Hello. I'm Kim Walker, partner in the commercial team here at Shakespeare Martineau.
Welcome to today's webinar on Brexit and Data Protection.
We live in a time of uncertainty about so many things.
The new normal, as my CEO likes to call it, and I doubt preparing data protection strategies has been top of your agenda recently.
What is certain, however, is that data protection laws will change from the first of January, the end of the transition period.
This is going to affect every business in the UK in some way or other, even those who don't really do much business outside the UK, and there are definitely preparations which need to be made between now and the end of this year.
So I'm going to explain what the changes will be and the steps businesses can be taking.
We'll start by looking at the new legislation, how it takes over from the GDPR, as we know it, the possible consequences of having separate, but overlapping UK and EU data protection regimes.
Then I'm going to look at what will change as far as flows of data between the UK, the EU and elsewhere are concerned, and what steps businesses need to take to ensure that data flows aren't disrupted from the first of January next year.
And finally, we'll look at the other steps that you need to take to be ready for the end of the transition period, such as checking and changing your contractual terms.
I should mention that there is a chat function on the webinar, so if you have any questions, please do feel free to leave them in the chat, and we'll get back to you later with some answers.
So, let's start by looking at the new legal framework: what data protection laws will apply from the end of the transition period, from the first of January?
Now, this is going to depend on whether the UK is given what's called an adequacy decision by the EU.
By this, I mean that the EU has formally declared the UK's data protection laws adequate to protect the rights of EU citizens.
Now, the intention has always been that the EU would issue an adequacy decision during 2020. That's unfortunately now looking very unlikely.
You would have thought that, as all the UK is doing is transposing the GDPR into UK law, it would be very straightforward, but the EU has reservations about a number of other things.
Such as, for example, the UK's mass surveillance powers under its investigatory powers regime,
its membership of the Five Eyes intelligence sharing community, which means that theoretically EU citizens' data could pass, for example, to the US, and the fact that the laws of the UK and the EU can diverge after the transition period.
There's also been a recent decision of the EU courts,
known as La Quadrature du Net,
where the CJEU found that the national laws of the UK and a number of other EU countries, which require bulk communications data to be made available to the security agencies,
are contrary to fundamental rights. So, all those things are currently standing in the way of getting an adequacy decision, and, of course, the politics of it all.
So, I'm going to assume for today's talk that there is no adequacy decision. If and when there is, then life will become a whole lot simpler as far as data protection is concerned.
So, what's going to happen? First of all, from the first of January, the UK will adopt the GDPR as national law, and turn it into what is known as the UK GDPR.
This will include the parts of the Data Protection Act 2018 which extend the GDPR to aspects which aren't covered by the basic GDPR, such as processing for law enforcement purposes and some other public sector processing.
So the UK GDPR and the EU GDPR will coexist.
The withdrawal agreement, Article 71, creates a safety net for EU citizens. This provides that the data of non-UK citizens processed in the UK,
as at the last day of the transition period, must continue to be processed in the UK in accordance with the EU GDPR as it stands on that date.
So, as at 31st December, there'll be a kind of frozen version of the EU GDPR, which applies to EU citizens' data the UK is processing at that point.
The same will apply to the data of EU citizens who are resident in the UK, who benefit from the withdrawal agreement's citizens' rights provisions.
So the problem, therefore, for UK businesses which have any operations in the EU, which sell to customers in the EU, or monitor EU citizens' activities through their websites, is that they're potentially subject to three data protection regimes.
You've got the EU GDPR, which will apply, for example, if you target EU customers from the UK after the end of the transition period, or if you are established in the EU, in which case you have to comply with the EU GDPR. You'll have the withdrawal agreement version of the EU GDPR,
that's the sort of frozen version as at 31st December, which applies to personal data processed by UK businesses before the end of the transition period.
And we'll have, importantly, the new UK GDPR, a slightly expanded, UK-customised version of the GDPR, which will apply going forward for data processed in the UK, or where you are an international company targeting customers in the UK under the UK GDPR's extraterritoriality provisions.
So in some ways, this shouldn't make any difference, because, of course, the withdrawal agreement version of the GDPR, the UK GDPR and the EU GDPR should all be very similar at the end of the transition period, and so on the first of January there won't be much difference between them.
In reality, however, over time, it's very possible that the EU GDPR and the UK GDPR will diverge. For example, the withdrawal agreement allows the UK Supreme Court to depart from the retained case law of the EU up to the end of the transition period.
The government has given itself powers in the withdrawal agreement to allow other, lower UK courts to do this.
So there's bound to be eventually some divergence there, and, of course, also, the UK courts aren't obliged to follow ECJ decisions after the transition period.
So, the two sets of laws could diverge over time.
So, ideally, therefore, UK businesses should be arranging the processing of data so that they can, if necessary, distinguish between the various categories of data, in case they need to try to treat them differently under the UK GDPR in future.
