Brexit implications for data protection
The UK officially left the EU on 31 January 2020, and we are now in a “transition period” until 31 December 2020. During the transition period, personal data may continue to flow freely between the EU and the UK in accordance with the GDPR, but negotiations are taking place to determine what the future relationship may look like and to agree on new rules and arrangements including those regarding data protection.
Assuming there is no extension to the transition period, any new rules and arrangements will come into effect on 1 January 2021. Subject to the outcome of negotiations, the default position is the same as for a “no deal” Brexit scenario. This document seeks to explain some of the implications that this default position may have on the processing of personal data by Aon.
This is not a contractual document, and it does not create any rights or obligations on any party. The information contained in this document does not constitute legal advice and clients should seek their own counsel and guidance concerning Brexit.
1. Scope and applicability
1.1 This document applies to services provided by Aon’s UK businesses. The approach taken by other Aon businesses to prepare for Brexit may differ from that described in this document. Throughout this document Aon UK businesses may be referred to as “we”, “us”, “our” or “Aon”.
2.1 The General Data Protection Regulation (the “GDPR”) is an EU regulation that came into force on 25 May 2018 and governs the collection and use of personal data across EU member states. Under the GDPR, organisations are only permitted to transfer personal data outside of the European Economic Area (the “EEA”) if the “third country” to which the personal data are transferred is deemed by the European Commission (the “EC”) to provide adequate protection for the rights and freedoms of individuals, or the transfer is subject to one of the safeguards or derogations set out in the GDPR. There are no restrictions on the transfer of personal data within the EEA.
2.2 The UK has transposed the GDPR into national law in the form of the UK Data Protection Act 2018 (the “UK Act”) and together the GDPR and the UK Act provide a comprehensive data protection framework for the UK, which is substantively aligned with the EU regime.
2.3 If, following the end of the transition period, the UK and EU governments have established new rules and arrangements regarding data protection, in particular rules around cross-border data transfers (i.e. the EC makes an adequacy decision in respect of the UK as a third country), there are unlikely to be material implications for businesses with regard to the ongoing collection and use of personal data, particularly the ongoing free-flow of personal data between the UK and EU.
2.4 However, in the event the UK and EU governments do not agree on new rules or arrangements regarding data protection, the legal framework governing the transfer of personal data between the UK and EU will change following the end of the transition period. For instance, if the EC has not made an adequacy decision in respect of the UK in these circumstances, this may inhibit the free flow of personal data between the UK and EU and require alternative data transfer mechanisms to be implemented.
2.5 It is important to note that although the UK government has made clear its intentions to pursue an adequacy finding, the EC has made clear its preference to wait until the UK becomes a third country before entering a dialogue about this. To the extent any such discussions were scheduled, these may also be delayed in view of the current global health pandemic.
3. Implications of the default no deal scenario following the transition period
3.1 The UK government has made clear that at the point of exit businesses may continue to send personal data collected in the UK to the EU due to the substantive alignment between the UK and EU data protection regimes. In essence, the UK will continue to allow personal data to be transferred to the EU without restriction, although this will be kept under review.
3.2 Following the UK’s exit from the EU it becomes a “third country” and in the absence of specific rules and agreements regarding data protection, the GDPR restrictions on transferring personal data from the EU to third countries will apply in the context of any transfers made to the UK. In essence, such transfers will be prohibited unless the transfer is subject to one of the safeguards or derogations set out in the GDPR.
3.3 In the vast majority of cases businesses will rely on EC approved standard contractual clauses (“SCCs”) to provide a legal framework to transfer personal data from the EU to the UK in this context. SCCs comprise clauses which have been approved by the EC and permit personal data to be transferred from the EU to the UK when embedded in a contract between the (EU) data exporter and the (non-EU) data importer (i.e. the disclosing and receiving parties). SCCs impose obligations on each party to respect the rights conferred to individuals (under the GDPR) who are the subject of the personal data transferred.
3.4 In addition to those matters above regarding the transfers of personal data, following the transition period, Aon UK will be required to designate in writing an EU representative for GDPR purposes, since the UK is still subject to the GDPR by virtue of its extra-territorial effect. The EU representative must be mandated by Aon UK to be addressed in addition to or in place of Aon UK, in particular by supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with the GDPR. In parallel, non-UK Aon entities that are caught by the extra-territorial effect of the UK Act will need to appoint a UK representative.
3.5 Following the end of the transition period, the UK Information Commissioner’s Office (“ICO”) will no longer be competent to act as Aon’s lead supervisory authority for GDPR purposes. As Aon will continue to do business in the UK, the ICO will remain a relevant data protection authority. However, for the purposes of compliance with the GDPR across the remaining EU Member States, Aon is considering the designation of an alternative lead supervisory authority.
4. What practical steps are we taking to prepare for Brexit
4.1 Aon provides services to EU based clients, and engages with EU based suppliers, which involves the collection and use of personal data. We are therefore actively preparing for the default no deal Brexit scenario to ensure we can continue to rely on our EU based suppliers and service our EU based clients after the end of the transition period.
4.2 Firstly, we have implemented a comprehensive intra-group data sharing agreement which incorporates SCCs to ensure personal data can be shared within Aon and continue to be shared between our UK and EU businesses following the UK’s departure from the EU.
4.3 Secondly, we have determined scenarios that may exist where transfers of personal data between Aon and EU based clients and suppliers may constitute a “restricted transfer” on exit date. To address scenarios where restricted transfers exist, we have reviewed the GDPR related terms contained in our agreements to ascertain whether SCCs are automatically incorporated, or whether rights exist to amend the contracts to include SCCs, and are facilitating contractual updates where required.
4.4 Thirdly, we are considering whether it is necessary to nominate EU and/or UK representatives and considering the designation of a lead supervisory authority following the UK’s departure from the EU.
4.5 Finally, we are continuing to monitor developments closely as part of our preparations to determine what additional steps may be required to ensure we can continue to provide services to our EU clients.
5. Further information
If you require further information about the approach we are taking to prepare for Brexit please contact your nominated Aon point of contact in the first instance.