In our latest whitepaper we discussed the transfer of personal data to third countries. Now, as a result of Brexit, the status of ‘third country’ may also come to apply to the United Kingdom. What does this mean for the transfer of personal data to the UK and for the supervision of such transfers?
Under the GDPR, all countries that are not part of the European Economic Area are known as ‘third countries’. One of the basic principles outlined in the GDPR is that personal data may not be transferred to third countries as a matter of course. Chapter 5 of the GDPR lists multiple exemptions to this general rule in the form of conditions which, when complied with, lift the ban on personal data transfers to third countries. What these conditions have in common is one strict requirement: the level of protection ensured in the European Union by the GDPR must not be undermined (Article 44).
One of the exemptions referred to above is a so-called adequacy decision (Article 45 of the GDPR). This is a decision by the European Commission to the effect that the third country in question, or a territory or one or more specified sectors within that third country, ensures an adequate level of protection. In this context, ‘adequate level of protection’ means that the third country commits to guaranteeing a level of protection essentially equivalent to that which is guaranteed in the European Union.
The European Commission, however, was not able to reach a decision on the adequacy, or inadequacy, of the level of protection offered by the UK before the beginning of 2021. In the Brexit deal finalised on November 24 2020, the parties involved agreed on a transition period of four months, during which transfers of personal data may continue on the same conditions as before Brexit, unless, within that same period, the UK decides to change the regulations. The transition period may be extended, if necessary, by another two months. So, basically, for the next four to six months, everything stays the same.
At the same time, it is still the European Commission’s intention to reach an adequacy decision for the United Kingdom in the course of the next few months. At this point, however, whether or not this will actually happen remains uncertain, due to various unresolved issues, one of them being the question of the extent to which British investigation services will be authorised to access personal data relating to EU citizens. After all, it was the excessive freedom of access enjoyed by the US intelligence community which led to the invalidation, in July of 2020, of the formerly approved Privacy Shield program. If the European Commission fails to reach a UK adequacy decision, the result will be that, as of July 2021, the United Kingdom will have to be considered a third country to which transfers of personal data will, essentially, no longer be allowed.
All in all, then, it is definitely a good idea for businesses to make sure they are prepared for scenarios like the one referred to above, as they may very well become a reality. One possible instrument to help resolve the issue may be the adoption of Standard Contractual Clauses (SCCs) in the standard contracts approved by the European Commission for mutual commitments between EU-based and third-country parties. There are three sets of standard contracts drawn up by the European Commission: two for the transfer of data from one controller to another controller and one for the transfer of data from a controller to a processor. All three of these actually originate from the days of the GDPR’s predecessor (Directive 95/46). Recently, the European Commission also opened a consultation on two new standard contracts, which are more closely aligned with the GDPR and better suited to the complex processing operations of the present day. These new contracts, when approved, will replace the existing SCCs. We will of course continue to closely monitor new developments concerning Brexit and these new standard contracts.