Brexit, data transfers and the implications for digital health
Brexit is finally done and the UK is no longer bound to the EU. However, loose ends remain. One is the status of GDPR after the end of June. Read on to find out more.
So, Brexit is finally complete. The UK and EU have concluded their divorce and now it’s time to take stock and deal with the outcome. Unfortunately, there is still some unfinished business. One key remaining issue is the GDPR status of the UK after the transition period ends in June. Here, we look at the possible outcomes and how these might affect digital health companies.
The UK is now a 3rd country for GDPR
From the EU perspective, as of the end of 2020, the UK became a 3rd country. This has profound implications from the viewpoint of data protection and GDPR. Under GDPR, the default position is that no personal data can be transferred to such 3rd countries unless certain conditions are met. The GDPR includes a number of articles (Articles 44 to 49) setting out these conditions. Following the CJEU judgement on the EU-US Privacy Shield (Schrems II, July 2020), the EDPB (European Data Protection Board) has issued new guidance on what this actually means in practice. For instance, they made it clear that a “data transfer” is not limited to physically moving data: any form of processing or storage in the 3rd country counts, including remote access from that country to data held in the EU.
What does this mean in practical terms?
Right now, nothing is actually going to change. That’s because the EU-UK Trade and Cooperation Agreement includes an interim (“bridging”) arrangement under which, for now, the existing GDPR rules apply. In other words, you can continue to transfer data just as before. Technically, there is a difference between data that was transferred prior to 2021 (so-called “legacy data”, covered by the “frozen GDPR” provisions of the Withdrawal Agreement) and data transferred in the bridging period. This bridging period will expire at the latest on 30th June 2021.
The aim of this bridging period is to give time for the European Commission to grant the UK an “Adequacy Decision” as set out in Article 45. Adequacy decisions are granted where the Commission is satisfied that any data transferred to that country will be protected essentially as well as it would be within the EU. These decisions can be overturned (for instance, the Privacy Shield effectively granted an Adequacy Decision for certified US companies before it was invalidated by the CJEU in July 2020). The decision also has to be reviewed periodically by the Commission. Currently, there are only 12 countries with an adequacy decision.
Meanwhile, the ICO (the UK data protection authority) recommends you “put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data”. They recommend this happens before the end of the bridging period.
What if the UK doesn’t receive an adequacy decision by 30th June?
Clearly, everyone hopes that the UK will receive an Adequacy Decision. After all, as of right now, the UK GDPR is substantively identical to the EU GDPR. Furthermore, it is in the financial interests of both sides to maintain the ability to transfer data. However, there is no guarantee a decision will be made before the deadline. This means you may have to face the issue of treating the UK as a 3rd country for EU-to-UK transfers. So, what are the implications?
Other GDPR data transfer tools
The first thing you should know is that the GDPR does allow transfers to 3rd countries without an Adequacy Decision. However, you must use one of the “data transfer tools” described within the GDPR: the appropriate safeguards of Article 46 (most commonly the standard contractual clauses, or SCCs) and Article 47 (binding corporate rules, or BCRs), or, for occasional transfers only, one of the derogations in Article 49. These are shown in the infographic below. Note that since Schrems II, using one of these tools is not enough on its own: you are also expected to assess whether the law of the destination country undermines the protection the tool provides, and to add supplementary measures (such as encryption of data in transit and at rest with keys held only in the EU) where it does. Ultimately, you are responsible for making sure any data that is transferred is properly protected.
The GDPR extraterritorial effect after Brexit
Regardless of any adequacy decision, the UK is now a 3rd country under GDPR. This has its own implications.
EU representative or branch
Almost any digital health company based outside the EU that offers services to, or monitors, people in the EU will need an official EU presence (Article 27). The only exemption applies where all of the following are true: the processing is occasional, it does not involve large-scale processing of special categories of data (which includes health data), and it is unlikely to result in a risk to the rights and freedoms of individuals. Since health data is special-category data by definition, realistically this means any digital health company must have an EU presence.
This can be achieved in two different ways. The first is setting up a branch, office, or other establishment in the EU. This must be a genuine legal entity able to be held liable for your activities within the EU. Alternatively, it is sufficient to appoint an EU representative established in one of the EU member states where your users are located. The EU representative acts as the main contact point for the EU supervisory authorities and EU data subjects (a so-called “mail box” function), but this does not shift your own liability as controller or processor.
UK representative or branch
As a mirror-image consequence of Brexit, the UK has adopted the “UK GDPR”, and with it the concept of a UK representative. The rules and exemptions are closely aligned to the rules in the EU. So, almost any digital health organisation not established in the UK which processes UK personal data needs a UK branch or representative.
How will this affect digital health?
Clearly, this has the potential to impact any digital health company with users in both the UK and EU. Most companies will fall into one of three categories:
- An EU company with users in the UK.
- A UK company with users in the EU.
- A company from another country with users in either the UK or EU.
In all cases, you should consider putting in place additional technical and organisational measures for protecting any health data you process. Furthermore, you need to consider whether you need an EU or a UK representative, or both. Remember, health data is a special category of personal data under Article 9 of the GDPR. So, in most cases, you will also need a data protection impact assessment (DPIA).
Want to know how this affects you?
Brexit has caused significant problems for a lot of companies. But solving the data transfer problem is one of the trickiest, especially for companies operating in both the UK and EU. The above is just a general overview of the situation. To find out how you are affected, ask one of our in-house specialists to analyse your case in detail. Simply book a call using the button below.