Brexit is the term generally used to describe the decision of the United Kingdom to leave the European Union (EU).
Brexit became effective on January 1, 2021. The EU-UK Trade and Cooperation Agreement provides for an additional transition period of 4 months starting January 1, 2021 (with an additional 2-month extension unless the EU or UK objects) where the EU will treat the UK like an EU member state with respect to the processing of personal data. Thus, there are no additional restrictions or safeguards needed for the transfer of EU personal data to the UK currently. We have prepared an FAQ document with additional information on Brexit and data protection.
8x8 Brexit and Data Protection FAQ
Sets out various answers to key questions you may have in relation to Brexit, how this affects the services you purchase from 8x8, and how 8x8 addresses the data protection issues related to Brexit.
What is Brexit?
"Brexit" is the term generally used to describe the decision of the United Kingdom to leave the European Union ("EU"). On 31 January 2020, the UK formally left the EU but then immediately entered into a transition period, which ended on 31 December 2020 (the "Transition Period"). During the Transition Period, EU law continued to apply to the UK as it had done previously (that is, for most intents and purposes as if the UK continued as a member).
In any case, at the end of the Transition Period:
- EU law that is in force as of that date will be "snapshotted" and then converted into UK domestic law (so, will continue to take effect in the UK as UK local law).
- Following the Transition Period and onwards, any new EU law will no longer apply to the UK.
"EU law" includes EU Regulations, EU Directives (which must be implemented into local law to take effect in each EU member state) and case law from the Court of Justice of the European Union ("CJEU").
Did the Brexit deal in late December address transfer of personal data from the EU to the UK?
The EU-UK Trade and Cooperation Agreement ("Brexit deal") provides for an additional transition period, the "Specified Period", during which the EU will treat the UK like an EU member state with respect to the processing of personal data. Thus, for four months, transmission of personal data from the EU to the UK shall not be considered a transfer to a third country under EU law. This period shall be extended by an additional two months unless the EU or the UK objects. The Specified Period gives the European Commission additional time to determine whether personal data protection in the UK is "adequate" to allow the transfer of EU personal data to the UK without any additional safeguards.
What happens to data protection law in the UK following the Transition Period?
Firstly, the General Data Protection Regulation 2016/679 ("GDPR" or, for clarity, "EU GDPR") was "snapshotted" into UK domestic law. Specifically, the GDPR is incorporated into UK domestic law by s3 of the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("Exit Regs") (collectively, "UK GDPR").
This means that UK data protection law (as set out in the UK GDPR) essentially mirrors the obligations set out in the EU GDPR; however, certain elements of the EU GDPR (those which refer to cooperation and consistency procedures within the EU) no longer apply, as the UK is no longer a member of the EU. Further, the territorial scope of the UK GDPR is as set out in Article 3 of the GDPR; however, the references to the "Union" are instead references to the UK.
Secondly, the Data Protection Act 2018 ("DPA 18") (as amended by the Exit Regs) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") continue to apply under UK data protection law, as does any existing UK or CJEU case law relating to data protection. However, the UK can choose to deviate from existing CJEU case law (where it is "reasonable" to do so) and is no longer bound by new rulings from the CJEU.
Thirdly, as discussed above in FAQ 3, during the Specified Period the UK will be treated like an EU member with respect to the processing of personal data, and no additional safeguards are required to transfer EU personal data to the UK. The UK government has also legislated that it will consider the EU as adequate for the purposes of the UK GDPR, and thus transfers of data from the UK to the EEA will be uninhibited after the Specified Period. Similarly, transfers from the UK to Gibraltar will also be permitted.
Fourthly, 11 of the 12 third party countries previously deemed adequate by the EU (all but Andorra) have confirmed that they will maintain unrestricted personal data flows with the UK.
Lastly, for transfers to other countries (i.e. not the EEA nor adequate countries), the UK has also legislated so that the EU Standard Contractual Clauses can (as now) be used as a mechanism for transfers from the UK to non-"adequate" territories (per UK GDPR).
What does this mean for me, as an 8x8 Customer?
Firstly, you will need to understand whether you are directly subject to the EU GDPR, the UK GDPR, or both. This will determine what your responsibilities are under law, specifically vis-à-vis international data transfers to the UK and outside the EEA.
