
Data Sharing - What to Do to Prepare for a ‘No Deal’ Brexit


Where are we now?

After months of negotiations, the UK and EU agreed a Brexit deal which meant the UK left the EU on 31 January 2020. It came in two parts: (i) a legally binding withdrawal agreement and (ii) a non-legally binding short statement on future relations.

Following the UK’s exit, there will be an 11 month transition period until at least 31 December 2020, during which time the UK and EU will begin negotiations that include the issue of data protection and the potential to complete and pass the assessment needed to gain an ‘Adequacy Decision’ for the UK.

However, whilst it has been stated that the UK and EU will attempt to complete the process, there is no guarantee that it will occur. If no extension to the transition period is made, then from 1 January 2021 the flow of personal data to the UK will be affected in the same way as under a no deal scenario, which means that:

  1. organisations in the EU/EEA will not automatically be able to continue to lawfully share personal data with the College;
  2. the College may not be able to continue to lawfully share personal data with organisations in the United States.


Steps to take to prepare for a no deal Brexit

NB: In addition to the guidance below, colleagues involved in research projects that require cross border data sharing may find this No deal Brexit guidance for research activities helpful to determine whether any action needs to be taken to mitigate for the risk of a no deal Brexit. Other colleagues may find this No deal Brexit guidance for non research activities helpful.

Step 1: Data sharing contracts/arrangements checks – please take Step 1(i) and (ii) below

(i) Identify any contracts or other arrangements where:

  • an organisation based in the EEA shares personal data with the College; or
  • the College shares personal data with an organisation in the EEA and that organisation then transfers the data back to the College in the UK (e.g. this may arise in joint research projects or where cloud IT services are provided to the College).

If you identify any such contracts or arrangements, then please take the actions set out in Step 2(i) below.

Explanation notes:

  • the following countries are in the EEA: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK, Iceland, Liechtenstein and Norway;
  • if personal data is shared and processed solely within the UK – no further measures need to be put in place to prepare for a no deal Brexit;
  • if personal data is transferred solely from the UK to an organisation in the EEA (and not back to the UK) – no further measures need to be put in place to prepare for a no deal Brexit;
  • if personal data is transferred solely from the UK to an organisation outside the EEA, the current rules will continue to apply as before except for sharing of data with organisations in the US on the basis of the EU – US Privacy Shield where the position changes as explained in section (ii) below.

(ii) Identify any transfers of personal data from the College to organisations in the US where such transfers currently take place on the basis of the EU – US Privacy Shield.

If the UK exits the EU without a deal and the College wishes to continue to make transfers of personal data to US organisations under the Privacy Shield, you will need to check that the relevant US organisation has made the necessary update to its commitment to compliance with the Privacy Shield to cover both the EU and the UK. Confirmation of the update should usually be possible simply by checking the US organisation’s publicly available privacy policy. More information about the Privacy Shield arrangements can be found on the Privacy Shield website.

If the US organisation has not made such an update, then you should take the actions set out in Step 2(ii) below.

Step 2: Work with the relevant counterparty in the EEA or the US (as applicable) to find a legal basis for continuing to share personal data with them

(i) Where the counterparty is in the EEA - once the UK becomes a third country on Brexit day (and for so long as the EU has not made an “adequacy decision” for the UK), organisations in the EEA may transfer personal data to the College if:

  • the College has provided “appropriate safeguards” in the form of signing up to the EU Standard Contractual Clauses (SCCs); or
  • the College and the EEA organisation can agree to rely on the basis of the so-called “derogations” - they allow transfers in specific cases, such as:
    • where explicit consent is given by the data subject – but this is not an option where the College is exercising public functions i.e. where the personal data is used for teaching or research purposes;
    • where the cross border transfer is necessary for the performance of a contract – but this is not an option where the College is exercising its public functions or has simply chosen to structure its activities in that manner;
    • where the cross border transfer is necessary for important reasons of public interest (this is a fairly exceptional derogation and would apply rarely).

In most cases, the College signing up to the EU Standard Contractual Clauses would be the most appropriate mechanism to enable an EEA counterparty to transfer or continue to transfer personal data to the College in the event of a no deal Brexit.

