Understanding and ensuring compliance with applicable data protection regimes is unavoidable. Data flows and data processing form an essential part of all travel businesses. Following the UK’s departure from the EU, we thought it would be helpful to summarise the current legal position and to answer some frequently asked questions…
Are there any changes to the GDPR?
The short answer is no. The European Union (Withdrawal) Act 2018 incorporated the GDPR into UK law from the end of the transition period. All UK organisations and EU organisations without an establishment in the UK will continue to be required to comply with the UK GDPR if their personal data processing operations involve offering goods or services to, or monitoring the behaviour of, individuals in the UK.
However, as a result of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (known as ‘the DP Brexit Regulations’), there is now also the EU GDPR. The EU GDPR applies to EU organisations and UK organisations without an EU establishment where their personal data processing operations involve offering goods or services to, or monitoring the behaviour of, individuals in the EU. There are thus two separate legal regimes. Whilst both regimes are presently aligned, post-Brexit the UK is now free to make changes to and diverge from the EU GDPR, and vice versa, so companies who offer goods or services to, or monitor the behaviour of, individuals in the UK and the EU will need to keep an eye on any future divergences.
What about Data Transfers?
For data flowing from the UK to the EU, the DP Brexit Regulations maintain the status quo. They deem transfers from the UK to all EEA countries (including EU Member States) and Gibraltar as adequate. They also recognise existing adequacy decisions of non-EU countries. As such, data transfers from the UK, which comply with the existing regime, can continue without change.
However, for data flowing from the EU to the UK, the UK is now a third country and so requires an Adequacy Decision in order to maintain the status quo and to allow data transfers from the EU which comply with the existing regime to continue unaffected. The European Commission have not yet issued an adequacy decision. Whilst you would expect the UK’s regime, by virtue of the UK GDPR being currently aligned to the EU GDPR, to be clearly ‘adequate’, aside from any political motivations there are some genuine concerns on the part of the EU about the UK. These include the UK’s use of mass surveillance techniques and the potential for unprotected onward data transfers: the UK is now free to grant adequacy decisions in respect of non-EEA countries independently from adequacy decisions by the EU, so it could deem a particular country to be adequate which the EU does not.
The Withdrawal Agreement and Political Declaration envisaged that the EU would give an adequacy ruling before 31st December 2020. However, this has not happened and, whilst we await this, the UK-EU Trade and Co-operation Agreement contains provisions allowing data to continue to flow freely from the EU to the UK without additional protections on a temporary basis – an effective extension to the time frame for an EU Adequacy Ruling. Initially this will last for four months, but it could be extended to six months. If an Adequacy Decision is not awarded to the UK, all UK businesses which receive data from the EU are likely to receive requests from third-party data controllers to update their contractual documentation via a variation/addendum.
Is there anything I should be doing now?
Ensuring that you understand where, how and from whom you collect all data which your business processes, where you store it, who you share it with and who may have access to it is key to ensuring that you will be able to quickly update and adapt to reflect any future changes/divergences or requests from third-party data suppliers.
For further information on this, contact our Commercial & Corporate Governance Team at email@example.com