Brexit: Personal data transfers under and after the transition period

In our previous publication on the consequences of a no-deal Brexit on personal data transfers to the UK, we noted that if the no-deal scenario persists after 29 March 2019, the UK will be considered as a “third country” under the GDPR¹. The EU and the UK have negotiated extensions of this deadline.

The UK ceased to be a Member State of the EU on 31 January 2020. However, the UK benefits from a transition period lasting until 31 December 2020. During this period, EU law, including the GDPR, continues to apply to the UK. Therefore, no additional safeguard is required for personal data transfers to the UK, at least until the end of this year. What will happen after 31 December 2020 is still uncertain.

On 18 March 2020, the European Commission published a draft agreement on the new partnership with the UK² and is currently considering adopting an adequacy decision. Any such decision would provide that the UK ensures an adequate level of personal data protection and would thus allow personal data transfers to the UK as if they took place within the EEA.

To facilitate the discussions with the European Commission, the UK government has drafted a policy paper, which is intended to demonstrate that the UK meets the required data protection standards and will continue to do so. The UK data protection legal framework is composed, in particular, of (i) the “UK” GDPR, as incorporated under the European Union (Withdrawal) Act 2018 and (ii) the Data Protection Act 2018, both as amended by the Data Protection, Privacy and Electronic Communications Regulations 2019.

Should the European Commission not adopt an adequacy decision covering personal data transfers to the UK, and should the transition period not be extended beyond 31 December 2020, the UK will be considered under the GDPR as a “third country” not benefiting from an adequacy decision. In this context, personal data transfers to the UK would be prohibited, unless appropriate safeguards or derogations can be relied on. As previously mentioned, however, most of the available safeguards would be difficult to implement within a short timeframe (e.g. binding corporate rules, certification mechanisms or codes of conduct). The available derogations are also unsatisfactory for non-occasional transfers.

Therefore, the soundest alternative would be for EU-based controllers to enter into (or mandate their processors to enter into) Standard Contractual Clauses (“SCCs”) with the UK personal data importers. The existing SCCs have been adopted on the basis of the old data protection regime under Directive 95/46/EC (repealed by the GDPR) and have not been updated since the GDPR came into force. Notwithstanding this gap, the GDPR provides that such SCCs shall remain in force until amended, replaced or repealed.

Nevertheless, possible transfers remain limited under the SCCs, which only cover transfers from EU controllers (to non-EU controllers/processors). Transfers from EU processors (to non-EU controllers/processors) are not possible with the existing SCCs. The European Commission is still working on Standard Data Protection Clauses, which are expected to address these matters.

Please read our further article on the temporary period following the deal struck between the EU and the UK over Brexit on 24 December 2020.

¹ Regulation (EU) 2016/679.
² See notably PART TWO, Title VII, Chapter two, “Data flows and personal data protection”, p. 135.