Impacts of Brexit on data transfers from the EU to the UK
In the context of the UK’s upcoming exit from the European Union (Brexit, expected by 31st January 2020 at the latest), the question of the implications and changes for data transfers to companies in the United Kingdom is of great importance. British Prime Minister Boris Johnson and the EU states agreed on a new Withdrawal Agreement on 17th October 2019, but it must still be approved by the British Parliament. So far, there has been no outright majority for Johnson's Brexit deal. Nevertheless, Parliament agreed to a new election on 29th October 2019, which is expected to take place on 12th December 2019. As a result, the British Parliament was dissolved on 6th November 2019. Johnson hopes that a new parliament will approve his Brexit deal.
Under the current agreement, the parties committed to ensuring a high level of personal data protection in order to facilitate the flow of data between them. There will also be a transition period during which the UK won’t be a member of the EU but will still have to abide by its rules. In addition, after the United Kingdom has left the EU, the European Commission will start assessments on an adequate level of data protection in order to reach an adequacy decision by the end of 2020.
If no withdrawal agreement is concluded beforehand, the “danger” of an unregulated No-Deal Brexit remains. As soon as the UK has left the EU, it counts as a third country within the meaning of the GDPR. Consequently, data transfers may only take place under certain conditions. The purpose of these conditions is to maintain, when transferring personal data to the UK, a level of data protection comparable to that in the EU.
Data transfers from the EU/EEA to the UK
Examining the legitimacy of a data transfer to a company based in a third country is done in two stages. First, the processing and transfer of personal data must be admissible per se. Second, the data transfer to a third country must be justified. Articles 44 to 49 of the GDPR provide such justifications for transferring data from the EU/EEA to third countries (such as the UK). A data transfer to a third country is always permitted if the European Commission has decided that the third country ensures an adequate level of data protection according to Article 45 (1) of the GDPR. Such an adequacy decision states that the level of protection is comparable to that of the EU. The existing adequacy decisions date from before the GDPR, but still provide valid justifications for foreign data transfers.
In the absence of an adequacy decision for the United Kingdom, so-called "appropriate safeguards" must be taken according to Article 46 of the GDPR, in order to enable data transfers. For this purpose, various data transfer instruments can be used. It is the responsibility of controllers and processors to verify which data transfer instruments are most suitable for each situation.
Standard Data Protection Clauses
The first instrument to consider is the standard data protection clauses. Currently, three sets of standard data protection clauses approved by the European Commission regulate the transfer of data from a controller in an EU country to a controller or processor in a third country (2001/497/EC, 2004/915/EC, 2010/87/EU).
These clauses can be added to new or existing contracts. It must be highlighted that these clauses cannot be modified; they must be adopted and signed exactly as the Commission has approved them. The standard data protection clauses date from before the GDPR, but remain valid until the EU Commission changes, replaces or repeals them by decision.
Binding Corporate Rules
Furthermore, a group of undertakings, i.e. a multinational corporate group, may use binding corporate rules (BCRs), which ensure an adequate level of data protection within the group. The group undertakes to provide appropriate safeguards when transferring personal data, including transfers outside the EU/EEA. Existing binding corporate rules that have already been approved under the former Directive 95/46/EC remain valid under the GDPR and are considered appropriate safeguards pursuant to Article 46 of the GDPR. However, they need to be updated in some places to be fully in line with GDPR provisions. Future binding corporate rules require the authorisation of the competent national supervisory authority, following an opinion of the European Data Protection Board (EDPB).
Codes of Conduct and Certification Mechanisms
In addition, there is the possibility to legitimise data transfers with codes of conduct pursuant to Article 40 of the GDPR, if they contain binding and enforceable commitments by the controller or processor and have been approved by the competent supervisory authority. The same applies to certification mechanisms pursuant to Article 42 of the GDPR.
So far, there is still no clarification of the content of the codes of conduct and certification mechanisms regarding the legal framework and the questions of how to proceed; guidelines from the European supervisory authorities are still awaited.
Ad hoc Data Protection Clauses
Ad hoc data protection clauses can be negotiated individually between the contracting parties (from the EU/EEA and the United Kingdom) so that they provide appropriate safeguards for the data transfer in each case. However, these clauses must be approved by the European Data Protection Supervisor (EDPS) before a data transfer takes place.
Any modification of the standard data protection clauses turns them into ad hoc contractual clauses.
In specific situations, there are derogations that allow data transfers to third countries; they are exceptions to the requirement to put appropriate safeguards in place or to base the transfer on an adequacy decision. These situations are justified pursuant to Article 49 of the GDPR. This is the case, for example, where there is prior informed consent or where a data transfer is necessary for the performance of a contract. These derogations are interpreted restrictively and only relate to processing activities that are occasional and non-repetitive.
Until the United Kingdom leaves the EU, precautions must be taken by European companies that transfer personal data to the United Kingdom as part of their economic activity, in order to provide an adequate level of data protection within the meaning of the GDPR. Depending on the individual case, various data transfer instruments can be used for this purpose until an adequacy decision for the UK has been reached by the European Commission.
We will be pleased to support you in coping with the challenges associated with Brexit in the field of data protection law.