On 31 December 2020, the National Commission for Data Protection (CNPD) published a statement on the applicability of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), following the UK's departure from the European Union (EU).

Key Takeaways

The General Data Protection Regulation (GDPR) remains applicable in the UK for a maximum period of six months (at the latest until 1 July 2021).

From 1 January 2021, the one-stop-shop mechanism no longer applies to the UK and to the Information Commissioner's Office (ICO).

Appropriate alternative transfer mechanisms can be used in order to avoid any potential interruptions to services, i.e., standard contractual clauses (standard data protection clauses adopted by the European Commission or "ad hoc" contractual clauses); binding corporate rules applicable to the European Economic Area (EEA); codes of conduct or certification mechanisms; or legally binding and enforceable instruments between public authorities or bodies.

In-depth

1. Rules on international data transfers for the specified period in the EU-UK trade and cooperation agreement

Pursuant to the Trade and Cooperation Agreement between the UK and the European Commission, published on 25 December 2020, the EU and the UK committed to uphold high standards of data protection. As part of the new trade deal, the EU has agreed to delay transfer restrictions for at least four months (until 1 May 2021), which can be extended to six months, at the latest until 1 July 2021 (known as "the bridge"). The UK government is seeking adequacy decisions from the European Commission. In the absence of adequacy decisions at the end of the bridge, transfers from the EEA to the UK will need to comply with GDPR transfer restrictions.

However, from 1 January 2021, the one-stop-shop mechanism no longer applies in the UK and the Information Commissioner's Office can no longer act as lead authority. That said, during this transitional period, entities that intend to continue transferring personal data to the UK will not need to take additional steps for the designated period, but must continue complying with the general principles of the GDPR.

If you transfer personal data from the EEA to the UK, we recommend putting alternative safeguards in place before the end of April, if you haven't done so already.

2. Rules on international data transfers after the specified period in the EU-UK trade and cooperation agreement

Two situations will apply, depending on whether the European Commission will adopt an adequacy decision, i.e., by way of a formal decision the European Commission may decide that the personal data protection regime of the UK provides data protection safeguards that are "essentially equivalent" to those in the EU.

2.1. In case of an adequacy decision adopted by the European Commission

Following the adoption of an adequacy decision by the European Commission, no specific authorization will be required and personal data will continue to flow freely from the EEA to the UK.

In any case, these entities must continue to comply with the GDPR and apply its principles when transferring personal data to the UK (e.g., the principle of lawfulness, the compatibility of the communication with the initial processing activity, and the provision of information to the data subjects).

The CNPD has issued guidelines on transfers to a country outside the EEA with an adequate level of protection.

2.2. In the absence of an adequacy decision adopted by the European Commission

In the event the UK is not granted adequacy, EU data protection law will continue to apply to certain "legacy" personal data. Such "legacy" personal data is the data of individuals outside the UK that was transferred from the EU to the UK during EU membership or the transition period.

Additional steps to transfer personal data from Luxembourg to the UK will also need to be taken.

Entities may rely on "appropriate guarantees" as referred to in Article 46 of the GDPR to ensure a sufficient and appropriate level of protection for personal data transferred from Luxembourg to the UK. Such appropriate guarantees include:

  • standard contractual clauses (SCCs) (standard data protection clauses adopted by the European Commission or "ad hoc" contractual clauses)
  • binding corporate rules (BCRs) applicable to the EEA
  • codes of conduct or certification mechanisms
  • legally binding and enforceable instruments between public authorities or bodies

The use of such guarantees will be made in accordance with the Schrems II judgment of the European Court of Justice.

The CNPD issued a statement following the invalidation of the Privacy Shield by the European Court of Justice. It also published the slides of a conference where one of its agents was a panelist and provided practical guidance for companies to comply with the GDPR post-Schrems II. In brief, the recommendations are as follows:

  • identify the transfers to third countries (register of processing activities - Article 30(1)(e) of the GDPR; information provided to data subjects - Articles 13(1)(f) and 14(1)(f) of the GDPR; paying attention to onward transfers)
  • analyse the data receiving country (if there is an adequacy decision — no additional step; in the absence of an adequacy decision — appropriate safeguards [Article 46 of the GDPR] or derogations [Article 49 of the GDPR]; check whether the legal system of the third country allows these guarantees to be effective — depending on the circumstances of the transfer)

Following a case-by-case analysis of the circumstances surrounding the transfer, data exporters may rely on supplementary measures along with the aforementioned tools, if they can ensure that third-country law (in this case UK law) does not impinge on the adequate level of protection that they guarantee.

If, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards cannot be ensured, data exporters are required to suspend or end the transfer of personal data.

To help data exporters in this analysis, the European Data Protection Board (EDPB) recently published its recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data and its recommendations 02/2020 on the European Essential Guarantees for surveillance measures.

The EDPB also published an information note on BCRs for specific cases of groups of undertakings or enterprises that have the ICO as BCR lead supervisory authority.

The EDPB together with the European Data Protection Supervisor (EDPS) adopted opinions on two sets of SCCs (one for contracts between controllers and processors and one on the SCCs for the transfer of personal data to third countries).

The transfer may also be covered by one of the "exceptions" as set out in Article 49 of the GDPR. However, controllers should aim to implement appropriate safeguards and should only rely on the exceptions in the absence of appropriate safeguards. Indeed, Article 49 of the GDPR is subject to a strict interpretation by the data protection authorities to prevent the exceptions from becoming the rule.

In the absence of appropriate guarantees, or where none of the exceptions can be used, the transfer of personal data to the UK will therefore be prohibited.