On June 23, 2016, the British people voted in a referendum to leave the European Union. The withdrawal procedure was officially initiated on March 29, 2017, with the handover of the so-called BREXIT letter from the British government to the president of the EU Council Donald Tusk. The withdrawal procedure is governed by Article 50 of the EU Treaty, which sets out the roadmap for the withdrawal. For example, Art. 50 para. 2 of the EU Treaty stipulates that a withdrawal agreement should be concluded. According to Art. 50 para. 3 of the EU Treaty, the European treaties shall cease to apply two years after the receipt of the BREXIT letter, unless the European Council, in agreement with the member state concerned, unanimously decides to extend this period. In fact, the exit date was postponed several times, most recently to January 31, 2020. Despite leaving the European Union, the United Kingdom remained in the single market and customs union until December 31, 2020. Until that date, the UK and the EU struggled to reach an agreement governing their future relationship. Finally, on December 24, 2020, the so-called “Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part” was concluded.
The question arises as to what now applies in terms of data protection law. Before the United Kingdom left the Single Market and the Customs Union, personal data could be transferred to the United Kingdom without any special conditions having to be met. As the General Data Protection Regulation applies directly in the member countries, an equivalent level of data protection for natural persons and the free movement of personal data is guaranteed throughout the European Union. Following the UK’s exit from the EU, the General Data Protection Regulation no longer applies in the UK, so that an equivalent level of data protection can no longer be assumed. In order to protect the fundamental right of natural persons when processing personal data relating to them, such data may only be transferred to a non-EU country if that country offers an adequate level of protection and this has been determined by the European Commission in an adequacy decision (Art. 45 para. 1 GDPR). Such an adequacy decision currently exists for Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. There is currently no adequacy decision for the United Kingdom.
The transfer of personal data to non-EU countries for which there is no adequacy decision is only permitted if the controller and the recipient of the data have provided appropriate safeguards and provided that enforceable rights and effective remedies are available to the data subjects (Art. 46 para. 1 GDPR). These conditions can be met, for example, by concluding standard contractual clauses (Art. 46 para. 2 lit. c GDPR). However, the use of standard contractual clauses has become more difficult against the background of the ruling of the Court of Justice of the European Union (CJEU) of July 16, 2020 on Privacy Shield. While the CJEU had confirmed the possibility of using standard contractual clauses, it had pointed out the need to comply with the guarantees and obligations under the standard contractual clauses. The data processor has to critically assess its ability to comply with the data protection obligations imposed on it in the standard contractual clauses. Both the data exporter and the data processor are liable to pay damages to any data subject whose data is processed in the event of a breach of obligations. Furthermore, the data exporter faces a fine. In the meantime, the European Data Protection Board has published recommendations for supplementary measures (“Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” of November 10, 2020) to ensure that the rights of data subjects are safeguarded. The effort involved is unnecessary if the European Union and the United Kingdom have a different arrangement in the Trade and Cooperation Agreement. In fact, there is a provision in Part 7, Article 10A. According to this provision, for four months after the agreement enters into force, the transfer of personal data from the European Union to the United Kingdom is not considered a transfer to a non-EU country, as long as the United Kingdom adheres to the previous data protection law.
The four-month period is automatically extended by two additional months unless one of the contracting parties raises objections. By the end of June 30, 2021, at the latest, the UK will then be considered a non-EU country.
It remains to be hoped that the EU Commission will issue an adequacy decision before the end of April 30, 2021 or June 30, 2021, as the case may be. Before that, however, the EU Commission will check whether the requirements for this are met. Article 45 para. 2 of the GDPR sets out criteria on the basis of which the adequacy decision has to be made. Accordingly, an effective data protection regime must exist, an effective data protection supervisory authority must be in place, and account is taken of whether the country has entered into international obligations that are relevant for the protection of personal data. The EU Commission will use these criteria, which are not exhaustive, as part of an overall assessment to decide whether the country offers an adequate level of data protection. It is therefore by no means certain that the EU Commission will actually adopt an adequacy decision with regard to the United Kingdom.
On February 19, 2021, the EU Commission announced in a press release that the procedure for the adoption of an adequacy decision had been initiated. In order to successfully conclude the procedure, the opinion of the European Data Protection Board (EDPB) and the consent of the individual member states are required. Only then can the decision be adopted by the EU Commission.
In order to avoid data protection violations, and thus also to avoid fines and claims for damages, companies are therefore advised to take advantage of the transitional period and first check whether personal data is actually being transferred to the UK. If this is the case, they should take the precaution of preparing for the worst-case scenario and prepare standard contractual clauses. In this context, the aforementioned ruling of the CJEU on Privacy Shield as well as the recommendations of the European Data Protection Board should be taken into account.