The UK government has unveiled a series of amendments to the Privacy and Electronic Communications Regulations (PECR) to ensure that the UK's legal framework for data protection continues to function after the UK leaves the EU, including in a No Deal Brexit. Companies need to be attuned to these amendments, which take effect on Exit Day (at the time of writing, 31 October 2019), so that they do not fall foul of the data protection rules and risk potentially hefty fines.
What is the PECR?
Whilst the GDPR does not replace PECR, it does change the underlying definition of consent. PECR stipulates that you must not send marketing emails or texts to "individual subscribers" without consent, and that consent must now meet the GDPR standard to be valid: a freely given, specific, informed and unambiguous indication of the individual's wishes given by a clear affirmative action, such as ticking an opt-in box to receive such communications. Pre-ticked boxes, silence or inactivity do not qualify.
There is an exemption within PECR known as the Soft Opt-in, under which you do not require consent where all three of the following apply:
- You obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person;
- You are only marketing your own similar products and services; and
- You gave the person a simple means of refusing the marketing when you first collected the contact details, and in every message since.
What is the Scope of PECR?
The GDPR governs the personal data you use for email marketing, whilst PECR defines the permission you need before sending it. There is naturally much overlap between the two, as both aim to protect people's privacy, so compliance with one helps with compliance with the other; note, however, that PECR applies to the act of sending electronic marketing regardless of whether personal data is involved, so both regimes must be checked.
How is the UK Government Preparing?
To ensure that the UK legal framework for data protection functions correctly after the UK leaves the EU, the government is preparing a series of amendments. The first set, referred to here as PECR Amendments No 1, will come into effect on the day the UK leaves the EU and will:
- Extend the GDPR standards to certain data processing activities that currently fall outside the scope of EU law;
- Amend the provisions on international transfers of personal data and the references to EU institutions and member states so that they work in a UK-only context; and
- Formally amend the definition of consent in PECR so that it mirrors the GDPR definition.
What about US Transfers?
The Privacy Shield is a framework for regulating transatlantic exchanges of personal data for commercial purposes between the EU and the US. It enables certified US organisations to receive personal data from entities based in the EU, and protected by EU privacy laws, without a separate transfer mechanism.
The UK government has confirmed that the Privacy Shield will continue to be recognised as a valid basis for transfers from the UK to certified US organisations after Exit Day, and the US Department of Commerce has stated that participants must update their public Privacy Shield commitments to expressly cover personal data received from the UK. This provides some commercial and legal certainty for UK businesses in a No Deal scenario, and UK data subjects will continue to have access to the redress mechanisms afforded by the Privacy Shield.
How Should I Prepare my Organisation?
This section discusses the effects of Brexit for EU businesses after 31 October 2019.
EU businesses that intend to transfer personal data to the UK after Brexit's latest deadline of 31 October 2019 should document their decision to do so and notify data subjects of those arrangements, a European data protection watchdog has said.
This article sets out a five-step plan for organisations to ensure compliance with EU data protection law when accounting for a potential No Deal Brexit.
When transferring data to the UK, you should:
- Identify which of your processing activities will involve a transfer of personal data to the UK;
- Determine the appropriate data transfer instrument for your situation;
- Implement the chosen data transfer instrument so that it is in place by 31 October 2019;
- Record in your internal documentation (for example your records of processing activities) that transfers will be made to the UK; and
- Update your privacy notice accordingly to inform individuals.
Currently, personal data can flow freely to the UK because it is a member of the EU and subject to the General Data Protection Regulation (GDPR).
The GDPR places firm restrictions on the transfer of personal data outside the EEA. Businesses are prohibited from transferring personal data to non-EEA countries unless they can evidence one of a number of safeguards ensuring that EU data is adequately protected when processed in those "third countries". In a No Deal Brexit, the UK becomes a third country, so this will include personal data transferred to the UK.
Standard Contractual Clauses (SCCs)
Standard Contractual Clauses (SCCs) are "a ready-to-use instrument" that businesses planning data transfers can implement. The watchdog said SCCs were "likely to be relevant to most Irish businesses that transfer personal data to the UK" in a No Deal Brexit scenario.
SCCs, also known as model clauses, were developed by the European Commission for use in cross-border contracts. They create a contractual framework for how personal data should be handled when transferred outside of the EU to ‘third countries’.
The Commission has previously issued decisions endorsing the model clauses as providing adequate protection for personal data when used for transfers, as EU data protection law requires. Their use has therefore become widespread among international businesses, many of which rely on them to demonstrate compliance. Note that the clauses must be adopted without amendment to benefit from the Commission's decisions; see the point on tailored clauses below.
Other legal mechanisms for underpinning EU-UK data transfers post-Brexit may be more difficult to put in place given the time left before Brexit is scheduled to take effect.
While businesses planning data transfers can modify or add to the SCCs to "provide appropriate safeguards" particular to their own situation, such "tailored" clauses lose the benefit of the Commission's decisions and must be authorised by the organisation's local data protection authority before they can be relied on.
