Data Sharing – What to do post-Brexit
Where are we now?
The UK left the EU on 31 January 2020 and the 11 months of transition period ended on 31 December 2020.
Transfers from the UK to the EEA. Transfers from the UK to the EEA (and to other countries deemed adequate by the EU) continue unaffected. The UK has adopted all of the existing European Commission adequacy decisions. In addition, the UK has declared that the EEA is a ‘safe place’ to transfer personal data, and therefore no other gateway mechanism is required for UK to EEA transfers. This is reflected in a UK-specific version of the GDPR (known as the “UK GDPR”) which took effect on 1 January 2021. The UK GDPR provides a regime for transfers of personal data outside the UK that mirrors the rules in the EU GDPR for transfers outside the EEA.
Transfers from the EEA to the UK. The UK has become a ‘third country’ under the EU GDPR in terms of personal data transfers. This means transfers from the EEA to the UK require a gateway mechanism to validate them. The UK has applied for an adequacy decision from the European Commission, but this has not yet been granted. For the time being, transfers from the EEA to the UK can continue unaffected under the terms of the Trade and Cooperation Agreement (i.e. the Brexit ‘deal’). This contains a provision allowing the continued transfer of personal data from the EEA to the UK for four months (up to 30 April 2021), while the European Commission continues to consider the grant of an adequacy decision to the UK. This period is potentially extendable by another two months, to 30 June 2021.
We strongly advise colleagues to use this time to put in place or implement alternative transfer mechanisms, such as Standard Contractual Clauses, so that transfers of personal data from the EEA to the College can continue uninterrupted in the event that the UK does not receive an adequacy decision at the end of this bridging period. Furthermore, there is a real risk that even if an adequacy decision is made for the UK, that decision will be challenged in court, leaving UK organisations such as the College again in the position of having to put in place or implement alternative transfer mechanisms. This is in line with recommendations from the ICO (see here).
By way of reminder of how the College may share personal data with organisations outside the UK, please see this Guidance Note - Transferring data outside the EEA and UK.
Steps to take now with respect to data protection
NB: In addition to the guidance below, colleagues involved in research projects that require cross-border data sharing may find this Guidance for international data sharing in research helpful to determine whether any action needs to be taken at this stage. Other colleagues may find this Guidance for international data sharing in non-research activities helpful.
Step 1: Check data sharing contracts/arrangements
Identify any contracts or other arrangements where:
- an organisation based in the EEA shares personal data with the College; or
- the College shares personal data with an organisation in the EEA and that organisation then transfers the data back to the College in the UK (e.g. this may arise in joint research projects or where cloud IT services are provided to the College).
If you identify any such contracts or arrangements, then please take the actions set out in Step 2 below.
- note that the following countries are in the EEA: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein and Norway;
- if personal data is shared and processed solely within the UK – no further measures need to be put in place at this time;
- if personal data is transferred solely from the UK to an organisation in the EEA (and not back to the UK) – no further measures need to be put in place at this time;
- if personal data is transferred solely from the UK to an organisation outside the EEA, the current rules will continue to apply as before.
Step 2: Work with the relevant counterparty in the EEA to sign up to the EU Standard Contractual Clauses (SCCs)
Where the counterparty is in the EEA: even though transfers from the EEA to the UK can continue unaffected under the terms of the Brexit ‘deal’ for four months (up to 30 April 2021) and potentially up to 30 June 2021, we highly recommend that colleagues use this time to put in place or implement alternative transfer mechanisms, such as the SCCs, so that transfers of data from the EEA to the College can continue uninterrupted in the event that (i) the UK does not get an adequacy decision at the end of this bridging period or (ii) the adequacy decision, if granted, is challenged in court. This tallies with what the ICO currently recommends.
