Data Protection and Data Transfers after Brexit – myPOS’ readiness
Product News Tips / 05.06.2020
Believe it or not, Brexit is now a fact and the United Kingdom entered a transition period. What is the meaning of this period for the data protection and data transfers between EEA and the UK?
You may wonder how Brexit is going to affect the myPOS customers, since the financial institution in the corporate family (myPOS Europe) is located in London, UK.
According to the British Data Protection Supervisory Authority – ICO – during this period, which runs until the end of December 2020, it will be business as usual for data protection.
This means that for myPOS Europe Ltd (based in London, UK) the GDPR will continue to apply. During the transition period, companies and organisations that offer goods or services to people in the EU do not need to appoint a European representative.
In short, our companies will continue operating as usual and the data transfers will be conducted without any additional GDPR guarantees, applicable to transfers of data from the EU to third countries.
Under the terms of the European Union (Withdrawal Agreement) Act 2020, UK will negotiate its future relationship with the European Union until 31 Dec 2020 – although it is still possible for this deadline to be extended.
No trade deal of this size and complexity has ever been agreed between the EU and a third country in such a short time, so the risk of the UK’s trade relationship with the EU defaulting to WTO (World Trade Organization) terms – effectively a no-deal Brexit – still exists.
While the future of the relationship between the UK and Europe is uncertain yet, we would like to ensure our customers that we are ready to protect their data and to maintain the security of their accounts.
Which is the applicable data protection law in the UK before 31 December 2020?
UK organisations that process personal data are currently bound by two laws: the EU GDPR and the UK DPA (Data Protection Act) 2018.
Both laws continue to apply until the end of the transition period.
Therefore, we can ensure you that myPOS Europe Ltd will maintain the same level of data protection, as it will comply fully with the above legislations during the transition period.
Data protection law after 31 December 2020: will the GDPR apply in the UK after Brexit?
Even though EU GDPR will no longer apply directly in the UK at the end of the transition period (31 December 2020), UK organization will still need to comply with it. Why is this?
First of all, the GDPR’s requirements are already “incorporated” in the UK law – mainly in the Data Protection Act 2018.
Furthermore, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – which amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit.
This new regime will be known as ‘the UK GDPR’.
There is very little material difference between the EU GDPR and the proposed UK GDPR, so when processing personal data myPOS Europe Ltd will continue to comply with the requirements of the EU GDPR.
International data transfers after Brexit: how they will be conducted?
According to the official statements, the fact that UK is no longer an EU member state, but a ‘third country’ will not make any difference to myPOS Europe and the rest of UK organizations. The data transfers will go on as usual.
However, it is not certain yet how the UK is going to negotiate its further relationship with EU.
In order to present a few possible scenarios for the continuation of the data transfers, we should explain how the data transfer to third countries take place under the requirements of GDPR.
In the following cases the transfer of personal data from the EEA to third countries and international organisations (and onward) is permitted:
- If the European Commission has issued an adequacy decision, stating that there is an adequate level of data protection.
- If appropriate safeguards are in places, such as BCRs (binding corporate rules) or SCCs (standard contractual clauses).
- On the basis of approved codes of conduct, such as the EU-US Privacy Shield. (No such code has been agreed for transfers from the EEA to the UK yet.)
After the transition period, the status of UK as a third country will matter and one of the above circumstances should apply. If myPOS desires to continue the data transfers between its UK-bases entities and EEA-based organizations, it needs to rely on one of the GDPR guarantees.
Most organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative, under Article 27 of the EU GDPR.
Data Transfers, justified by аdequacy decisions
The best scenario for the companies will be if European Commission issues an adequacy decision for UK.
The GDPR’s requirements are implemented in UK domestic law to such extend, that we have every right to hope that the Commission will adopt an adequacy decision.
However, it’s a little bit optimistic to hope that the issuing of such decision will be completed within the transition period – the process of negotiating and striking such a deal sometimes takes over two years. Currently, there are 13 decisions issues: with Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the US (for companies certified under the EU-US Privacy Shield).
Of course, myPOS is prepared for every outcome and if the adequacy decision is not adopted in the transition period, it will rely on other guarantees.
Binding corporate rules and standard contractual clauses
If an adequacy decision is not reached by 31 December 2020, organisations in the UK that process EU residents’ personal data will have to rely on other safeguards, such as BCRs or SCCs.
BCRs are legally binding and enforceable internal rules and policies for data transfers within multinational group companies and work in a way somewhat similar to an internal code of conduct. They allow multinational companies (such as myPOS) to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection for personal data as required under the GDPR.
Controller BCRs are suitable for data transfers from controllers established in the EU to other group company controllers or to processors established outside the EU. They apply to entities within the same group acting as controllers and to entities acting as ‘internal’ processors.
It is important to note that, after the UK leaves the EU, the ICO (Information Commissioner’s Office) will no longer be a supervisory authority under the EU GDPR, and will not be able to approve BCRs for transfers of personal data from the EEA to the UK.
Such BCRs will, therefore, need to be approved by a supervisory authority within the EU 27.
The European Commission can decide that standard contractual clauses offer sufficient safeguards on data protection for the data to be transferred internationally.
It has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or European Economic Area (EEA).
It has also issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA. myPOS is ready to implement these two safeguards (BCR and SCC) in case the adequacy decision is not reached within the transition period.