January 2021 - Data Protection post Brexit

Brexit has meant that the EU General Data Protection Regulation (‘GDPR’) no longer applies in the UK. It has been replaced with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which is being referred to as the ‘UK GDPR’. The main change is that references to EU institutions and EU legislation have been removed; the main rules around data protection remain unchanged. There is, however, one key issue that may affect ITC members who work in the EU or with EU nationals/organisations: the transfer of personal data to and from EU countries will become a little more complicated.

It has long been the case that data can only be transferred to other countries that offer “adequate protection”, i.e. have data protection legislation at least as rigorous as the country of origin. This was taken as a given within the European Economic Area (the EU plus Norway, Iceland and Liechtenstein), so data transfer was not restricted (as long as the processing met all the rest of the GDPR requirements, of course). Transfers to other countries were also unrestricted where an ‘adequacy’ decision had been made. That meant that the recipient country had been judged to have a data protection regime that would provide at least the same level of protection to personal data as there was in the sending country.

The EU has made full adequacy decisions for Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. In addition, adequacy decisions have been made for Canada (in respect of transfers to commercial organisations only) and Japan (for transfers to non-governmental organisations only). The UK has adopted all these adequacy decisions made by the EU so far, with the addition of Gibraltar, and including all the EEA countries. This means that transfers from the UK to the EU and these other countries are unrestricted. However, the EU has yet to make an adequacy decision in respect of the UK, which means that transfers of data from the EU to the UK may be less straightforward.

Where no adequacy decision exists, the usual way of protecting personal data that is transferred abroad is through Standard Contractual Clauses (“SCCs”) as part of the agreement between the sender and the recipient of the data. An example of such a clause can be found on the ICO website.

In the absence of an adequacy decision, and where an SCC is not possible and/or appropriate, international data transfers must be made with the data subject’s informed consent or be necessary:
• For the performance of a contract between the data subject and the controller;
• For the conclusion or performance of a contract in the interest of the data subject;
• For important reasons of public interest;
• In connection with legal claims;
• To protect the vital interests of the data subject or others, where the subject is incapable of giving consent; or
• For a transfer from a public register.

And if none of those situations applies, you are able to make transfers that:
• Are not repetitive;
• Concern only a limited number of data subjects; [and]
• Are necessary for [the data controller’s] compelling legitimate interests, which are not overridden by the interests, rights and freedoms of the data subject.

These issues are likely to matter when you are working with people from EEA countries since this often involves exchange of personal data such as addresses, tax details, bank details or similar. There may also be issues related to holding personal data on cloud providers, which means the data may be hosted or backed up overseas. Cloud providers are likely to have generic SCCs that they use for all their clients for data transfer where there is not an adequacy decision.

Where you are dealing with individuals abroad, the key issue is not the nationality or location of the individuals but the location of their data. In cases where the data has been sent to you by the individual themselves – for example, if a performer sends you their tax codes or contact details – there are unlikely to be any significant implications. If the data has been obtained by an organisation abroad, however, e.g. a partner theatre company you are working with, it may well be important to have SCCs in your contract with that organisation.

If your normal operations involve regular transfers between the UK and other countries, you should review these to ensure that you are clear about the basis on which they take place. If they are only occasional you should still have a procedure for checking that you have a sound basis for these transfers. And any data about people in the EU that you obtained before 1 January 2021 (“legacy data”) must continue to receive an EU GDPR level of protection.

Finally, check that any reference to overseas transfer of data in your privacy policy now explains how you will make transfers to EU countries, as well as explaining your process for transfers outside the EU.

