The United Kingdom (UK) and the European Union (EU) have agreed on a Withdrawal Agreement – ‘Brexit with a deal’ – and EU law will continue to apply until the end of 2020, meaning there is no disruption to EU-UK data flows.
During the transition period, the EU General Data Protection Regulation (GDPR) will continue to apply, and data flows will not be immediately affected. Nevertheless, by the end of the transition period, the UK may become a ‘third country’ according to the GDPR, with far-reaching implications for data protection.
Scope of application of the GDPR
The GDPR has an extraterritorial effect on both private and corporate data protection. It stipulates the rights of data subjects and applies to all businesses that process the personal data of people in the EU within the scope of offering goods or services or monitoring behaviour. As stipulated in Art. 3 GDPR, compliance is mandatory for all such businesses, irrespective of their physical location.
After the UK leaves the EU, Articles 44–50 of the GDPR will regulate data flows with the UK as a third country (see our guide on Brexit and the GDPR).
Brexit transition period
With the Withdrawal Agreement, a transition period until the end of December 2020 applies, which is meant to ensure that data flows between the UK and the EU remain undisrupted. During this timeframe, the UK is committed to applying EU data protection laws, thus leaving UK-EU data transfers unaffected. Consequently, from a data protection perspective, the UK will continue to be treated as an EU Member State until the end of the transition period.
After the UK’s status changes to that of a third country, a specific legal basis will be required in order to exchange personal data with the EU. The most feasible solution for this will be an adequacy decision, which the EU Commission grants if it decides that the third country can ensure a sufficient level of data protection, as envisaged in Article 45 GDPR. As a result, the transition period will provide the UK with the necessary time to establish an international data transfer policy and for UK businesses to ensure they are GDPR compliant.
The transition period gives the UK and EU more time to negotiate a legitimate basis for data transfers with the aim of protecting UK businesses from facing immediate data transfer restrictions. After the transition period, the GDPR will no longer directly affect the UK. Instead, the UK’s data protection policy will be based on the ‘UK GDPR’, i.e. amended UK data protection legislation to implement the GDPR and the Data Protection Act 2018 and the extraterritorial effect of the ‘EU GDPR’. In order to ensure continued compliance with the GDPR after the transition period, UK businesses will be required to appoint an EU Representative in one of the Member States where they wish to operate.
The Information Commissioner’s Office of the United Kingdom (ICO) is the UK’s independent supervisory body responsible for monitoring compliance with the GDPR and will maintain its mandate during the transition period. It will retain representation rights on the European Data Protection Board (EDPB) for matters affecting the UK but will no longer have any voting rights.
In the post-transition period, the UK will have third-country status within the EU, and its role within the EDPB will cease. However, as the UK data protection policy is expected to be in line with the GDPR, current regulations and recommendations will remain in effect. Thus, UK businesses may continue to follow guidelines provided by the ICO, which will also review and update specific recommendations where necessary.
Recommendations for UK businesses
We recommend that UK businesses carefully follow developments during the transition period. As it is not expected that the transition period will provide sufficient time to negotiate and arrive at an adequacy decision, we advise UK businesses operating inside the EU to ensure that adequate, GDPR-compliant data protection safeguards are prepared now (e.g. Standard Contractual Clauses). In addition, guidelines and recommendations made by the ICO will continue to be a useful resource for UK businesses to remain GDPR compliant.
Lastly, the EU Court of Justice is currently examining the legality of EU Standard Contractual Clauses (SCC) – and the EU-U.S. Privacy Shield – as a legal basis for data transfers outside the EU. The outcome is uncertain, but there is a substantial risk that SCC may no longer be considered sufficient safeguards. We recommend that all UK businesses follow developments on this matter very closely.