
Brexit - Data Protection


Major implications

From a data protection point of view, a distinction must be made between four periods of time, namely (i) the period prior to Brexit (31 January 2020), (ii) the Transition Period (1 February 2020 – 31 December 2020), (iii) the Interim Period (1 January 2021 – 30 June 2021) and (iv) the period thereafter (as of 1 July 2021 onwards).

 

Before Brexit (31 January 2020)

 

Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the GDPR) was applicable from 25 May 2018 in all EU Member States, including the UK (Great Britain and Northern Ireland).

The UK also adopted the Data Protection Act 2018, which, amongst other things, further implemented the GDPR into national law. The competent supervisory authority for data protection in the UK is the Information Commissioner’s Office (ICO).

Hence, until 31 January 2020 (the Brexit Date), the GDPR applied fully in the UK and entities operating in the UK had to comply with the GDPR and the Data Protection Act 2018, were able to benefit from the one-stop-shop principle and were subject to the consistency mechanism (including the competence of the European Data Protection Board (EDPB)).
 

Transition Period (1 February 2020 – 31 December 2020)

 

The agreement of 19 October 2019 on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community (the Withdrawal Agreement) provided for a transition period from 1 February 2020 until 31 December 2020 (the Transition Period). 

During the Transition Period, the UK remained subject to all EU laws (other than those expressly excluded by the Withdrawal Agreement).

Consequently, during the Transition Period:

  • the GDPR and related EU privacy laws continued to apply to the UK;
  • the UK had to continue to interpret and apply the GDPR and related EU privacy laws consistent with wider EU legal principles; EU Member States had to continue to apply the GDPR and related EU privacy laws in a way which did not discriminate against the UK;
  • the CJEU continued to have jurisdiction to settle questions of interpretation raised by the UK courts regarding data protection law and the UK had to abide by CJEU decisions;
  • transfers of personal data from the EU to the UK were not restricted under Chapter V (Transfers of personal data to third countries or international organisations) of the GDPR; and
  • the UK was restricted from participation in EU decision-making and governance bodies/offices, but could be invited to attend on a non-participatory basis; hence, the ICO’s role in the EDPB was limited to attendance in an observer capacity.

The UK and the EU had the option to extend the Transition Period once by joint agreement before 1 July 2020 for one or two years. The UK had however ruled out the possibility of an extension in its domestic law. Consequently, the Transition Period ended on 31 December 2020, in accordance with Article 126 of the Withdrawal Agreement.

 

Interim Period (1 January 2021 – 30 June 2021)

 

Political Declaration

Aside from the Withdrawal Agreement, the EU and UK on 19 October 2019 also agreed on a non-binding political declaration setting out the framework for the future relationship between the European Union and the United Kingdom (the Political Declaration).

The Political Declaration stated that the EU and the UK both desired a high level of data protection and established a willingness by the European Commission to commence an assessment of the UK’s adequacy, with an ambition to adopt an adequacy decision by the end of the Transition Period. Securing an adequacy decision would be vital to support a free flow of personal data between the EU and the UK once the Transition Period ended. The Political Declaration also contained some high level principles to (i) secure co-operation between data protection regulators; (ii) develop reciprocal arrangements for PNR, DNA, fingerprint and vehicle registration data processing, and (iii) facilitate electronic commerce and cross-border data flows.

During the Transition Period, the UK and the EU negotiated a comprehensive deal covering all aspects of Brexit after the end of the Transition Period.
 

EU-UK Trade and Cooperation Agreement

The EU and the UK came to an agreement on 24 December 2020 called the EU-UK Trade and Cooperation Agreement (the Trade Agreement). The Trade Agreement was signed on 30 December 2020 and applied as of 1 January 2021 on a provisional basis until 28 February 2021 to enable the European Parliament and the Council of the EU to ratify the Trade Agreement.

