Brexit and GDPR: quo vadis?
When the UK left the EU on 1 January 2021, it essentially became a third country. Logically, this would then mean that it should be treated as a third country also from the perspective of GDPR compliance and, specifically, Articles 44-49 thereof on international data transfers. This was also the line of thought underlying the original Brexit Statement that the European Data Protection Board adopted on 15 December 2020, which was superseded by a new statement on 13 January 2021.
Theoretically, also considering the recent Schrems 2 case law by the European Court of Justice, this would have meant that as of January all data transfers from the EU to the UK would have to be halted, unless covered by one of the (remaining) safeguards or derogations that Articles 45 to 49 of the GDPR foresee.
As with many other aspects of Brexit, the EU-UK Trade & Co-operation Agreement (Brexit Agreement) gives parties some comfort.
It is generally accepted that the UK (which has essentially copy-pasted the GDPR into its 2018 UK Data Protection Act) will benefit from an adequacy decision by the European Commission before summer. Such a decision (adopted by the Commission following the comitology procedure) will allow data transfers from the EU to the UK to be covered “as if” they happen intra-community and would mirror a similar decision already taken by the UK to allow for data transfers from the UK into EU/EEA territory.
In order to “bridge the gap” between now and then, the Brexit Agreement provides a stay of execution until 1 May 2021, by essentially prolonging the transitional period as relating to data transfers until then.
If no adequacy decision has been issued by that date, then there is a further automatic extension, until 1 July 2021, unless either the UK or the EU objects to that. According to most observers (and sources within the European Commission), an adequacy decision in favor of the UK should be adopted by then.
This arrangement is conditional on the UK not amending its data protection legislation or exercising certain “designated powers” during this period (i.e., doing anything new relating to data transfers). If the UK does want to take action during this period, then it can do so with the approval of the Partnership Council (the regulatory body that the Brexit Agreement created to oversee its implementation). There is an exception for UK amendments which are limited to changes to align rules with those applicable in the EU. In December 2020, the European Commission published a draft implementing decision relating to new standard contractual clauses for data transfers. If the EU adopts these new clauses (which it is likely to do by March 2021 following the present consultation period), this exception would allow the UK to adopt the same updated clauses, should it wish to do so.
While all of this can be welcomed as good news in terms of business continuity for many enterprises doing business across the Channel, the EDPB points out in its above-referenced statement on this topic that, as the UK is no longer an EU Member State, UK-based controllers and processors whose processing activities are subject to the application of the GDPR under Article 3(2) GDPR are required to designate a representative in the Union in accordance with Article 27 of the GDPR. The representative may be addressed by supervisory authorities and data subjects on all issues related to processing activities in order to ensure compliance with the GDPR.
Another very concrete and rather immediate consequence of the UK leaving the EU fold concerns binding corporate rules (BCRs) that multinationals may leverage to ensure the efficient transfer of data between their affiliates across jurisdictions. Organisations which rely on BCRs for their data transfers will need to adjust their BCRs so that they meet both EEA and UK requirements. Recent Brexit-related legislation in the UK requires organisations whose BCRs were approved under the GDPR by an authority other than the Information Commissioner to resubmit their BCRs to the British privacy watchdog (Information Commissioner’s Office, ICO) by 31st June 2021.
Speaking of which, the ICO is no longer a data protection authority that can partake in the GDPR One-Stop-Shop (OSS) mechanism for overseeing cross-border data processing activities. This too will have an impact on the way data protection between the EU and UK is handled going forward.
In summary, while the Brexit Agreement and the prospect of an adequacy decision before summer give some level of comfort to businesses and privacy professionals grappling with the data protection fall-out of Brexit, there are several considerations on post-Brexit GDPR to be taken into account if your company transfers personal data across the Channel. As always, it is advisable to seek expert legal advice on how these affect your business.