This month has been a busy one for the United Kingdom and the European Union in seeking to agree the terms of their future relationship before the end of the Brexit transition period on 31 December 2020. One of the many open questions is how the outcome of the ongoing negotiations (whether that is an agreement or a “no-deal” Brexit) will impact upon transfers of personal data from countries in the European Economic Area (“EEA”) to the UK from 1 January 2021 onwards.
Under EU data protection law, personal data can flow freely between countries within the EEA. For transfers of personal data to countries outside the EEA (known as “third countries”), the law requires one of the mechanisms under Chapter V of the General Data Protection Regulation (“GDPR”) to be in place. While the UK formally left the EU on 31 January 2020, the Withdrawal Agreement provides that the rules governing the transfer of personal data to the UK would remain the same until the end of the Brexit transition period on 31 December 2020. In the event that the UK and the EU do not agree specific arrangements for the transfer of personal data to the UK post-Brexit, one of the mechanisms under Chapter V of the GDPR will need to be in place for transfers of personal data from the EEA to the UK after 31 December 2020.
The UK Government has confirmed that Brexit will not impact upon the transfer of personal data from the UK to countries within the EEA. Therefore, such transfers can continue under existing arrangements after the end of the transition period without the need to put additional measures in place.
Transfer mechanisms under the GDPR
Standard contractual clauses
Chapter V of the GDPR sets out various mechanisms under which personal data may be transferred from countries within the EEA to third countries. The most commonly used transfer mechanism is the standard contractual clauses (“SCCs”). These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data from a party in an EEA country to a party in a third country, when incorporated into a contract between those parties.
In its recent decision in the Schrems II case [1], the Court of Justice of the European Union (“CJEU”) affirmed the validity of the SCCs but found that a party relying on them to transfer personal data to a third country must verify that the laws of that third country ensure adequate protection for the personal data, and where necessary must provide additional safeguards to those set out in the SCCs. The European Data Protection Board (“EDPB”) has recently issued draft guidance regarding the steps that parties can take to ensure compliance with the requirements identified by the CJEU in the Schrems II case; the draft is currently open for public consultation and is expected to be updated and approved in due course. Annex 2 of the draft guidance provides a non-exhaustive list of examples of supplementary measures that can be put in place to ensure that personal data transferred to third countries is afforded the same level of protection as that afforded in the EU. The draft guidance is published on the EDPB’s website.
The SCCs that are currently in place were adopted by the European Commission under the GDPR’s predecessor, the 1995 Data Protection Directive. The European Commission has recently published updated draft SCCs in order to bring the mechanism into line with the GDPR, and also to address the requirements established by the CJEU in the Schrems II case. The draft SCCs were open for public consultation until 10 December 2020 and are expected to be approved by the European Commission in early 2021. Parties will be given a grace period of one year following the adoption of the new SCCs, during which they may continue to rely on the existing SCCs.
Binding corporate rules
Another mechanism by which personal data can be transferred from countries within the EEA to third countries is pursuant to binding corporate rules (“BCRs”). This mechanism allows a multinational organisation to transfer personal data from its branch within the EEA to its branch located outside the EEA in accordance with internal rules established by that organisation. An organisation’s BCRs must be approved by its BCR lead supervisory authority. The BCR mechanism is more limited than other transfer mechanisms in that it does not allow transfers of personal data between different organisations.
Adequacy decisions
Another transfer mechanism available under the GDPR is where the European Commission has decided that the third country to which personal data will be transferred provides a level of data protection to the standard required by EU law (known as an “adequacy decision”). Where the European Commission has adopted an adequacy decision in respect of a third country, personal data can flow freely between countries within the EEA and that third country.
While it is expected that an adequacy decision will be made by the European Commission in due course in respect of the UK, this will not be in place by the end of the Brexit transition period.
With each passing day, it appears increasingly likely that specific rules governing the transfer of personal data to the UK will not be agreed in advance of the end of the Brexit transition period. As such, organisations wishing to transfer or continue to transfer personal data to the UK after 31 December 2020 should ensure that they do so in accordance with one of the mechanisms available under Chapter V of the GDPR. Practical steps that organisations should take before the end of the Brexit transition period are as follows:
- Analyse the organisation’s data flows and identify all transfers of personal data to the UK, including to any branches of the organisation located in the UK.
- Identify which of the transfer mechanisms under GDPR is most appropriate to govern the transfer of data to the UK. While the SCCs may be the solution for many organisations, each organisation will need to consider the specific circumstances of its own data flows in order to identify the mechanism that is most appropriate to its operations. For example, BCRs may be the most suitable measure for an Irish organisation with a UK presence.
- Where the organisation chooses to rely on the SCCs, it must verify whether the personal data will be afforded a level of protection in the UK that is essentially equivalent to the level of protection afforded to it in the EU, and assess whether any additional safeguards are required to be put in place to achieve this. In carrying out these assessments, the organisation should have particular regard to the recent draft guidance issued by the EDPB.
[1] Data Protection Commissioner v Facebook Ireland, Maximillian Schrems (Case C-311/18).
About the Authors
Laura is a partner in the Commercial & Business team at Hayes solicitors. Laura advises clients on a diverse range of corporate and commercial matters and regulatory requirements. She is an experienced adviser on terms and conditions of sale and purchase, IT issues, data protection, product liability, advertising and promotions, intellectual property and a wide range of commercial agreements.
Ruth is a solicitor in the Commercial & Business team and advises on an array of commercial and regulatory matters, including in the areas of privacy and data protection, intellectual property, terms and conditions of purchase and sale, advertising and promotions and commercial contracts.