December 2020

United Kingdom | International Transfers of Data to the United Kingdom after Brexit

On 24 December 2020, the European Commission (EC) announced the conclusion of the Trade and Cooperation Agreement with the United Kingdom, following its withdrawal from the European Union (EU) and the end of the succeeding transition period. The Agreement has now been published by the EC and it establishes a transitional regime for international data transfers between Member States and the United Kingdom.

Under the General Data Protection Regulation (GDPR), transfers of personal data to countries outside the European Economic Area (EEA) are subject to a set of rules. The rules vary depending on whether or not the EC has issued an adequacy decision concerning the level of protection provided by the legislation of the country receiving the data. Where no adequacy decision exists, organisations must, in order to carry out international transfers, implement one of the legal instruments ensuring appropriate safeguards provided for in the GDPR, including, for example, the conclusion of contracts containing the standard contractual clauses approved by the EC.

The transition period following the departure of the United Kingdom from the EU will finish on 1 January 2021, with strong implications in this context. This situation is aggravated by the absence of an adequacy decision from the EC (which may be more difficult to obtain after the Privacy International judgment of the Court of Justice of the European Union). Therefore, data transfers to this country, which were so far considered as transfers within the EEA, would be subject to the regime applicable to transfers of personal data to third countries.

The now published Trade and Cooperation Agreement safeguards the position of organisations transferring personal data to the United Kingdom. It provides a period of 4 months (extendable for 2 months, provided there is no opposition from the parties to the Agreement) within which transfers of personal data to the United Kingdom shall not, exceptionally, be considered as transfers to a third country. This transitional regime, which has raised a number of questions as to its articulation with the GDPR and EU primary law, is applicable provided that the following conditions are met:

  • The data protection regime established by the United Kingdom is maintained and applies to the data transferred; and
  • The United Kingdom does not exercise the designated powers without the agreement of the EU. These powers are defined in the Agreement and include:
      1. Issuance of a new document specifying standard data protection clauses;
      2. Approval of a new draft code of conduct which can be relied on to provide appropriate safeguards for transfers of personal data to a third country;
      3. Approval of a new certification mechanism which can be relied on to provide appropriate safeguards for transfers of personal data to a third country;
      4. Approval of new binding corporate rules; and
      5. Approval of contractual clauses or clauses to be inserted in administrative arrangements between entities which are involved in an international transfer of data, under Article 46(3) of the GDPR.

It is also foreseen that the transitional period of 4 months can be shortened if:

  • The EC adopts an adequacy decision for the United Kingdom;
  • The United Kingdom exercises the "designated powers" mentioned above, without the agreement of the EU; or if
  • The United Kingdom changes the applicable data protection regime, except when such change aims to align the law with the EU’s law or is made with the agreement of the EU.

The ratification process of the Agreement should be concluded within the first months of 2021, namely after approval by the European Parliament. In the meantime, and to avoid a legal gap in the provisions regulating the relationship between the EU and the United Kingdom, pursuant to expected decisions of the Council and British Parliament, the Agreement shall be provisionally applied from 1 January 2021 onwards.

Organisations transferring personal data to the United Kingdom should closely monitor developments in this regard. In any event, a backup plan should be developed considering that, at the end of the transitional period, the United Kingdom may not be regarded as offering an adequate level of data protection. In this case, the implementation of one of the legal mechanisms for legitimately continuing to transfer data may be needed. The aforementioned backup plan may also be useful if the rules on data protection contained within the Agreement are challenged before the Court of Justice of the European Union.