Instead of signing up to the SCCs, the College and the EEA organisation can agree to rely on one of the so-called “derogations”. These allow transfers in specific (and, in practice, rare) cases, such as:
- where explicit consent is given by the data subject – but this is not an option where the College is exercising public functions i.e. where the personal data is used for teaching or research purposes;
- where the cross border transfer is necessary for the performance of a contract – but this is not an option where the College is exercising its public functions or has simply chosen to structure its activities in that manner;
- where the cross border transfer is necessary for important reasons of public interest (this is a fairly exceptional derogation and would apply rarely).
Please use the ICO interactive tool - https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/ - to confirm that the EU Standard Contractual Clauses are appropriate to use in any specific data sharing scenario. When answering questions via the interactive tool, please remember that where the College is exercising public functions such as teaching or research, data subject explicit consent and reliance on a transfer being necessary for the performance of a contract are not available to the College (although they may be available to other organisations).
What are the EU Standard Contractual Clauses and where can I find them?
The EU Standard Contractual Clauses are three sets of templates (which may not be amended by the parties):
- 2010 EU controller to non-EU/EEA processor clauses
- 2001 EU controller to non-EU/EEA controller clauses or 2004 EU controller to non-EU/EEA controller clauses – note that the 2004 clauses are preferable to use (as the 2001 clauses are more onerous)
Once you confirm that the EU Standard Contractual Clauses are the most appropriate mechanism to use, you can download the appropriate form of template here:
- Research Template A1 - controller to controller data sharing
- Research Template A2 - controller to processor data sharing
Alternatively, in the event of a controller to processor arrangement, you can use the ICO’s interactive contract builder to create a contract containing the EU Standard Contractual Clauses for controller to processor by answering a few questions here and downloading and saving the resulting contract - https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/controller-to-processor-contract-builder/contract-builder/
PLEASE NOTE that the EU Standard Contractual Clauses for controller to processor arrangements have to be used as a supplement to an existing data processing agreement, or to data processing clauses in a services or other contract, in order to satisfy the legal basis for cross-border transfers outside the EEA. They cannot be used on their own as a standalone data processing agreement, as the GDPR has additional requirements for what provisions need to be set out in data processing agreements (and the EU Standard Contractual Clauses have yet to catch up with these). Therefore, if you are considering entering into data processing arrangements with an EEA counterparty where personal data will be transferred from the EEA to the UK, and there is no existing data processing agreement or set of clauses within a services agreement (or other contract) that satisfies the GDPR (apart from the non-EEA transfer basis), please reach out to the data protection contacts noted below for advice on what form of document to use.
In addition to the above, if Standard Contractual Clauses are used then, following the ‘Schrems II’ judgement, it is now necessary to conduct a “Standard Contractual Clauses Assessment” (a template is located here) to document the necessity of the data transfer and the effectiveness of the measures being implemented to protect it.
What if I think the College can rely on one of the derogations (as opposed to signing up to the EU Standard Contractual Clauses)?
If you think that one of the derogations may apply in the context of a specific arrangement, please discuss this with the relevant EEA counterparty first. If they agree, consider with the EEA counterparty whether a side letter confirming this conclusion should be signed. At the very least, please make a file note of the analysis and retain any email correspondence with the EEA counterparty in this regard.
What if I have questions in relation to the above recommendations or need help preparing any data protection documents?
If you have questions in relation to steps to take now in the context of data protection or need help with any data protection documents, please contact in the first instance the College’s DPO or the College’s Deputy DPO via Data-Protection@Imperial.ac.uk for further information.
Further publicly available information
ICO statement from 28 December 2020 - https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/12/ico-statement-in-response-to-uk-governments-announcement-on-the-extended-period-for-personal-data-flows-that-will-allow-time-to-complete-the-adequacy-process/
ICO’s “Keep data flowing from the EEA to the UK – interactive tool” - https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/keep-data-flowing-from-the-eea-to-the-uk-interactive-tool/
ICO guidance on “Information rights at the end of the transition period - Frequently Asked Questions” - https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/information-rights-at-the-end-of-the-transition-period-frequently-asked-questions/