If you are subject to the EU GDPR:
- You will be appointing 8x8 as a processor in the UK. 8x8 also uses a group entity sub-processor in the US for the provision of our services. This is already addressed in the Data Protection and Security Section and Data Protection Appendix of 8x8’s standard terms.
- During the Specified Period (until 30 April 2021, which may be extended up to 30 June 2021) there are no transfer restrictions or additional safeguards needed for the transfer of EU personal data to the UK. If the European Commission does not determine that the UK has adequate personal data protection by the end of the Specified Period, an international data transfer mechanism may be required to legitimise the transfer of your personal data from the EEA to 8x8 in the UK. We will monitor the situation and may offer you an amendment agreement, which includes the EU Standard Contractual Clauses, if at the end of the Specified Period, the European Commission has not issued an adequacy decision for the UK.
- Further, 8x8 has an intra-group data transfer agreement (which incorporates the EU Standard Contractual Clauses) to ensure that data can flow within our group in compliance with the requirements of GDPR.
If you are subject to the UK GDPR, there is no transfer restriction when sharing personal data with 8x8 in the UK. In addition (as mentioned above), 8x8 has an intra-group data transfer agreement (which incorporates the EU Standard Contractual Clauses) to ensure that data can flow within our group in compliance with both the requirements of GDPR and UK GDPR.
What about Schrems II?
Following the CJEU's ruling in the Schrems II case (C-311/18), when relying on EU Standard Contractual Clauses, controllers are now obliged to investigate further any transfers of personal data subject to GDPR (or UK GDPR) outside the EEA to countries that have not been deemed "adequate" by the EU Commission (or the UK Secretary of State, as applicable). These investigations are to ensure that the third-party data recipient can comply with the requirements of the EU Standard Contractual Clauses and that the third-party recipient country can offer protections for the personal data "essentially equivalent" to EU data protection standards. If this is found not to be the case, the parties should look to impose additional safeguards to remedy the discrepancy.
As highlighted above, it is still unclear whether the EU will consider the UK to be "adequate". However, 8x8 has taken steps to ensure that any personal data we receive is protected as required by law, including in respect of access requests by local authorities or law enforcement agencies in the jurisdictions in which we operate. In no event will 8x8 ever knowingly disclose personal data in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society. We also have in place, and maintain in accordance with good industry practice, security measures (see below), including security measures to protect personal data from interception while in transit.
What security measures does 8x8 apply to protect personal data?
As highlighted above, 8x8 is committed to ensuring that the personal data we receive is secure. 8x8 implements appropriate technical and organisational security measures to protect such personal data against: (i) accidental or unlawful destruction; and (ii) loss, alteration, unauthorised disclosure or access.
In particular, 8x8 has in place administrative, physical, and technical safeguards implemented in accordance with 8x8’s existing data security program, which includes:
- limiting access to information on 8x8’s information system media to authorized users;
- limiting physical access to 8x8’s information systems and related equipment to authorized individuals;
- regular assessments of information security risks to 8x8’s information systems and associated information processing activities and of the effectiveness of information security controls in 8x8’s information systems;
- training of 8x8’s managers and users of 8x8’s information systems regarding the information security risks associated with their activities and applicable laws and policies; and
- imposition of formal sanctions for 8x8 personnel failing to comply with 8x8’s information security policies and procedures.
In addition, 8x8 is certified against Cyber Essentials, and 8x8's information systems are protected by industry-standard firewalls and intrusion detection systems. Regular vulnerability scans and penetration tests are carried out, and 8x8 has a consistent patching policy. In relation to data back-up, 8x8 carries out a risk assessment of threats covering the point of back-up creation, the transit process and the ultimate place of storage, and back-up data is encrypted.
Can we audit 8x8's security measures?
8x8 is regularly audited against the ISO 27001, ISO 9001:2015 and Cyber Essentials standards by independent third-party auditors. Upon a customer's reasonable request, 8x8 can provide customers with a summary copy of our audit reports.
8x8 cannot accommodate on-premises audits but does take full responsibility for ensuring the security of all customer and end-user personal data. 8x8 complies with ISO 27001, ISO 9001:2015 and Cyber Essentials and conducts several audits throughout the year that provide assurance that 8x8's controls are properly and securely managed.
If you have any further questions in relation to Brexit and how it impacts our services, please let us know. You can contact us at: firstname.lastname@example.org.