of data
Now that the UK has left the EU, all data transfers from the UK to the EU or vice versa are defined as cross-border transfers for the purposes of data protection law. This means that, to address data compliance, additional safeguards need to be in place, for example Standard Contractual Clauses or reliance upon an adequacy decision (a decision made by a relevant authority that data protection is adequate in a particular country and hence data can flow there freely). As it stands, in June 2021, the UK has granted the EU an adequacy decision but the EU is yet to grant one to the UK.
In relation to updating your privacy policy, it will now be important, if transferring data to and from the EU, to show which safeguards you are relying upon to do so. It should be noted, however, that on 24th December 2020, the UK and the EU reached a trade and co-operation agreement addressing the arrangements following the end of the Brexit transition period on 31st December 2020. The agreement includes an interim provision (bridging mechanism) for transmission of personal data from the EU to the UK which could last up to six months. Therefore, under the current circumstances (as in June – the time of this blog), companies do not need to have additional safeguards in place for transfers of personal data to the EU. Regardless of these developments, businesses should, however, state in their privacy policies that they are relying upon these provisional agreements and adequacy decisions to transfer data to the EU. This could start by including a simple acknowledgement in a privacy policy that any personal data transfers from the UK to the EU are transfers taking place between two separate data protection regimes.
Privacy Shield invalidated
The EU-US Privacy Shield was a framework constructed by the US Department of Commerce and the European Commission to enable transatlantic data protection exchanges for commercial purposes. The Privacy Shield enabled companies from the US to comply with data protection requirements and enable free flows of personal data to and from the EU, without the need for additional safeguards (such as those expected for third countries – countries not deemed to have adequate levels of protection by the EU for personal data – such as the US).
The Privacy Shield was invalidated in July 2020 following the ECJ’s preliminary ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) and should therefore no longer be relied upon for transfers to the US. The controller-to-processor standard contractual clauses were not invalidated, so organisations can still rely upon them when transferring data to the US. This means that any reference to the Privacy Shield in a privacy policy needs to be erased and the mechanisms which an organisation is now using to transfer data to the US need to be clearly stated. In the majority of cases this will mean mentioning the use of standard contractual clauses.
Data compliance checklist
Here is a list of things to consider when editing your privacy policy to ensure data compliance:
- All references to UK data protection laws and legislation need to refer to the UK GDPR and the DPA 2018.
- Transfers of data to the EU need to be treated as cross-border data transfers, so the legal basis for making these transfers needs to be stated (such as an adequacy decision, the current bridging mechanism, standard contractual clauses, binding corporate rules etc.).
- Any reference to the EU-US Privacy Shield needs to be erased for data transfers to the US, and if standard contractual clauses are now being used this needs to be mentioned.
Data Compliance and Transparency
As part of the UK GDPR principles, businesses must comply with the transparency requirements set out in Articles 13 and 14 of the UK GDPR. The transparency principles require all controllers to notify data subjects about their personal data handling practices through a privacy policy, at the time that data is collected. It therefore follows that if your business has changed the way it processes the personal data of its customers, due to the developments discussed in this blog, and is relying on a new basis for that processing (i.e. the UK GDPR instead of the previous regime), then in order to comply with the transparency principles it should update its privacy policy to reflect this. For an online business, that will usually mean updating the website privacy policy.
Multiple jurisdictions
Organisations with entities in multiple jurisdictions face data compliance challenges when trying to implement website privacy policies as part of a global privacy compliance programme. Multinationals must choose between implementing a single, global privacy policy applicable to all their customers globally or jurisdiction-specific policies, taking into account that even within the EU, member states are likely to have varying rules on data protection. This will mean paying attention to the references to legislation in jurisdiction-specific policies and being clear about how exactly cross-border data transfers are taking place between different branches of an organisation. Given the potential complexity of the structure of such data transfers, it would be worth seeking legal advice. Many privacy policy regulators, including the ICO, recommend a layered policy format, which pairs a short summary with a linked detailed disclosure, as the most effective way to simplify a complex privacy policy and make it clearly and conspicuously accessible.
Here to help
Hopefully this blog gives you enough scope to update your privacy policy and address data compliance. But we can also help you do so. With Brexit and the ruling in Schrems II, data compliance has become legally complex, but that doesn’t mean a practical approach for businesses isn’t possible. The next big step in UK data law is whether or not an adequacy decision will be granted. The decision is currently in the comitology procedure, which means all EU member states need to agree the drafting. If an adequacy decision is reached, then data flows will be unimpeded between the EU and the UK. Regardless of such a decision, however, references to legislation and the mechanisms relied upon for cross-border transfers will still need to be updated.
Other developments include the recent publishing of updated Standard Contractual Clauses by the European Commission. This means that agreements which export EU data to a third country and rely upon Standard Contractual Clauses should be updated. The new versions also incorporate means by which to adhere to new requirements for cross-border transfers following the decision in Schrems II. Schrems II introduced an obligation to assess local data laws before going ahead with a transfer.
EM Law specialises in technology and data protection law. Get in touch if you need advice on data protection law or if you have any questions on the above.