Binding Corporate Rules (BCRs)
Similarly, binding corporate rules (BCRs), which corporate groups can adopt to underpin intra-group data transfers outside the EEA, need approval from the relevant national DPA, a process that typically takes many months.
Some of the other tools for underpinning data transfers, provided for in the GDPR, are not available to use yet.
Under the GDPR it is open to industry bodies to develop codes of conduct, or to establish certification schemes, that set "binding and enforceable" standards on data transfers and allow organisations that sign up to the code or certify against the scheme to demonstrate compliance with the Regulation's transfer requirements. However, to date no such codes or certification mechanisms have been approved for data transfers.
Derogations from the GDPR's main rules on data transfers also exist (Article 49). EU businesses may be able to rely on them as a basis for transferring personal data to the UK in the event of a No Deal Brexit. However, the derogations "must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive", so they are not a substitute for a standing transfer mechanism.
One of the listed derogations is where a business obtains the explicit consent of the data subject to the transfer, having explained the possible risks of the arrangement. Others include where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject; where it is necessary for important reasons of public interest; where it is necessary to protect the vital interests of individuals and the data subject is physically or legally incapable of giving consent; and where it is necessary for the establishment, exercise or defence of legal claims.
Where none of the listed derogations applies, a transfer that is not repetitive, concerns only a limited number of data subjects and is limited in volume may still be permitted where it is necessary "for the purposes of compelling legitimate interests" pursued by the business, provided those interests are not overridden by the interests or rights and freedoms of the data subject and "suitable safeguards" are in place. In that case the controller must inform its supervisory authority of the transfer and must also inform the data subject.
The issue also arises for processor transfers: the GDPR's requirements on international transfers are not limited to those made by a controller. As data protection law experts have noted, "processors also are subject to the strict international transfer requirements."
EU / US Privacy Shield
The UK government has said that, in a No Deal Brexit scenario, it will recognise all EEA states as adequate, so data flows from the UK to the EU will not be disrupted. For data transferred from the UK to the USA, the UK government will continue to recognise the EU/US Privacy Shield, provided the receiving organisation has updated its Privacy Shield commitments to cover UK data.
The UK is due to cease to be part of the European Union on 31 October 2019 unless a further extension is agreed. One implication of this is that UK businesses which hold, obtain or use data about individuals in the EU after that date will most likely have to formally appoint an "EU representative" established within the EU for data protection purposes (GDPR Article 27).
The representative is not intended to be a box-ticking appointment. It acts as the go-between and single point of contact for all data protection matters, whether with individuals or with data protection authorities, and must maintain the organisation's records of processing activities (ROPA) for the data it processes about individuals in the EU. The representative can be a company or an individual, and its identity and contact details must be given in the privacy information the organisation makes available to individuals in the EU.
If your business is required to appoint a representative and does not, action by a European data protection regulator could interrupt your business or result in legal action being taken against you.
Which businesses must appoint a representative?
Any non-EU business or organisation which systematically offers goods or services to individuals in the EU, or monitors their behaviour, after Brexit is likely to remain subject to the General Data Protection Regulation ("GDPR") and will likely be required to appoint an EU representative.
Technically, under GDPR Article 3(2), non-EU organisations are subject to the Regulation if they process personal data of individuals who are in the EU in connection with offering "goods or services" to them (including free services) or with "monitoring their behaviour" within the EU. The test turns on where the individuals are, not on their citizenship.
A representative is not required if the organisation already has an "establishment" within the EU (meaning it is already subject to EU law directly) or if it falls within the limited exemptions in Article 27(2): processing that is occasional, does not include large-scale processing of special categories of data or criminal conviction data, and is unlikely to result in a risk to individuals' rights and freedoms; or processing by a public authority or body.
What constitutes "offering goods or services"?
The business or organisation must "envisage" providing goods or services to individuals in the EU. The mere fact that individuals in the EU can access a website, or that it identifies the provider's contact details, is not enough on its own to bring an organisation within the GDPR; evidence that individuals in the EU are intended to be able to obtain the goods or services, such as using an EU language or currency, offering delivery to EU member states, or referring to EU customers, is likely to be enough.
What is implied by the term "monitoring their behaviour"?
Not every online collection or analysis of personal data amounts to "monitoring"; the organisation's purpose in collecting the data matters, and occasional contacts with persons in the EU will not qualify. However, any focused or deliberate tracking or profiling of individuals in the EU, including behavioural advertising or marketing, tracking via cookies or device fingerprinting, geolocation for marketing purposes, conducting surveys, or carrying out statistical analysis of personal data, whether for the organisation's own purposes or for another's, is likely to amount to "monitoring".
What actions should I take to prepare?
Organisations which process the personal data of individuals in the EU need to determine whether they will be subject to the GDPR after Brexit as a result of offering goods or services or monitoring behaviour and, if so, whether any of the exemptions in Article 27 allow them to avoid appointing a representative.
If a representative is required, it must be appointed by the Brexit date and must be able to fulfil its functions, including having access to all necessary records, from that date.
Preparing in advance of 31 October 2019 will ensure that your organisation remains compliant.