UK-based transport operators with an international dimension should be mindful of the myriad of rules which may apply to their personal data processing from 1 January 2021.
Have you ever felt confused when standing in front of a tube map in a strange new city somewhere abroad, trying to figure out which line to take and from which platform, to get to your destination? For transport operators with an international reach, navigating the new rules on personal data processing may feel quite similar. May this piece be a helpful legend to your map on your journey to compliance.
You are here
From 1 January 2021, any business based in the UK is subject to the domestic data protection regime (with the UK Information Commissioner (ICO) remaining as the regulator). The EU GDPR no longer applies in the UK; instead, the UK GDPR incorporates into UK law the relevant body of EU legislation (including the EU GDPR) in place on exit day. The UK GDPR sits alongside an amended version of the Data Protection Act 2018. The new-old regime, therefore, should not give rise to surprises domestically.
Bon voyage or farewell?
The EU-UK Trade and Cooperation Agreement (TCA) agreed on 24 December 2020 provides for a number of data protection commitments and includes a creative bridging mechanism to address the absence of the UK's adequacy, allowing for a four-month interim period (with an automatic extension of two further months, if necessary) during which transfers of personal data from the EU to the UK are permitted without any additional safeguards.
Data flows from the UK to the EU, EEA and other jurisdictions with EU adequacy are authorised to continue until further review in 2024.
Is it therefore 'business as usual' in the short-term for transport operators? Not necessarily.
As it is difficult to gauge the odds of the UK obtaining EU adequacy, the ICO recommended in its statement of 28 December 2020 that, as a "sensible precaution", businesses which "work with EU and EEA organisations who transfer personal data to them" should utilise the interim period to "put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data".
Furthermore, the regulatory matrix gets a little more complicated due to the extraterritorial effect of the EU GDPR. Transport operators offering services to customers based in the EEA or monitoring their behaviour, operating in the EEA (as well as in the UK) or operators processing personal data of individuals based in the EEA which were obtained prior to 1 January 2021, may find themselves subject to both the EU and the UK GDPR regimes. Those transport operators may also be required to appoint representatives in the EU because of the application of the EU GDPR to those specific types of processing.
As well as stress-testing your business for the various data flow scenarios and putting in place appropriate processes, you should consider alternative safeguards whether or not an adequacy decision is reached (as this outcome is not guaranteed and is subject to the UK sticking to its side of the bargain with respect to certain temporary limitations on its powers to vary the domestic regime). While the 'bridging mechanism' buys some time for transport operators to review their practices and update policies and contracts, the ICO recommends that your contingency plan should be in place before the end of April. And at a time of uncertainty, planning for the alternative routes may just get you to your destination.
Dr Nathalie Moreno is a Commercial Partner at Addleshaw Goddard