Expiry of transition period

For some time now, EU-based companies have been wondering about the data protection implications of Brexit after the transition period expires. While with the conclusion of a Trade and Cooperation Agreement at the end of December last year the EU and the United Kingdom prevented a “no deal” Brexit at the last minute, what does this mean for the transfer of personal data from the European Union to the UK? Is the United Kingdom now an unsafe ‘third country’ for data protection purposes? What do European companies need to bear in mind to ensure continued compliance with EU data protection rules?

Background

The United Kingdom left the EU single market and the customs union on 1 January 2021. The European Commission and the UK negotiated the terms of their future cooperation until the very end. Finally, an agreement was reached so that the Trade and Cooperation Agreement between the EU and the United Kingdom could enter into force on 31 December 2020. In its final provisions, this agreement also regulates, among other things, data transfers from the EU to the UK.

Requirements for data transfers to ‘third countries’ outside the European Union

In the EU, the General Data Protection Regulation (GDPR) sets out the legal framework and the conditions under which personal data may be transferred internationally. It differentiates between safe and unsafe third countries. Safe third countries are those whose level of data protection has been classified by the European Commission by means of an adequacy decision as comparable to the level of data protection in the EU. These safe third countries include Canada, New Zealand, Switzerland and Japan.

The USA, for example, is not currently one of them. With the ‘Schrems II’ ruling of 16 July 2020, the ECJ declared the EU-US Privacy Shield invalid. In order to transfer data to the USA, data controllers must therefore individually ensure that the personal data are adequately protected at the recipient’s end. To this end, the GDPR provides for a number of instruments in Articles 44 et seqq., for example, the conclusion of standard contractual clauses, which is very relevant in practice. However, the ECJ also emphasised in Schrems II that standard contractual clauses cannot justify a third-country transfer if the legal situation and practice in the third country do not allow the data importer to comply with the obligations under the standard contractual clauses. It is the responsibility of the companies to analyse the specific data transfers in detail and to determine which laws of the third country apply in each case and whether these laws affect the guarantees they gave by signing the standard contractual clauses. If necessary, the data exporter and importer must take supplementary measures in addition to the standard contractual clauses to ensure an adequate level of data protection.

Classification as an unsafe third country thus entails a number of risks and uncertainties and leads to considerable additional work for companies wishing to transfer data to recipients in third countries.

Provisional regulation: United Kingdom not to be treated as a third country

The EU and the UK have now agreed that the UK, with its current data protection standard, should not be considered a third country, at least for the time being (Part Seven, Article FINPROV.10A). Data transfers from the EU therefore currently do not require any additional justification apart from the general requirements (which also apply to transfers within the EU). However, this only applies on a transitional basis initially until 1 April 2021. Provided neither the EU nor the UK object, this period will be automatically extended until 1 June 2021.

Should the Commission adopt an adequacy decision by then, the UK will continue to be considered a safe destination and data transfers from the EU to the UK will continue to be possible without any problems. At least at present, the level of data protection in the United Kingdom is not significantly different from that in the European Union. This is because the General Data Protection Regulation has become part of UK data protection law under the Data Protection Act 2018 with only a few adjustments.

The UK can make certain changes to its data protection law during this transitional period without automatically forfeiting its privileged status. Changes that merely serve to adapt UK law to European data protection law, for example, are unproblematic with regard to the transitional regime. Other changes are also possible, provided the Partnership Council set out in the Trade and Cooperation Agreement gives its prior consent or waives its right to consult by tacit agreement.

How companies can prepare

The transitional regime buys some time for businesses to hedge their bets on data flows to the UK. While the European Commission can resolve the issue through an adequacy decision, it is advisable, however, that companies also prepare for a situation in which such a decision does not materialise and the UK becomes a third country, at least temporarily (cf. Brexit and the GDPR).

The necessary measures (for example, standard contractual clauses or binding corporate rules) cannot be implemented ‘overnight’, but require careful preparation in coordination with the data recipients involved in the UK in order to have the smallest possible adverse effect on established business processes and data flows.

 

Further links:

• Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part, OJ 2020 L 444 of 31 December 2020, pages 14 to 1462
• ECJ – Judgment of 16 July 2020 – Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd (‘Schrems II’)
• European Commission - Draft implementing provision on 'standard contractual clauses' for the transfer of data to third countries