As the media continues to report the challenging nature of the UK/EU Brexit negotiations, the Commission has in recent months been updating its guidance relating to readiness for the end of the transition period. This has included, on 6 July 2020, issuing an updated Notice in relation to data protection. The main change since the previous edition of the Notice deals with the transitional arrangements provided for in the Withdrawal Agreement, and so the Notice itself does not raise any new points for businesses preparing for the end of the transition period.
However, the Notice is a reminder that, without an adequacy decision in place, transfers of personal data from the EEA to the UK after the end of the transition period will need to comply with GDPR's rules relating to transfers of personal data to third countries. This will require that they take place adopting an 'appropriate safeguard' or a relevant 'derogation'.
Appropriate safeguards will include:
- Standard contractual clauses (SCCs) – Whilst these seem the most obvious mechanism to use, the CJEU is currently considering a challenge to the validity of SCCs. We will be recording a rapid response on the Schrems 2 decision on 16 July.
- Binding corporate rules (BCRs) – Whilst these may be appropriate, BCRs approved by the UK ICO since 25 May 2018 will no longer provide appropriate safeguards, unless they are approved by an EU Member State competent authority. BCRs approved by the ICO before 25 May 2018 can only continue to be used where any connection to the legal order of the UK (e.g., the corporate entity designated) is replaced by equivalent roles within the EU.
- Codes of conduct and certification – The European Data Protection Board will be issuing further guidance as to the use of Codes of conduct and certification as transfer mechanisms.
Alternatively, a 'derogation' may be relied upon under GDPR for a transfer to a third country, such as the data subject's consent.
Transitional provisions under the Withdrawal Agreement
The Withdrawal Agreement provides for the continued protection of data subjects' personal data where it was transmitted to the UK before the end of the transition period. It also ensures the continued protection of the personal data of such data subjects where said data is processed in the UK on the basis of the Withdrawal Agreement after the end of the transition period.
Outlook on adequacy
The Commission has also reported in its general Communication on readiness for the end of the transition period that it is currently conducting its assessment of the UK's regime and has held a number of technical meetings with the UK in order to gather information to inform the process. As we reported, in March 2020, the UK Government has also set out its positon in a number of papers.
Whilst an adequacy decision is clearly the optimum solution for businesses relying upon international data flows, there remain substantial doubts as to whether such a decision will be granted, at least before the end of the transition period. In mid-June, for example, the European Data Protection Board wrote to the European Parliament raising issues about the potential impact of the UK/US agreement on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 3rd October 2019, on an adequacy decision.