Brexit: Impact on the transfer of personal data to the United Kingdom
The United Kingdom – that is Great Britain and Northern Ireland – is no longer part of the European internal market or the customs union. This impacts all companies that have a business relationship with companies from Great Britain and Northern Ireland. Data protection is not exempt in this respect. Under data protection law, when the United Kingdom left the European Union, it became a so-called third country. The transfer of personal data to a third country is subject to special requirements in accordance with Chapter 5 of the General Data Protection Regulation (GDPR). On 19 February 2021, the European Commission presented drafts for two “Adequacy Decisions” pursuant to Article 45 para. 3 GDPR.
In the following, we provide a brief overview of the recent developments, the current legal position concerning data protection and an outlook of what to expect. This is particularly relevant for companies that can still decide with which business partners they build certain infrastructures in relation to certain services. Here, the country of domicile should possibly be taken into account.
The United Kingdom ("UK") withdrew from the European Union ("EU") on 31 January 2020 ("Brexit"). After two postponements, the UK and the EU agreed on a withdrawal date of 31 January 2020. On 1 February 2020, the Agreement on the Withdrawal of the United Kingdom from the European Union entered into force. With respect to data protection, the Agreement contains a provision whereby EU data protection law will continue to apply in the UK to the processing of personal data of persons from outside of the UK until 31 December 2020. In other words, after the withdrawal of the UK from the EU, the GDPR continued to apply in the UK and the UK was not considered a third country within the meaning of Article 44 GDPR. From a data protection perspective, everything stayed just as it was until 31 December 2020; this is subject to possible amendments to data protection information and other documentation under data protection law.
What applies now?
Shortly before the end of this transitional period, the EU and the UK agreed on a Trade and Cooperation Agreement which contains a new transitional rule for data transfers. This new rule provides that, for a new transition period, the transfer of personal data from the EU to the UK will not be considered a transfer of data to a third country according to Article 44 GDPR. This period began with the entry into force of the Agreement on 1 January 2021 and will end either when the EU has adopted an adequacy decision for the UK pursuant to Article 45 para. 3 GDPR (and Article 36 para. 1 of Directive (EU) 2016/680) or, at the latest, four months after the start of this transitional period, on 30 April 2021.
Accordingly, the transfer of data to the UK will initially continue under the current conditions. The end date of 30 April 2021 can be extended again by two months if no party objects.
Accordingly, until the adoption of an adequacy decision or until 30 April 2021 or 30 June 2021 respectively, nothing will change for the transfer of personal data from the EU to the UK; this is subject to possible amendments to data protection information and other documentation under data protection law.
What’s to come
The EU Commission is now tasked with presenting a so-called adequacy decision with respect to the United Kingdom in accordance with Article 44 para. 3 GDPR.
However: The EU Commission can only adopt such an adequacy decision when, after a detailed examination, it concludes that the level of protection for the processing of personal data in the UK is the same as that under the GDPR or that it otherwise ensures an adequate level of protection.
Because: If an adequacy decision has been adopted for a country or organisation, the country will be treated as a secure third country for the transfer of personal data and, consequently, the additional requirements for the transfer of personal data as set out in Article 44 et seq. GDPR will be fulfilled simply by the existence of the adequacy decision under Article 45 para. 3 GDPR.
An adequacy decision has been adopted, for example, for Switzerland, Israel and New Zealand.
The EU Commission has acted with impressive speed and has already presented a draft for an adequacy decision that would declare that the United Kingdom is a secure third country for data protection purposes: LINK.
In so doing, the EU Commission was undoubtedly faced with challenges: if the adequacy decision is adopted, the case law of the European Court of Justice ("ECJ") must be taken into account so that the Commission’s assessment must withstand an examination by the European Data Protection Board ("EDPB") and even possible review by the ECJ.
In this respect, the judgment of the ECJ of 16 July 2020 (Case No. C-311/18 – "Schrems II") is important. In that case, the ECJ declared that the Commission’s Adequacy Decision on the “Privacy Shield” was invalid and an adequate level of data protection could not be guaranteed in the USA. The ECJ criticised the fact that information about EU citizens on US servers could not be protected against access by US authorities and intelligence services. For more Detail: LINK.
In this respect, the EU Commission must examine the rules of the Investigatory Power Act of 2016 as part of its assessment of the level of data protection in the UK. The Act allows focused and thematic mass surveillance, access to devices and grants powers to record communication data. It also includes provisions on the surveillance powers of the British secret services.
Stefan Brink, the Data Protection Officer of the Land of Baden Württemberg commented to the German newspaper Handelsblatt that, "due to the "link" between the British secret services and the USA, there are fundamental doubts. Brexit simply reveals what data protectors have known for a while, he said. "The surveillance and information exchange activities of the United Kingdom secret services also infringe the EU Charter of Fundamental Rights as inappropriate and excessive state surveillance of citizens".
It can be assumed that the draft Adequacy Decision takes these points into account. The EDPB and the EU Council must now review the draft. Subsequently, the Adequacy Decision can enter into force and will apply for the next four years – it is limited in scope – and provide legal security with respect to the transfer of personal data from the EU to the UK.
What Must be done?
We recommend that you follow the ongoing procedures closely. Even if the draft decision leads to an adequacy decision under Article 45 para. 3 GDPR (which is not certain) so that the UK is considered a secure third country, there will still be a need for action. In this case, data protection information will need to be adapted (again). Citizens will need to be informed about the transfer of their personal data to a third country. In addition, when transferring personal data to third countries, the legal basis for the transfer must be provided. This guarantee would then be the adequacy decision.
In any case, keep abreast of developments concerning this complex issue. An action may be brought against the Adequacy Decision and the ECJ may decide - after receiving requests from the national courts for preliminary rulings – to declare the Adequacy Decision invalid, just as it did in its decision in relation to the "Privacy Shield" for the transfer of personal data to the USA.
Against this background, it may offer more legal certainty to look for partners based in the EU or the EEA where possible.