December 31, 2020 was the final day of the Brexit transition period that commenced on January 1, 2020 during which Britain ceased to be in the European Union but continued to be subject to EU law. As of January 1, 2021 European law no longer applies to Britain for the first time since 1973. The European Union (Withdrawal) Act 2018 provides for the adoption into UK law of all EU legislation in effect as of December 31, 2020. However, from now on, the UK will be free to interpret, amend, repeal and replace these laws as it deems fit without having to answer to the EU.
The GDPR and Brexit
For Israeli businesses that undertake certain activities with the personal data of individuals based in the European Economic Area (EEA), being the EU plus Iceland, Liechtenstein and Norway, the EU’s General Data Protection Regulation, or GDPR, which came into effect in 2018, is relevant because it contains provisions under which it applies to non-EEA based businesses in certain circumstances. In short, the GDPR regulates what may be done with the personal data of individuals located in the EEA, including the collection and transfer of the personal data to locations outside the EEA.
Now Israeli businesses need to take a look at how the UK’s withdrawal from the EU will impact on their GDPR compliance and what regulatory framework will apply to the use of personal data of UK based individuals.
UK GDPR
As stated above, by the European Union (Withdrawal) Act, the UK adopted the GDPR, but with some relatively small changes. The version of the GDPR now in effect in the UK is known as the UK GDPR. Most of the provisions of the UK GDPR reflect the provisions of the GDPR, but solely with respect to the UK. So for example, Article 3 of the GDPR provides that the GDPR will apply to the control and processing of personal data by a permanent establishment located within the EEA, whereas the UK GDPR will apply to the control and processing of personal data by a permanent establishment within the UK. With respect to extra-territorial scope, the UK GDPR applies to any control or processing of personal data not in the UK where the processing relates to the offering of goods or services to individuals located in the UK or to the monitoring of the behaviour of individuals located in the UK, which mirrors the original GDPR extra-territorial provision, except referencing the UK rather than the EEA.
What changes post Brexit?
Personal Data Transfers from the EEA to the UK
Any Israeli business whose activities are subject to the GDPR and that wishes to transfer personal data of EEA based individuals to the UK will need to take into account that, as the UK is no longer in the EEA, such transfers will be subject to the same GDPR restrictions that apply when transferring personal data from the EEA to any other non-EEA country. Transfers of personal data relating to EEA based individuals may be made to non-EEA countries in respect of which the EU Commission has made an adequacy decision, meaning that the EU considers that country’s data privacy laws to be sufficiently protective of personal data so as not to create any concerns for the affected EEA individuals. Where an adequacy decision is not in place for a non-EEA country, a transfer may only be made where certain other safeguards set out in the GDPR have been taken.
It had been hoped that an EU Commission adequacy decision concerning Britain would have been in place by December 31, 2020, but that has not happened. In the trade agreement reached between the EU and the UK on December 24, 2020 the EU and Britain agreed to a 4 month extension in which EU to UK transfers may still be made without the need for other GDPR safeguards. This grace period may be extended to 6 months in total and it is hoped that within this time, the EU will grant to the UK an adequacy decision. However, the EU does have some concerns relating to certain differences between the GDPR and UK GDPR, particularly relating to rights that the UK Government has to access and process personal data in connection with matters of national security. There is therefore no guarantee that the EU will provide an adequacy decision for the UK.
Therefore, Israeli companies that transfer personal data of EEA based individuals to the UK must keep an eye on developments, particularly over the next 4-6 months, and react accordingly. It will be wise to take steps sooner rather than later to put in place suitable GDPR safeguards in case no adequacy decision is granted by the end of the extension period. For many businesses, the most relevant and possibly only available safeguard will be to enter into an agreement with the intended transferees that contains standard clauses approved by the EU that cover personal data protection.
Personal Data Transfers from the UK to other Destinations
If an Israeli business needs to transfer personal data of UK individuals to another destination, it must now determine whether that transfer is permitted according to the UK GDPR. Currently, the UK GDPR’s provisions reflect the GDPR’s on international transfers, meaning that there must either be an adequacy decision in place from the UK Government concerning the destination country or at least one of the other safeguards must be used. As of January 1, 2021, the UK has in place adequacy decisions that cover all members of the EEA and reflect the EU’s adequacy decisions for other destinations as of December 31, 2020. Going forward, future adequacy decisions of the UK will not be tied to the decisions of the EU.
Businesses that were transferring UK personal data to other destinations under agreements with the EU approved standard clauses prior to January 1, 2021 may continue to use the same clauses for transfers from January 1 and on. For new agreements the government intends to publish its own standard clauses in 2021 and until then has advised that the EU standard clauses may continue to be used, with amendments where required so that they refer to the UK rather than the EU and EEA.
Appointments of EU Representatives
The GDPR sets out circumstances in which a business based outside the EEA would have to appoint an “EU representative”. The EU representative would have to be based in at least one of the EEA countries and act as a point of contact for EEA based individuals wishing to contact the non-EU business in connection with their GDPR based personal data rights. As of January 1, 2021, the appointment of an EU representative within the EEA does not cover the similar obligation under the UK GDPR for businesses outside the UK to appoint a UK based representative. Therefore, if an Israeli business will be undertaking any activity that falls under the UK GDPR, it will need to appoint a UK representative, regardless of whether or not it also has an EU representative.
Privacy Policies and Notices
Israeli businesses that will be undertaking activity falling under the UK GDPR will need to ensure that their privacy policies are adapted in order to properly take into consideration the requirements of the UK GDPR. For businesses that already have GDPR compliance policies, this may just require some simple adjustments at this time so that they refer to both the EU’s GDPR and the UK GDPR. However, over time, as the data privacy laws of the EU and the UK diverge more and more, more attention will be required to ensure that the requirements of both laws are properly covered.
To conclude, the immediate ramifications of Brexit for Israeli businesses that collect and use personal data of individuals in the EU and/or in the UK will not be earth shattering. Some considerations come into play now, such as determining whether or not a UK representative needs to be appointed. However, going forward, businesses must keep in mind that they have two sets of regulations to contend with that may be very similar for the time being, but are likely to diverge over time and create additional compliance issues to take into account.
Joseph Shem Tov & Co.’s partner Gil Rosen advises Israelis on GDPR and UK GDPR compliance issues. Please feel free to contact him should you have any questions.