With the Brexit deadline of 1 January 2021 approaching, the moment when the UK and the EU will have their own privacy regimes is drawing near. While both regimes will likely continue to be aligned (at least initially), they will still be separate regimes. One area where this will be felt is in respect of Binding Corporate Rules (BCRs), with the UK already introducing its own approval procedure. This is important both for newly filed BCRs and for BCRs previously approved by the EU.
After 1 January 2021, the processing of personal information in the European Economic Area (EEA) will continue to be governed by the EU General Data Protection Regulation (GDPR), while the UK will transpose the GDPR into local law (“UKDPR”). The UKDPR will continue to allow international data transfers only if the country of destination is considered to provide an adequate level of protection (an “Adequate Country”) and to require a transfer mechanism in respect of non-Adequate Countries. The UKDPR recognizes and provides for the use of BCRs, similar to the EU. And although the requirements on BCRs (at least for now) are aligned with those applied by EU authorities, we are already seeing that companies wanting to use their BCRs in respect of transfers out of the UK will need to comply with specific requirements. It will not be sufficient to simply take the EU-approved BCRs as they are.
UK to Non-Adequate Country Data Transfers
The UKDPR recognizes the same transfer mechanisms as the GDPR, including BCRs. Previously, companies with BCRs approved by the EU could use these BCRs also for their transfers out of the UK. However, with Brexit and under the UKDPR, the UK will have its own requirements and its own approval regime. While the instrument of BCRs continues to be recognized, companies will have to create a standalone version of the BCRs for the UK (“UK BCRs”) and file these with the ICO.
According to the ICO's guidance on this topic, there are a number of scenarios to be distinguished.
Existing BCRs – Approved Pre-GDPR and Authorized by the ICO
There are 33 companies whose BCRs the ICO already authorized before 25 May 2018. All of these BCRs are automatically eligible for UK BCRs. In order to make the transition to UK BCRs, the company simply needs to create a standalone version of its EEA BCRs, revise them in accordance with the ICO's Transition Table and publish the resulting UK BCRs by 1 January 2021. The UK BCRs must then be provided to the ICO on or before the due date of the next annual update.
After 1 January 2021, the ICO will contact each of these 33 companies to confirm the status of their UK BCRs. If the EEA BCRs are not transitioned into UK BCRs, the ICO may revoke the UK BCR authorization.
Existing BCRs – Approved Pre-GDPR but Not Authorized by the ICO
Companies that have BCRs that were approved before 25 May 2018, but that were not yet authorized by the ICO, are also automatically eligible for UK BCRs, but additional steps will be required. In addition to creating the standalone UK BCRs as per the ICO's Transition Table (see above), the company should also:
1. Have its UK entity notify the ICO that the company has EEA BCRs and now wishes to create UK BCRs;
2. Provide the name and contact details of the Data Protection Officer or other relevant contact to the ICO; and
3. Provide any additional information as reasonably required by the ICO.
To use this option, companies must submit their UK BCRs as soon as possible and in any event before 30 June 2021.
Existing and Future BCRs – Approved Post-GDPR
BCRs that were approved by the EU after 25 May 2018 or will be approved going forward are not subject to the automatic eligibility procedures described above. Companies that have such BCRs should contact the ICO as soon as possible. It is not clear whether the UK will continue to recognize EU-approved BCRs and only require UK BCRs to comply with the ICO's Transition Table, or whether the UK will conduct a full review of UK BCRs independently of any EU approval.
EEA to UK Data Transfers and Vice Versa
With the Brexit deadline closing in without a deal between the EU and the UK, it seems more and more likely that data transfers from the EU to the UK will require a separate transfer mechanism. Companies with EU-approved BCRs can rely on these for their transfers to the UK. Alternatively, companies can use Standard Contractual Clauses or one of the derogations (such as consent or contractual necessity).
In respect of transfers from the UK to the EU, the ICO has already confirmed that, as of 1 January 2021, such transfers can continue to take place without further requirements (even if a Brexit deal is not reached).
© Morrison & Foerster LLP. All rights reserved