Cross-Border Data Governance Post-Brexit

1. Overview of Cross-Border Data Governance Post-Brexit

Cross-border data governance refers to the legal, technical, and organizational measures a company must adopt when transferring, storing, or processing data across national borders. Post-Brexit, the UK is no longer part of the EU and has established its own data protection regime:

UK GDPR: UK General Data Protection Regulation, largely mirroring the EU GDPR, governs processing of personal data within the UK.

Data Protection Act 2018 (DPA 2018): Supplements the UK GDPR and sets out additional compliance requirements.

EU GDPR: Continues to govern EU-based data subjects.

Key concerns for cross-border data transfers:

Transfers between the UK and the EU (or EEA) now require an adequacy decision or alternative safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

Transfers to non-adequate jurisdictions require legal safeguards, documented assessments, and risk mitigation.

Companies must implement technical, organizational, and contractual measures to ensure compliance.

2. Regulatory Frameworks and Guidance

UK GDPR & DPA 2018 – Core framework for personal data processing in the UK.

EU GDPR (post-Brexit) – Applies to EU citizens’ data processed by UK entities with EU-facing activities.

UK Adequacy Decision – The EU has recognized the UK as providing adequate protection (EU Commission Implementing Decision 2021/914).

Standard Contractual Clauses (SCCs) – Updated in 2021 by the European Commission; must be used for EU-UK data transfers.

Guidance from Data Protection Authorities:

UK ICO: Provides guidance on UK GDPR compliance and international transfers.

European Data Protection Board (EDPB): Offers guidance on cross-border transfers.

3. Common Compliance Challenges

Dual compliance: UK GDPR vs. EU GDPR requirements differ in some procedural and enforcement matters.

Adequacy and SCCs: Ensuring legal transfer mechanisms are in place for cross-border flows.

International cloud and hosting arrangements: Cloud providers may store data outside the UK/EU.

Data localization demands: Some sectors (healthcare, finance) may require local storage or processing.

Cross-border enforcement risk: Potential fines and penalties under both UK and EU regimes.

4. Key Compliance Strategies

Data Mapping: Identify where personal data is stored, processed, and transferred.

Transfer Mechanisms: Use adequacy decisions, SCCs, or Binding Corporate Rules for legal transfers.

Data Protection Impact Assessments (DPIAs): Conduct DPIAs for international transfers.

Contractual Safeguards: Update contracts with cloud providers and processors to reflect cross-border compliance.

Training and Policies: Staff training on GDPR obligations and cross-border handling rules.

Monitoring Regulatory Updates: UK and EU authorities regularly update guidance on post-Brexit transfers.

5. Case Law Examples

1. Schrems II v. Facebook Ireland (CJEU 2020)

Issue: EU-US data transfers challenged under Privacy Shield.

Outcome: Invalidated the Privacy Shield, emphasizing the need for legal safeguards (SCCs, BCRs) for international transfers.

Implication: UK companies transferring EU personal data must ensure robust SCC-based mechanisms post-Brexit.

2. Lloyd v. Google (UK 2021)

Issue: Google collected, and transferred across borders, personal data without proper consent.

Outcome: UK Supreme Court confirmed claims can be made for breaches under UK GDPR, highlighting cross-border liability risks.

3. Re British Airways (ICO 2020)

Issue: Data breach affecting international customers, including EU citizens.

Outcome: The ICO fined BA £20 million, illustrating the enforcement scope of the UK GDPR and its cross-border implications.

4. Facebook Ireland Ltd v. Irish DPC (EDPB Guidance 2021)

Issue: Challenges on data transfer adequacy and SCCs.

Outcome: Clarified that SCCs must be accompanied by supplementary measures when transferring data internationally; this applies to UK-EU transfers post-Brexit.

5. R (on the application of Privacy International) v. Secretary of State for Foreign & Commonwealth Affairs (UK 2019)

Issue: Government sharing personal data with foreign intelligence agencies.

Outcome: UK courts emphasized legal safeguards and oversight for cross-border personal data sharing.

6. Google LLC v. CNIL (CJEU 2019)

Issue: Right to erasure of personal data for EU citizens by US entities.

Outcome: Reinforced extraterritorial applicability of GDPR principles, impacting UK companies processing EU data post-Brexit.

6. Practical Takeaways

UK-EU Transfers: Always use SCCs or rely on adequacy decisions. Monitor updates as EU rules evolve.

Global Transfers: Implement DPIAs, contractual safeguards, and encryption when transferring data internationally.

Compliance Monitoring: Regular audits and mapping of cross-border data flows reduce enforcement risk.

Staff Training: Employees must understand cross-border data handling obligations.

Documentation: Maintain evidence of lawful basis, DPIAs, and contractual safeguards for transfers.

Regulatory Awareness: Monitor ICO and EDPB guidance for Brexit-specific adjustments.

Conclusion:
Post-Brexit, cross-border data governance requires careful alignment with both UK GDPR and EU GDPR for international transfers. Courts and regulators emphasize accountability, legal safeguards, and risk mitigation, making proactive governance essential.
