Home / Insights / Brexit and Transfers of Personal Data – What Now?

Brexit and Transfers of Personal Data – What Now?

On 31 January, the UK withdrew from the EU. What are the implications from a GDPR-and data transfer perspective?
Flags of UK and EU on a Creacked Concrete

The current situation

The GDPR has strict rules for transfer of personal data from the EU/EEA to countries outside this area (so-called “third countries”). In short, transferring personal data to a third country is permitted only under observance of strict requirements.

Because of Brexit, as of 31 January the UK is considered as a third country which would entail that transferring personal data to the UK would have to meet the requirements of the GDPR for transfers to third countries.

However, the EU and the UK have entered into a withdrawal agreement establishing a transition period until 31 December 2020. During this period, the UK shall continue to apply the EU laws, including the rules of the GDPR. Moreover, during the transition period, the EU and the UK will negotiate the terms of a potential future partnership.

In practice this means that until 31 December 2020, businesses engaged with activities involving transfer personal data from EU/EEA to the UK (e.g. businesses that make use of IT-service providers established in the UK), can continue with those activities on the same terms as before Brexit.

What will be the situation after the transition period?

The agreed transition period may be extended once for a period of up to two years, if both the EU and the UK agree on such extension before 1 July 2020. If the transition period is not extended, the rules on transfers of personal data to third countries in the GDPR will apply to data transfers to the UK starting next year.

According to the GDPR, transfers of personal data to third countries can take place only if the third country ensures an adequate level of data protection, or if the transfer is subject to appropriate safeguards.

It is worth nothing that the UK would not automatically be considered to provide an adequate level of protection for personal data, even if the UK ensures that the GDPR remains part of UK law after the transition period. The European Commission must assess whether UK law, taken as a whole, ensures the required high level of data protection. Hence, the Commission must formally adopt a so-called “adequacy decision” regarding the UK.

If an adequacy decision is adopted before the end of the transition period, transfers of personal data to the UK can take place based as before, from 2021 onwards. If no adequacy decision is adopted and no special agreement regarding the protection of personal data is reached between the EU and the UK, all businesses involved with transferring of personal data to the UK must take appropriate actions before 1 January 2021. The businesses must ensure that their data transfers to the UK are subject to one of the transfer mechanisms under the GDPR.

Who is affected?

All international corporations with a footprint in the UK will need a transfer mechanism for data transfers from the EU/EEA to group companies established in the UK.

In addition, also businesses that has no establishment in the UK must ensure a transfer mechanism if using UK suppliers established in the UK. The same regards to businesses using EU/EEA suppliers, which have subcontractors established in the UK.

What should you do to prepare?

The transition period provides some time to prepare for the implications of Brexit in terms of transfers of personal data to the UK.

Here is a list of what any affected business should do before end of 2020:

  • Consider whether and to what extent the business will be transferring personal data to the UK (note that a “transfer” may take place if the data may be accessed from the UK, even the data is not stored on servers physically established in the UK)
  • Assess if it is necessary to establish new data transfer mechanisms, such as entering into standard contractual clauses for transfers with recipients in the UK, or adopting binding corporate rules (BCR).
  • New agreements entered into in 2020 should take into account UK’s new status from 1 January 2021
  • Businesses should also update their compliance documentation, including their privacy policy and records of processing activities, to reflect changes due to the UK’s status as a third country

Simonsen Vogt Wiig’s top ranked data protection team has extensive experience in advising clients on implementation of BCR and other frameworks to ensure compliance with the GDPR. Feel free to contact us if you have any questions, or need assistance in evaluating the consequences of Brexit and identifying appropriate compliance and risk mitigating measures for your business.