Please use the ICO interactive tool to confirm that the EU Standard Contractual Clauses are appropriate to use in any specific data sharing scenario. When answering questions via the interactive tool, please remember that where the College is exercising public functions such as teaching or research, data subject explicit consent and relying on a transfer being necessary for the performance of a contract are not available to the College (although they may be available to other organisations).

What are the EU Standard Contractual Clauses and where can I find them?

The EU Standard Contractual Clauses are three sets of templates (which may not be amended by the parties):

  • 2010 EU controller to non-EU or EEA processor clauses;
  • 2001 EU controller to non-EU or EEA controller clauses; or
  • 2004 EU controller to non-EU or EEA controller clauses – note that the 2004 clauses are preferable to use (as the 2001 clauses are more onerous).

Once you confirm that the EU Standard Contractual Clauses are the most appropriate mechanism to use, you can download the appropriate form of template here:

Alternatively, in the event of a controller to processor arrangement, you can use the ICO’s interactive contract builder to create a contract containing the EU Standard Contractual Clauses for controller to processor by answering a few questions and then downloading and saving the resulting contract: https://ico.org.uk/for-organisations/data-protection-and-brexit/controller-to-processor-contract-builder/

PLEASE NOTE that the EU Standard Contractual Clauses for controller to processor arrangements have to be used as a supplement to an existing data processing agreement, or to data processing clauses in a services or other contract, in order to satisfy the legal basis for cross border transfers outside the EEA. They cannot be used on their own as a standalone data processing agreement, as the GDPR has additional requirements for what provisions need to be set out in data processing agreements (and the EU Standard Contractual Clauses have yet to catch up with these). Therefore, if you are considering entering into data processing arrangements with an EEA counterparty where personal data will be transferred from the EEA to the UK, and there is no existing data processing agreement or set of clauses within a services agreement (or other contract) that satisfies the GDPR (apart from the non-EEA transfer basis), please reach out to the data protection contacts noted below for advice on what form of document to use.

What if I think the College can rely on one of the derogations (as opposed to signing up to the EU Standard Contractual Clauses)?

If you think that one of the derogations may apply in the context of a specific arrangement, please discuss this with the relevant EEA counterparty first. If they agree, consider with the EEA counterparty whether it is desirable to sign a side letter confirming this conclusion. At the very least, please make a file note of the analysis and retain any email correspondence with the EEA counterparty in this regard.

(ii) Where the counterparty is in the US and the College has transferred any personal data to it to date on the basis of the Privacy Shield, and the US counterparty has not amended its Privacy Shield registration to cover the UK (as explained in Step 1(ii) above) – the College may continue to transfer personal data to the US organisation only if:

  • the US counterparty signs up to the EU Standard Contractual Clauses (SCCs) – as explained in Step 2(i) above (and as per the templates referred to in Step 2(i));
  • the US counterparty is part of a group that has put in place Binding Corporate Rules (BCRs) authorised before Brexit day – BCRs are rarely encountered in practice; or
  • the College and the US organisation can agree to rely on the basis of the so-called “derogations” - they allow transfers in specific cases, such as:
    • where explicit consent is given by the data subject – but this is not an option where the College is exercising public functions i.e. where the personal data is used for teaching or research purposes;
    • where the cross border transfer is necessary for the performance of a contract – but this is not an option where the College is exercising its public functions or has simply chosen to structure its activities in that manner;
    • where the cross border transfer is necessary for important reasons of public interest (this is a fairly exceptional derogation and would apply rarely).

If you think one of these derogations may apply in the context of a specific arrangement, please discuss this with the relevant US counterparty first. If they agree, please suggest to the US counterparty that a side letter confirming this conclusion (and supplementing and amending any other data sharing agreements between the College and that US counterparty) is signed.


What if I have questions in relation to the above recommendations or need help preparing any data protection documents?

If you have questions in relation to Brexit preparations in the context of data protection or need help with any data protection documents, please contact in the first instance the College’s DPO or the College’s Deputy DPO via Data-Protection@Imperial.ac.uk for further information.


Further publicly available information

The Department for Culture, Media and Sport has provided a brief overview, available on its website, which will be added to as further information becomes known.

The ICO has reiterated that data protection legislation will remain in place and has started to create guidance that aligns with the government’s statements regarding a ‘no deal’ scenario.

The guidance currently consists of a ‘Leaving the EU - Six steps to take’, a broader guidance site ‘Data protection if there's no Brexit deal’ and some Frequently Asked Questions.