The Trade Agreement provides that transfers of personal data to UK entities will not be considered as transfers to a third country subject to the provisions of Chapter V of the GDPR for an interim period to allow the European Commission to prepare an adequacy decision (the Interim Period). 

The Interim Period will last four (4) months and will automatically be extended to six (6) months, thus to 30 June 2021, unless the EU or the UK object, and subject to the two following conditions: (i) the UK data protection regime remains the same, and (ii) the ICO may not approve new transfer mechanisms or Codes of Conduct without the approval of the EU-UK Partnership Council.
 

As of 1 July 2021

 

It is expected that the EU Commission will adopt an adequacy decision pursuant to Article 45 GDPR by 30 June 2021 so as to ensure that transfers of personal data to the UK can continue without the data exporter and the data importer having to take additional steps (e.g., Standard Contractual Clauses or Binding Corporate Rules) or having to rely upon the derogations provided for in Article 49 GDPR.

If no adequacy decision is taken before the end of the Interim Period, all transfers from the EU to the UK will be considered again as a transfer to a third country under Chapter V of the GDPR as of 1 July 2021.

On 19 February 2021, the EU Commission launched the process towards the adoption of two adequacy decisions for transfers of personal data to the UK, one under the General Data Protection Regulation and the other for the Law Enforcement Directive. The publication of the draft decisions is the beginning of a process towards their adoption. This involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. Once this procedure has been completed, the Commission could proceed to adopt the two adequacy decisions.
 

Consequences of Brexit as of 1 January 2021

 

GDPR and UK GDPR

As the GDPR has no longer been applicable in the UK since 1 January 2021, the UK has written the GDPR into UK law (with the necessary changes to tailor its provisions for the UK) and has adopted the so-called UK GDPR, which applies together with the UK Data Protection Act 2018.

Article 71 of the Withdrawal Agreement moreover states that the GDPR will remain applicable in the UK to personal data that were processed in the EU under the GDPR before the end of the Transition Period, unless the UK obtains an adequacy decision. Should an adequacy decision no longer be applicable, the UK must ensure a level of protection of personal data that is equivalent to the protection offered by the GDPR.

EU Representative

The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU (e.g., in the UK after the end of the Transition Period), where the processing activities are related to (i) the offering of goods or services to such data subjects in the EU; or (ii) the monitoring of their behaviour as far as their behaviour takes place within the EU.

Hence, now that the Transition Period has ended, UK entities may have to comply with the GDPR, given the latter’s extra-territorial effect. 

UK entities subject to the GDPR need to appoint a local representative in the EU (Article 27 GDPR).

EU to UK Data Transfers

During the Interim Period (1 January 2021 – 30 June 2021), personal data may continue to be transferred to the UK without further restrictions.

It is expected that a UK adequacy decision will be adopted by 30 June 2021 so as to ensure the further free flow of personal data to the UK as of 1 July 2021.

If there is no UK adequacy decision after the Interim Period (30 June 2021), the UK will automatically be regarded as a third country that does not provide adequate protection of personal data originating from the EU. In practice, this means that EU entities transferring personal data to the UK must ensure that, prior to the end of the Interim Period, appropriate safeguards are put in place (e.g., Standard Contractual Clauses or Binding Corporate Rules). In this respect, it is important to recall the Court of Justice of the European Union’s decision in Schrems II and the guidance of the European Data Protection Board (EDPB), which require data exporters relying upon Standard Contractual Clauses to undertake case-by-case Transfer Impact Assessments.

Use of UK (Sub-)Processors

During the Interim Period (1 January 2021 – 30 June 2021), personal data may continue to be transferred to UK (sub)processors without further restrictions.

It is expected that a UK adequacy decision will be adopted by 30 June 2021 so as to ensure the further free flow of personal data to UK (sub)processors as of 1 July 2021.

Should a UK adequacy decision not be adopted by 30 June 2021, EU controllers using UK processors or sub-processors will need to ensure that, aside from a data processing agreement in accordance with Article 28 GDPR, express contractual safeguards to ensure adequate protection of personal data (e.g., Controller-Processor Standard Contractual Clauses) are put in place.