So, this is something that businesses should be thinking about now.
If you target customers in the EU, and you've got non-UK data in your database, can your database be set up to differentiate, to tag the different categories of data?
And so, you should be getting that.
Of course, an adequacy decision will help simplify things.
Once the EU has said that the UK GDPR is adequate, businesses don't have to worry about applying different versions of the EU GDPR in the UK. So, the sooner we get an adequacy decision, the better.
Another aspect of not having an adequacy decision is the difficulties, or slightly increased difficulties, that will apply to cross-border data transfers.
Currently, transfers of personal data around the EU can be done freely.
But transfers from the EU to so-called third countries can only take place if appropriate safeguards are put in place.
These safeguards are there to ensure that the data is properly protected by contract in that local jurisdiction, and that EU citizens have suitable rights to redress if that data is processed.
Of course, from the end of the transition period, the UK becomes just another third country for GDPR purposes, so, until there's an adequacy decision, personal data can't be transferred from the EU to the UK without appropriate safeguards.
Normally, as I'm sure you know, this will be by the exporting company and the importing company putting EU standard contractual clauses in place between them.
Traditionally, this has been straightforward to do. First, get a copy of the clauses. You turn them into a contract, you fill in the blanks, and you sign the contract.
The Schrems II decision in the ECJ in July, however, has made this a little bit more complicated, and this now requires a bit more thought.
That decision, the Schrems II decision, as well as invalidating the Privacy Shield, which was one of the ways that EU companies could lawfully transfer data to the US,
also made it clear that if you want to rely on the standard contractual clauses, you need to make sure they are adequate to protect individuals' data under the laws of the particular country where you're sending that data.
So, for example, if it's a country like the US, then you need to consider supplementing the clauses to cover off any concerns.
Remember, you're not allowed to amend the standard contractual clauses, but you are allowed to supplement them.
So, you might add a clause, for example, requiring the importer to give you a warranty that it has never been subject to any governmental order to disclose data, and that it will tell you if it ever is, and allowing you to freeze any processing or transfers if that happens.
So that's the bad news: until and unless there's an adequacy decision for the UK, if you or your processors transfer data from the EEA to the UK, you need to put the standard contractual clauses, suitably supplemented, in place.
I should have mentioned, when I say the EEA, I mean the European Economic Area,
which means, as I'm sure you know, the EU plus Liechtenstein, Norway and Iceland.
So, that's the bad news. The good news is that this doesn't apply the other way around. So, if you transfer personal data from the UK to the EEA, then you can, because the UK government has already confirmed that it will treat the EEA as having adequate data protection rules.
It has, however, made it clear that it's going to keep that under review, and it can keep applying pressure on the EU to give the UK an adequacy decision
with the threat of the UK effectively withdrawing its adequacy decision.
Here's a summary on screen of the potential for free cross-border data flows post-transition. It's reasonably complicated.
The other thing I would remind you is that data being accessed via a computer outside the UK counts as a cross-border transfer of data, even if the data is still sitting on a server in the UK.
So I think "transfer" isn't actually probably the best word to use, because it includes data being accessed from outside the jurisdiction.
So far as the action points are concerned, the things that businesses should be doing now, I think, are reviewing their key international data flows and recording them in their Article 30 records of processing.
Try to prioritize them. In other words, look at your data flows and work out which are the most important in terms of volume or other key details, such as
special category data that's flowing, and tackle that first, clearly, because that'll be the most important. Start putting together some ready-to-use versions of your standard contractual clauses.
And don't forget, the standard contractual clauses will be needed for intra-group transfers from EEA companies to a company in the UK.
We're not just talking about unrelated businesses. Think about the kinds of situations you might have to consider, even if you're a ... UK-based business. So, for example, have you outsourced any services to an EU country? For example, your payroll,
your HR, your IT platform services, or whatever.
Do you use a cloud service provider in any country?
Are you a UK business managing staff in the EU, or are you an EU organization with staff in the UK?
In all these cases, there'll be cross border transfers of data taking place.
And so, you'll need to ensure that appropriate safeguards are in place, such as the standard contractual clauses, so that you cover your transfers of the data back from the EEA to the UK.
Remember, also, that the only approved standard contractual clauses which currently exist are for controllers to processors, or from controllers to another controller, not the other way round.
So if, for example, you're a UK controller sending data to be processed on your behalf by a service provider in Germany, say, then the German processor can't, as things currently stand, send your data back to the UK from 2021, because there are no applicable standard contractual clauses.
That was the case until very recently. Fortunately, however, the European Data Protection Board published very recently, on the 12th of November in fact, its long-awaited drafts of some brand new GDPR versions of the standard contractual clauses, which include, for the first time, clauses which can be used for processor-to-controller and processor-to-processor transfers.
