The transfer of personal data is of key importance to many businesses. It is an area that is affected by Brexit, and companies must consider how to deal with the changes brought about by the British departure. This note discusses the implications of Brexit for the transfer of personal data and offers guidance to companies and other parties.
The United Kingdom withdrew from the European Union on 31 January 2020. The Withdrawal Agreement regulates the terms of the British departure between the parties and entered into force immediately upon exit. The Withdrawal Agreement also includes a Transition Period, during which EU law will continue to apply to and within the UK. The jurisdiction of the Commission and the EU courts also remains intact. The Transition Period is currently set to expire on 31 December 2020 (the Expiry Date). This period can be extended by one or two years, but such an extension must be agreed between the EU and the UK before 1 July 2020.
The Withdrawal Agreement does not regulate the future relationship between the EU and the UK. This relationship is yet to be negotiated and decided between the parties. It is not certain that an agreement concerning future relations will be concluded before the expiry of the Transition Period. However, the EU and the UK have agreed on a Political Declaration that is meant to set the framework for the future relationship. This declaration is only a political document and not a legally binding agreement.
The transfer of personal data (personal data includes information relating to an identified or identifiable natural person) between EU Member States as well as between an EU Member State and a country outside the EU is governed by the General Data Protection Regulation (GDPR). The GDPR remains applicable to and within the UK during the Transition Period, ensuring the continued free flow of data between the EU and the UK until the Expiry Date.
Following the expiry of the Transition Period, the GDPR will generally no longer apply to transfers of data between the EU and the UK. However, according to the Withdrawal Agreement, EU law will continue to apply to data obtained by the UK from the EU if the data was processed under EU law in the UK before the end of the Transition Period, or is processed in the UK after the end of the Transition Period on the basis of the Withdrawal Agreement.
If the transfer of data is not regulated in a future agreement between the EU and the UK, the UK will be dealt with as any other third country and transfers of data from a Member State to the UK will be subject to the GDPR’s third country rules. Under such circumstances, transfers of data from a Member State to the UK may only take place on the basis of (i) the adoption of an adequacy decision by the Commission, (ii) use of appropriate safeguards, or (iii) if the conditions for specific derogations are met.
The Commission may decide that a third country ensures an adequate level of data protection by adopting an adequacy decision, which in turn enables a free flow of personal data from an EU Member State to the UK. In order for the Commission to adopt such a decision, the Commission must be satisfied that the third country’s data protection rules are essentially equivalent to the EU’s.
According to the Political Declaration, the Commission will start its assessment of the UK as soon as possible following the UK's withdrawal, with the aim of adopting an adequacy decision by the end of 2020. This is a relatively short period of time for the Commission to evaluate whether the UK's data protection regulation is adequate. The fastest the Commission has adopted an adequacy decision thus far is 18 months, and the process has gone on for several years in some instances. It should in this context be recalled that the statements in the Political Declaration are merely aspirational and not legally binding.
Although the UK's domestic data protection rules will be aligned with the EU data protection framework on the Expiry Date, there is a risk that the two regimes will diverge in the future. There are already issues that may be of concern to the Commission. For example, the UK's Investigatory Powers Act 2016 could cause a problem since it provides for bulk data collection, which was recently considered unlawful by Advocate General Campos Sánchez-Bordona in his Opinion in Case C-623/17 and Joined Cases C-511/18 and C-512/18. Moreover, the Five Eyes alliance, an intelligence-sharing agreement between Australia, Canada, New Zealand, the UK and the US, may be considered problematic since not all countries involved in this alliance have received an adequacy decision. The alliance enables the transfer of data to third countries where it might not be sufficiently protected in the eyes of the EU.
Further, the domestic UK Data Protection Act provides for certain exemptions which may be problematic from a GDPR perspective. For example, data subjects are excluded from various GDPR rights when their personal data is processed by public bodies for immigration purposes. This exemption has no equivalent in the GDPR and could influence the Commission's adequacy process.
If an adequacy decision is not adopted before the end of the Transition Period, data cannot be transferred from the EU to the UK unless appropriate safeguards are adopted by the data exporter or a specific derogation applies (see further below concerning the latter). As provided for in the GDPR, different safeguards are available: (i) Standard Contractual Clauses (SCCs), (ii) Binding Corporate Rules (BCRs), and (iii) a Code of Conduct.
The Commission has published contract templates, the SCCs, which can be adopted by private parties to compensate for the lack of an adequacy decision. The SCCs contain contractual obligations for the data exporter as well as the data importer. The clauses themselves cannot be modified, but they can be included in a wider contract, and other clauses or additional safeguards may be added, provided that they do not contradict the SCCs. Notably, the validity of the SCCs is currently being examined by the EU Court of Justice. In his Opinion of 19 December 2019 in Case C-311/18, Advocate General Saugmandsgaard Øe considered them valid.
BCRs are legally binding data protection policies that an international group of affiliated companies may adopt to be able to transfer data to a company within the organisation which is established in a third country. BCRs must be approved by the competent national supervisory authority and are only available to organisations with operations in the EU.
Another alternative to an adequacy decision is the adoption of a code of conduct. Such an instrument is drawn up by an organisation or association representing a sector with the purpose of specifying the application of the GDPR by codifying how to handle data in cases specific to the sector. A code of conduct must be approved by the competent national supervisory authority or, if it concerns more than one EU Member State, the European Data Protection Board. An approved code of conduct alongside binding and enforceable commitments for a third country organisation to apply the appropriate safeguards, provided in an agreement or other binding legal instruments, will offer the required safeguards for transfers of data without an adequacy decision.
Finally, there are some important derogations from the third country requirements that would otherwise apply, which allow for a transfer of personal data from an EU Member State to a third country in specific situations listed in the GDPR. Primarily, a transfer of personal data to a third country is permitted if the individual concerned has explicitly consented to the transfer. Other derogations include transfers that are necessary for important reasons of public interest.