UK-EU and UK-U.S. data transfers after Brexit

With the Brexit transition period nearing the end on 31 December 2020 and the Court of Justice of the European Union’s (CJEU) decision to strike down the EU-U.S. Privacy Shield in the Schrems II judgement, the United Kingdom (UK) is facing a problematic situation for continued post-Brexit data transfers to the US as well as the EU.

UK-U.S. transfers before and after the Schrems II judgement

Before the Schrems II judgment, the UK had hoped that, post-Brexit, it could continue to be part of the Privacy Shield and rely on it for data transfers to participating U.S. companies, thereby fulfilling the necessary GDPR requirements for third-country data transfers. UK companies only needed to update agreements with US companies to include “UK” in the EU-U.S Privacy Shield. However, with the CJEU’s decision against the Privacy Shield, the UK is facing a situation with limited legal options for data flows to the EU and the U.S.

Until the end of the transition period, UK businesses can still rely on the EU legal options available for data transfers to the U.S. and other third countries. As explained here, data transfers from the EU to any third country, including the U.S., are still possible if based on Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR), with additional safeguards in place.

The future of UK-US data transfers is not certain yet. However, the UK Data Protection Authority (ICO) stated that the current European Data Protection Board (EDPB) Guidance, which invalidates the Privacy Shield, still applies to UK controllers and processors. Thus, transfers on the basis of the EU-U.S. Privacy Shield are illegal. The ICO as well as other EU data protection authorities are working on statements about further developments and practical guidance for companies to implement.

Impact of Schrems II on the UK-EU post-Brexit transfers

As the UK will become a so-called third country post-Brexit, many companies will require a legal basis for continued EU-UK data transfers. Therefore, the UK is hoping to be granted an adequacy decision by the EU Commission that would guarantee uninterrupted data flows between the UK and the EU/EEA. Such a guarantee requires the EU Commission to consider the UK data protection regime to be on par with the safeguards provided under the GDPR. However, in the light of the Schrems II decision, ambitions for an adequacy decision are constrained.

Firstly, the decision in Schrems II that U.S. surveillance laws are not substantially equivalent to those required under EU law could provide challenges for the UK post-Brexit. UK surveillance laws and any requirements of the third country for data access by national security or law enforcement will come under scrutiny in deciding on the future of free data flows between the EU and the UK. Due to the UK’s practice of mass surveillance, evident in the Investigatory Powers Act or the “Snoopers’ Charter” as well as its membership in the “Five Eyes Alliance”, it is likely that the EU will decide that the UK’s data protection standards are insufficient.

Secondly, if the EU Commission decides not to grant the adequacy decision, SCCs and BCRs are still possible for EU-UK data transfers. However, the CJEU and the EDPB clarified that their use is subject to closer inspections from EU data protection authorities. They are obliged to restrict transfers if they believe that personal data is not sufficiently protected or if the UK surveillance regime is considered in violation of EU citizens’ rights. Thus, EU data protection authorities may be required to stop transfers to the UK.

Furthermore, the UK’s decision on how to continue post-Brexit data transfers with the U.S. will impact a possible future of free UK-EU data flows. In making the adequacy decision, the EU Commission will consider the ability of UK companies to transfer personal data from the UK to countries that do not provide adequate levels of protection in the eyes of the EU, including the U.S.

For instance, the EDPB is concerned that data protection safeguards in the UK will be neglected if the UK agrees to send data for law enforcement purposes under the CLOUD Act to the US. In case the UK decides to use an arrangement comparable to the Privacy Shield for data transfers to the U.S., the adequacy decision is likely not to be granted. It extinguishes hopes for an extended free flow of data with the EU/EEA.

Next steps for the UK companies

The ICO is reviewing guidance to advise UK companies with what to do next. As with EU companies, UK companies should immediately implement new data transfer mechanisms, including SCCs or BCRs. Where UK companies choose SCCs or BCRs for data transfers to the U.S., they are required to determine whether there are safeguards in place that provide an adequate level of protection. For instance, U.S. data importers could be asked to ensure that technical safeguards, such as encryption or anonymisation, are in place to avoid exposure of UK or EU citizens’ data to the U.S. surveillance regime.

The EDPB and the ICO already announced they will publish further clarifications concerning data transfers to the U.S., especially regarding Brexit. Therefore, it is crucial to stay up-to-date about new developments by following our newsletter.

Focus on your business in the EU and worldwide

We take care of your group's GDPR compliance!