Although the UK has already left the EU 9 months ago, EU legislation is still applicable to the country during the transitional period until the end of the year, so in practice we have not yet faced the post-Brexit legal environment. Due to the protracted process, businesses in the EU may easily overlook the fact that, as of January 2021, they will no longer be able to transfer personal data to the UK as they used to. However, until the end of the year, there is still time to settle the legality of data transfer to UK, the possibilities of which are analysed in our short article.
1. What is a data transfer under GDPR?
Solving the problem begins with recognizing the problem, so you first need to know what qualifies as data transfer under GDPR. It is considered a data transfer according to the GDPR if the data controller transfers personal data to another person, which includes parent companies and subsidiaries in a same company group. Personal data means any information relating to an identified or identifiable natural person. In business, we transfer personal data on a daily basis, from email addresses to a scanned ID to the content of a copied message, such data are almost everywhere.
We are sure that you also transfer personal data, the legality of which has probably been examined by an expert back when the GDPR was introduced. If you transfer personal data to a partner in the UK, the current legal basis of the transfer will not be applicable from January 2021, so the data processing needs to be reviewed.
2. BREXIT and GDPR
As long as the United Kingdom was a member of the EU, there was no particular difficulty in transferring data to UK from the Member States as the free movement of personal data is ensured within the Union. This is based on the fact that under uniform EU law, all Member States are obliged to harmonize their national data protection rules with EU law, so that state guarantees for data protection are, in principle, provided by all Member States.
However, as a result of Brexit, EU law will no longer apply to the UK from 1 January 2021, so it will become a third country.
For the Member States, this means that data transfer to the UK will only be allowed if the requirements set out in the GDPR are met.
3. What are the cases defined in the GDPR?
Under GDPR, data transfer to a third country may only take place in the following cases:
a) On the basis of an adequacy decision
b) Based on standard data protection clauses adopted by the Commission (SCC)
c) Based on Binding Corporate Rules (BCR)
d) other special cases and exceptions
From the above options, we cover cases a) and b), which are relevant to all businesses.
4. Why does it matter whether the UK receives an adequacy decision?
A transfer of personal data to a third country may take place where the Commission has decided in an adequacy decision that the third country in question ensures an adequate level of protection. The European Commission recognised several countries as providing adequate protection, for example Argentina, Israel, Japan, or New Zealand. In the case of the United Kingdom, this will be decided after 2020.
If the EU finds that the United Kingdom provides the same adequate level of protection as within the EU, the transfer may continue as before Brexit.
However, experts are sceptical about the adequacy decision, mainly for the same reasons why the CJEU recently annulled the Privacy Shield, a method that allowed data to be transferred to the US, in the “Schrems II” judgment.
The fall of the Privacy Shield was caused by the fact that several US national security agencies have bulk surveillance powers that are inconsistent with European Union principles for the protection of personal data, and that the persons under surveillance often do not have adequate redress for possible violations.
Experts point out that it is questionable whether the UK will receive adequacy decision declaring the same level of protection as in the EU, given its current intention to extend surveillance for national security purposes.
5. Standard data protection clauses adopted by the Commission
In the absence of an adequacy decision, companies must take the lead and enter into contracts with the recipients of the data transfers containing the standard clauses (SCC) published by the EU Commission, in which the recipient provides appropriate safeguards regarding the protection of personal data and guarantees that enforceable data subject rights and effective legal remedies for data subjects are available.
Such contracts may legitimize data transfer to a third country, however, the Schrems II judgment pointed out a fundamental shortcoming of the method: Since the State of the recipient and its bodies are not parties to the contract, SCCs cannot guarantee the protection of the information from national intelligence services.
Although the CJEU has not found the use of SCCs illegal, it ruled that companies must now assess each SCC to make sure there are no local laws that can adversely affect the protection of personal data to European standards. Data transfer is only possible if the latter is established.
The EU has not yet provided guidance on how to conduct the assessment. It is also questionable how a company can establish the adequacy of a recipient domiciled in the USA when concluding the SCC, after the CJEU has found that the United States, mainly due to its surveillance programmes, can not provide adequate protection.
The applicability of SCCs can therefore be questioned not only in the case of the USA but also in the case of the United Kingdom, which endeavours to introduce similar national security surveillance.
As things stand, on the first day of 2021, a new chapter will begin in the transfer of data between the EU and the UK, although the details are still uncertain. In the event of an adequacy decision, the data transfer could proceed as before, but until this happens, companies will have to choose: they either refrain from data transfer or enter into SCCs with their British partners, the adequacy of which is currently in question. Should you need more information on this matter, we suggest contacting a legal expert experienced in data protection.
 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
 Art. 4(2),(7) of the Regulation
 Art. 4(1) of the Regulation
 Chapter V of the Regulation
 Art. 45 of the Regulation
 Judgment of the Court of 16 July 2020 in case C-311/18: Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems Request for a preliminary ruling from the High Court (Ireland)
 Art. 46 of the Regulation
© International Law Firms 2016-2017 All rights reserved.
3, Montée de Clausen, L - 1343 Luxembourg
Luxembourg Commercial Register Number F-9208.