UK to EU or Adequate Countries Data Transfers

Transfers from the UK to the EU or other adequate countries (including organisations adhering to the Privacy Shield) are unlikely to be affected. However, onward transfers of personal data originating from the EU by UK entities may become an issue. Indeed, in case no UK adequacy decision is adopted by 30 June 2021, contractual arrangements imposed upon UK entities to legitimise data transfers from the EU to the UK (e.g., Standard Contractual Clauses) will generally require the same obligations to be passed on to any third parties that will be processing the data. As a result, existing arrangements between UK entities and entities located elsewhere and that are processing personal data originating from the EU may need to be reviewed and updated. New arrangements between UK entities and entities located elsewhere and that are processing personal data originating from the EU will also require specific attention in order to ensure compliance with the UK entity’s obligations under contractual arrangements to legitimise data transfers from the EU to the UK.

Lead Supervisory Authority

Because their main EU establishment was located in the UK, many multinationals operating across the EU were subject to the competence of the ICO as lead supervisory authority under the one-stop-shop mechanism foreseen by the GDPR. Now that the UK has ceased to be an EU Member State, the ICO is no longer considered a supervisory authority for the purposes of the GDPR, is no longer a member of the EDPB and can no longer act as lead supervisory authority. As a result, UK headquartered multinationals need to select an alternative lead supervisory authority (within the EU) or an additional one in parallel with the ICO. UK headquartered multinationals operating across the EU are accountable to a variety of EU data protection supervisory authorities instead of only to the ICO. Therefore, some of them have moved their headquarters to an EU Member State in order to secure the lead supervisory authority benefit.
 

To do’s

EU Entities

In the event the UK would succeed in securing an adequacy decision by the end of the Interim Period, personal data will continue to be able to flow freely between the EU and the UK. Hence, EU controllers transferring personal data to UK controllers or processors would not have to ensure appropriate safeguards are in place.

If there is no adequacy at the end of the Interim Period:

  • EU controllers transferring (directly or indirectly) personal data to UK controllers or processors need to put in place appropriate safeguards to ensure adequate protection of personal data; and
  • EU processors using UK sub-processors need to ensure appropriate safeguards to ensure adequate protection of personal data are put in place.

Furthermore, and in any event:

  • EU controllers need to review their current documentation (from records of processing activities under Article 30 GDPR to DPIAs under Article 35 GDPR) in order to reflect the fact that the UK no longer forms part of the EU.

UK Entities

In the event the UK would succeed in securing an adequacy decision by the end of the Interim Period, personal data will continue to be able to flow freely between the EU and the UK. Hence, UK controllers receiving personal data from EU controllers or processors would not have to ensure appropriate safeguards are in place.

If there is no adequacy at the end of the Interim Period:

  • UK controllers and processors that are receiving personal data from the EU need to put in place adequate safeguards to ensure they become safe importers of personal data, unless the UK obtains an adequacy decision; and
  • UK controllers and processors need to review their arrangements with entities located outside the UK that are receiving personal data originating from the EU in order to ensure that contractual obligations imposed upon UK entities to legitimise data transfers from the EU to the UK (e.g., Standard Contractual Clauses) are passed on to any third parties that will be processing the data, unless the UK obtains an adequacy decision.

Furthermore, and in any event:

  • UK controllers and processors subject to the GDPR due to its extra-territorial effect need to appoint a local representative in the EU;
  • UK headquartered multinationals need to select an alternative lead supervisory authority (within the EU) or an additional one in parallel with the ICO or may consider moving their headquarters to an EU Member State in order to secure the lead supervisory authority benefit; and
  • UK controllers need to review their current documentation in order to reflect the fact that the UK no longer forms part of the EU.

Our dedicated Lydian team is ready to assist you with any questions you might have regarding Brexit. 

Contact us with all your questions on brexit@lydian.be
