
25 January 2021 | 6 minute read

Brexit and personal data

As the transition period came to an end on 31 December 2020, a new one began on 1 January 2021 for international data transfers.

Pursuant to Brexit, the UK left the EU and is now considered a third country from a data protection standpoint. This change of status will affect personal data transfers between the EU and the UK. Indeed, according to Article 45 of GDPR, international data transfers to a third country are prohibited, unless certain specific requirements are met.

In this regard, on 24 December 2020, a Trade and Cooperation Agreement was agreed upon by the EU and the UK, granting an interim period of four months with a possible extension of two months, during which the UK will not be considered a third country for the purpose of transfers of personal data from the EU to the UK.

As a result, during this interim period, personal data transfers from the EU to the UK remain legal and subject to GDPR.

On 14 January 2021, Bruno Gencarelli, Head of the International data flows and protection unit at the European Commission, said that this period is limited and that, whatever happens, the agreement will end on 30 June 2021.

The Luxembourg data protection regulator (CNPD) recently released its Guidelines to assist Luxembourg-based entities in transferring personal data to the UK and to evaluate the consequences of Brexit for international data transfers (the Guidelines).

The Guidelines make the following clear.

From 1 January 2021 until 1 May 2021 (or at the latest 1 July 2021 if the extension of two months to the interim period is triggered), a separate legal framework regarding data protection and privacy will be in force in the UK, i.e. the UK GDPR and Data Protection Act 2018. As the UK version of GDPR is almost identical to the EU GDPR, no material new steps will need to be taken by Luxembourg players at this stage, provided they already complied with GDPR.

Before the end of the interim period (at the latest on 1 July 2021): the UK will have to apply for an adequacy decision which can be either (i) adopted by the European Commission if the level of protection required is reached, or (ii) rejected.

(i) In case of an adequacy decision adopted by the European Commission

During the interim period, the UK will have to prepare and submit to the European Commission an adequacy decision for approval. The adoption of an adequacy decision involves a proposal from the European Commission, an opinion of the European Data Protection Board, an approval from representatives of EU Member States, and the final adoption of the decision by the European Commission.

In his update of 14 January 2021, Mr Gencarelli stated that the European Commission, in close cooperation with the UK, is finalising its assessment and will trigger the decision-making process in the coming weeks. The next step will involve seeking the opinion of the European Data Protection Board (EDPB). The objective is to finalise this process in due time – that is, before the interim period ends.

This statement suggests that the UK adequacy decision is on its way.

If the UK adequacy decision is approved by the European Commission, personal data will flow freely from the EEA (including Luxembourg) to the UK without any further safeguard being necessary. Indeed, such an adequacy decision would mean that transfers to the UK would be treated in the same way as intra-EU transmissions of data.

(ii) In the absence of an adequacy decision adopted by the European Commission

If the UK adequacy decision is not approved, GDPR will continue to apply to certain “legacy” personal data (i.e. data of individuals outside the UK that were transferred from the EU to the UK during EU membership or during the transition period).

Irrespective of any adequacy decision, if a UK entity operates or offers goods or services in the EU, GDPR still applies to it (in addition to the UK GDPR). Equally, if an EU entity operates or offers goods or services in the UK, the UK GDPR will apply to it (in addition to GDPR). Organisations that operate across EU-UK borders need to be aware of the dual regulatory regime that now applies.

That being said, EU-based entities will need to take additional steps to ensure an appropriate level of protection for personal data transferred from the EU to the UK – the “appropriate guarantees” as referred to in Article 46 GDPR. These measures can be Standard Contractual Clauses (as adopted by the European Commission, or ad hoc contractual clauses), Binding Corporate Rules applicable to the EEA, codes of conduct or certification mechanisms, and/or legally binding and enforceable instruments between public authorities or bodies.

As far as the Standard Contractual Clauses (SCCs) are concerned, on 15 January 2021, the EDPB and the European Data Protection Supervisor (EDPS) adopted opinions on two sets of SCCs to bring more clarity and to ensure their practical usefulness, as well as further harmonisation and certainty about personal data transfers.

In its Guidelines, the CNPD underlines that the use of such “appropriate guarantees” shall be made in accordance with the recent Schrems II judgement of the Court of Justice of the EU which was confirmed by the EDPB and EDPS in the draft SCCs for the transfer of personal data to third countries. This means that, following a case-by-case analysis of the circumstances of the EU-UK transfer, data exporters may rely on “supplementary measures” if they can ensure that UK law does not impinge on the adequate level of protection that they guarantee. It is worth noting that the new SCCs subject to the review of the EDPB and the EDPS on 15 January 2021 include further guarantees in case of discrepancy between the law of the country of destination and the clauses, for instance in case of binding requests from public authorities for disclosure of personal data.

As declared by Mr Gencarelli: “if no adequacy decision is approved, we will fall back to the default situation, which is the same as other countries which do not benefit from an adequacy decision. The system is not binary, adequacy or no flow, there are alternatives, transfers tools, which allow transfer but not as simple and straightforward as an adequacy decision.”

According to the Trade and Cooperation Agreement and during the new transition period, the UK is not considered by the EU as a third country for personal data transfer purposes. However, close attention will be paid to the proposed adequacy decision submitted by the UK and to the future of personal data transfers between the EU and the UK.

DLA Piper has developed a set of innovative tools to assist clients in ensuring compliance of their transfers of personal data with the requirements of GDPR and the Schrems II judgement.
