On 31 January 2020, the United Kingdom (“UK”) left the European Union (“EU”). A transition period was agreed between 1 February and 31 December 2020 where the General Data Protection Regulation (“GDPR”) still applied in the UK.
The end of this transition period, however, marks the end of the formal application of the GDPR in the UK. The UK GDPR sits alongside in an amended version of the UK’s domestic Data Protection Act 2018.
Although the principles of the GDPR have been incorporated into UK law and a Trade and Cooperation Agreement has been agreed between the UK and the EU on 24 December 2020 (the “Agreement”)1, the consequences of the post-Brexit position for data protection following the end of the transition period should not be underestimated.
The preamble of the Agreement states that:
“RECOGNISING the Parties’ respective autonomy and rights to regulate within their territories in order to achieve legitimate public policy objectives such as […] privacy and data protection […], while striving to improve their respective high levels of protection,”
“NOTING the importance of facilitating new opportunities for businesses and consumers through digital trade, and addressing unjustified barriers to data flows and trade enabled by electronic means, whilst respecting the Parties' personal data protection rules,”
This preamble makes it clear that data protection has been taken into account in the Agreement and that the parties have endeavoured to strike a balance between the need to ensure free data flows between countries while ensuring a high level of protection of citizens' rights and freedoms for the UK following Brexit.
We have highlighted the key issues as follows:
> The recognition of the principles of the GDPR as a common legal framework for data protection
Although the GDPR is no longer directly applicable to the UK, this does not mean that a radical paradigm shift in data protection has taken place in the UK following Brexit.
Indeed, as mentioned above, an amended version of the GDPR was introduced in an amendment to the Data Protection Act 2018 (the so-called “UK GDPR”).
Although there are differences between UK GDPR and the GDPR, it shows that the principles of the GDPR have been enshrined as the basis for a robust system of data protection in the EU as well as in the UK, allowing for a fair balance between the imperatives of free movement of data and the protection of fundamental rights.
However, the withdrawal of the UK from the EU is not without consequences, as will be seen below.
> Consequences for transfers of personal data to the UK
According to the Agreement2, personal data transfers from the EU (including the EEA) to the UK will not be considered as transfers to a third country during a specific bridging period starting from 1 January 2021 and ending:
upon adoption of a decision of adequacy by the European Commission demonstrating that the UK provides an adequate level of data protection; or
after four months, which may be extended by two months, unless one of the two parties to the Agreement objects to such an extension.
During this bridging period, personal data may therefore be transferred to the UK without any additional formalities.
According to the Agreement, the application of this further transitional period is made conditional on the UK not introducing new legislation or exercising specific powers in this area (such as issuing new binding corporate rules, issuing new standard contractual clauses, authorising administrative arrangements or codes of conduct) without the prior approval of the EU.
Consequently, while additional formalities are not immediately required, EU entities intending to transfer personal data to the UK should carefully check whether the EU Commission has issued an adequacy decision with regards to the UK before the end of the bridging period.
Should this not be the case, further formalities should be adopted in relation with the transfer of personal data to the UK such as the implementation of safeguards3 or, on a more exceptional and sporadic basis, the use of specific derogations4.
With regards to international transfers, it is also to be noted that the Partnership Council5 created under the Agreement has the power to make recommendations to the parties regarding the transfer of personal data in specific areas covered by the Agreement or any supplementing agreement.
> Consequences for cross-border processing
The withdrawal of the UK from the EU also affects cross-border processing within the EU. By cross-border processing, we mean:
the processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the EU where the controller or processor is established in more than one Member State; or
the processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the EU but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
At the end of the transition period, some processing considered as cross-border may not be considered as such anymore. For example, the processing carried out in the context of the activities of two establishments of a company, one in the UK and one in Luxembourg, is not cross-border within the meaning of the GDPR (unless such processing activities may also substantially affect or is likely to affect data subjects in another EU Member State other than Luxembourg).
Likewise, the UK data protection supervisory authority (the Information Commissioner’s Office) is no longer part of the system of cooperation and consistency procedures for cross-border processing foreseen under the GDPR between the EU national data protection supervisory authorities (the so-called “One Stop Shop Mechanism”).
In the example above, a data breach affecting the processing will not be investigated only by a leading supervisory authority within the framework of the “One-Stop Shop Mechanism” but by:
the CNPD as Luxembourg supervisory authority applying the GDPR or, if the processing substantially affect or is likely to affect data subjects in one or more Member State, the leading supervisory authority applying the GDPR; and
by the Information Commissioner’s Office of the UK under the UK data protection laws.
In the context of processing activities carried out in the UK and in the EU, entities shall then be aware that they may deal with different supervisory authorities applying different data protection laws in contrast to the position before the Brexit.
> Appointment of a EU or UK Representative
One of the innovations of the GDPR at the time of its adoption had been the extension of its territorial scope in comparison to the former EU Directive.
The GDPR could also apply to persons not established in the EU but who either processed data in connection with the offering of goods or services to data subjects in the EU or in connection with the monitoring of the behavior of data subjects that took place in the EU.
Such entities that fall within the scope of the GDPR without having establishments in the EU under the conditions described above must, according to the GDPR, designate a representative in the EU who represents such entity with regard to their respective obligations under the GDPR.
As a consequence, UK entities that are not established in the EU and that process personal data in connection with the offering of goods or services to data subjects in the EU or monitoring their behaviors in the EU shall in principle from now on be required to designate such a representative, unless specific exceptions apply.
Such designation is made in writing and the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services or whose behavior is monitored, are located.
It is also to be noted that similar principles regarding the designation of a representative apply according to the UK GDPR. EU Companies with no establishments in the UK may then be obliged to designate such a representative where they offer goods and services or monitor data subjects behavior in the UK.
Consequently, EU entities that are not established in the UK and that process personal data in connection with the offering of goods or services to data subjects in the UK or monitoring their behaviors in the UK shall also in principle from now on be required to designate such a representative, unless specific exceptions apply.
> Other points of attention
In general, entities shall ensure that their respective data protection documentation is updated in view of the Brexit, including without limitation by:
reviewing privacy notices in order to reflect the fact that the UK will be deemed as a third country after the end of the bridging period or indicating the EU/UK representatives as the case may be;
updating the record of processing activities to include the transfer of data to the UK after the end of the bridging period foreseen under the Agreement;
making sure that the Data Protection Officer is available to take on requests in any establishments in the EU even after the Brexit; and
updating, if need be, data protection impact assessments to reflect the transfer to the UK after the end of the bridging period.
> Conclusion
As a conclusion and despite the Agreement between the UK and the EU, businesses should be aware that the withdrawal of the UK from the EU has significant consequences in terms of data protection. They should proceed with the necessary adaptations and verify what further next steps should be undertaken at the end of the bridging period foreseen under the Agreement depending on whether the EU Commission issued an adequacy decision concerning the UK or not.
We would like to thank M. Mark Shaw, Partner and Head of the Wildgen’s London Representative Office for the review of the article. This article has been written under the direction of Karine Vilret, Partner.
1. OJEU, 31 December 2020, L 444/14 - Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part.
2. Article FINPROV.10A of the Agreement.
3. Article 46 GDPR.
4. Article 49 GDPR.
5. The Partnership Council shall comprise representatives of the European Union and of the United Kingdom and may meet in different configurations depending on the matters under discussion. The Partnership Council shall be co-chaired by a Member of the European Commission and a representative of the Government of the United Kingdom at ministerial level.