The United Kingdom (‘UK’) left the European Union (‘EU’) on 31 January 2020. There is a transition period until 31 December 2020. Until then the UK will continue to comply with all EU laws and legislation. What will happen after this period is not yet clear. Deal or no deal? It is, however, certain that the UK’s withdrawal will have an impact on data traffic between the EU and the UK.
UK becomes a third country
The General Data Protection Regulation (‘GDPR’) distinguishes between countries that are part of the EEA and so-called third countries. The EEA consists of all EU Member States plus Liechtenstein, Norway, and Iceland. The UK will become a ‘third country’ as of 1 January 2021, since the transition period will then come to an end and it is very unlikely that the UK will join the EEA.
Adequacy decision unlikely
The transfer of personal data to (organisations in) third countries is only permitted if those countries or organisations offer an adequate level of protection. The European Commission may determine by means of an adequacy decision that this is the case. Examples of countries for which such decisions have been taken are Switzerland, Israel, and Japan. The European Commission takes an adequacy decision when it finds that a third country provides a level of protection equivalent to that provided under the GDPR.
If an adequacy decision is obtained by the UK before 1 January 2021, the transfer of personal data from the EEA to (organisations in) the UK may continue in the same way after the transition period. Although the UK initially appeared to be in favour of an adequacy decision during the negotiations with the EU, there have been some developments in the last months of 2020 which have called this into question.
For example, the UK published its National Data Strategy on 9 September 2020. As a result, several reports in the UK media indicated that the UK wished to loosen its data protection laws, which may have antagonized the EU. In addition, on 6 October 2020, the Court of Justice of the European Union ruled that the UK’s surveillance legislation does not comply with EU law. This makes it increasingly unlikely that the European Commission will issue an adequacy decision at all, let alone before the deadline of 1 January 2021.
What should organisations do?
We previously wrote about the possibilities of securing a legally valid transfer of personal data to the UK in the event of a No Deal Brexit. While those possibilities have remained the same, the Dutch data protection authority has recently indicated that organisations will have to wait five to seven years for the Dutch DPA to approve their Binding Corporate Rules. Binding Corporate Rules are therefore not a realistic option if a solution must be found in the short term to make a legally valid transfer of personal data to the UK possible.
In most cases, only the EU Standard Contractual Clauses (‘SCCs’ or ‘model contracts’) will be able to offer a solution. However, since last summer’s groundbreaking Schrems II judgment, simply signing these model contracts is not enough. First, a so-called data transfer impact assessment will have to be carried out. In short, this means that the data exporter will have to assess whether all the rights and obligations contained in the SCCs can be complied with by the data importer. To do this, it will be necessary to look, inter alia, at the UK laws and regulations applicable to the specific transfer. In addition, that assessment should be carefully documented and handed over to the supervisory authority when requested.
All in all, it will be quite a challenge for organisations to achieve all this before 1 January 2021. We nevertheless recommend setting this in motion as soon as possible, since, without a model contract, there is a good chance that your organisation will violate the GDPR as soon as the new year starts. Even if a deal is struck, the chances of an adequacy decision being taken by 1 January 2021 are very slim. This means that, in any case, extra safeguards will have to be put in place for a legally valid transfer to (organisations in) the UK.
Would you like more information on the transfer of personal data to the UK? The potential risks your organisation faces? Do you need help with concluding SCCs? Or do you have other questions about data traffic after Brexit? Then please contact one of our specialists.