So that's good news; that will fill the hole in the EU legislation.
Finally, if these new clauses are adopted by the EU before the 31st of December, then they'll automatically become part of the UK GDPR.
If not, the UK can adopt them later, by regulations under our Data Protection Act 2018.
In the meantime, you should check with your German processor and all your other EU processors how they plan to comply with the EU GDPR after transition, and you should be getting ready to put the new standard contractual clauses in place as soon as they are adopted.
They're currently out for consultation until the 10th of December.
Once they have been adopted, the previous standard contractual clauses, the ones we've come to know and love over the last few years, will be repealed, with a one-year transitional period for contracts entered into before the new clauses come into force.
So you can look forward to a major contract updating exercise, which we're all going to need to carry out over the next year or so to put these new standard clauses into our existing processor agreements.
Some other steps for you to take: you need to consider whether you're going to need to appoint an EU representative, because being based in the UK means you're no longer, post-transition, based in the EU.
So if you don't have any establishment or some sort of permanent base in the EU, but you offer goods and services to individuals in the EU or monitor them,
then, obviously, under Article 3(2) of the GDPR, the EU GDPR would apply to this processing.
Because you no longer have an EU base, you'll have to appoint an EU representative in an EU member state where you target customers. The appointment, in writing, is quite straightforward, and you notify it to the supervisory authority, for example if there's a data breach.
You don't need to appoint a representative, however, if your processing is only occasional or low risk
and it doesn't cover special category data, but it's something to bear in mind.
The other thing to think about is a consequence of the ICO ceasing to be a supervisory authority for GDPR purposes.
So if you trade in multiple EU countries, you need to work out which EU supervisory authority will be your lead supervisory authority in future.
Provided that you have a base in the EU, you can at least benefit from the EU's one-stop shop in terms of supervisory authorities under the EU GDPR.
If, however, you don't have a base in the EU but you do business there,
then you probably won't benefit any longer from the one-stop shop.
You'll need to think about what implications this will have.
For example, if there's a data breach and it affects the data of individuals in multiple jurisdictions,
then you may well need to make notifications to the ICO as well as to every one of those EU supervisory authorities where customer data has been affected. And obviously, this could be a serious exercise, so you need to ensure that your data breach notification processes are updated to take this into account,
so that you don't find yourself with 72 hours to work out what you're supposed to be doing if there's a data breach after the first of January.
Another thing to do is to review your privacy notice, which is bound to need updating so that it works with the new regime following transition.
So we need to adjust what it says about international data transfers.
Probably in many cases it still includes references to the Privacy Shield, which you'll need to get rid of, putting in the right wording about standard contractual clauses and how you use them.
If it refers to transfers outside the EEA, that will need to change, because now what's important is transfers out of the UK,
so you'll certainly need your privacy notice to cover that.
You'll obviously need to refer to the correct version of the GDPR and use the correct terminology.
You'll need to identify your EU representative if you're required to have one.
And again, if you have an establishment in the EU, you probably need to list the relevant supervisory authorities that apply.
The same with your contracts: you will need to look at the terminology and, if necessary, change references, for example, to Union law, or references to the GDPR.
You'll need to update that to refer to the correct version of the GDPR. Probably, the UK GDPR.
And if your contracts talk about requiring consent for transfers outside the EEA, again you'll need to change them to references to transfers outside the UK.
So, go through your contracts, look at the data processing and data protection clauses,
and decide whether any changes need to be made.
And one final thing: if you have staff who are responsible for data protection, you probably need to update their training so that they understand how the new regime works.
So, to sum up: until the UK receives an adequacy decision from the EU, the legal landscape is going to be potentially confusing,
with potentially diverging data protection laws.
So be prepared to avoid confusion.
Make sure you have your appropriate safeguards in place, your standard contractual clauses,
and are ready so that, from the first of January, you don't find cross-border data flows are disrupted.
Decide whether you need to appoint an EU representative.
If you need one, we're members of an organization called Privacy Rules,
a network of privacy lawyers and technology companies across the EU, so if you need one we can help you find one.
And, of course, remember to update your privacy notice, contracts and documentation.
So, that brings us to the end of this webinar. I hope you found it useful and relevant.
If there's something you would like further information on,
or if you have a specific enquiry about anything else, please do get in touch.
We'd, of course, be very happy to help.
There'll be a recording of this webinar on the on-demand page on our website,
under webinars and leadership talks. And also, a reminder that we do have our free legal helpline, which gives you direct access to a senior team of experts, who offer free legal guidance for a 20-minute telephone or video call.
As you can see, the details are on the screen, so please book a session now if you'd like.
And finally, a short survey will appear on your screen; we'd be very pleased if you give us your feedback because this helps us improve events in the future.
Thank you very much for joining.