On January 31, 2020, the United Kingdom confirmed its departure from the European Union, thus becoming a third country. The different areas affected by this decision notably include data protection, since, once the current transition period ends, exchanging data between EU Member States and the UK will be considered transferring data to a third country.
Don’t miss our content
SubscribeOn January 31, 2020, the United Kingdom confirmed its departure from the European Union, thus becoming a third country. The different areas affected by this decision notably include data protection, since, once the current transition period ends, exchanging data between EU Member States and the UK will be considered transferring data to a third country. Therefore, it will be necessary to comply with the conditions and guarantees contained in Chapter V of the General Data Protection Regulation (GDPR), as this is the only way it will be possible to transfer data to the UK.
The UK is currently in a transition period (which will last until December 31 of this year), and EU law remains applicable in all areas, including data protection regulations. However, it is essential to know what the legal situation will be after the transition period ends, and the guarantees that must be provided to transfer data to the UK.
The mechanisms provided by the GDPR include the option that, a priori, appears most likely, i.e., the European Commission adopting an adequacy decision regarding the UK, establishing that the it offers a level of protection equivalent to that of the EU. On July 9, 2020, the European Commission published a communication stating that “the EU will use its best endeavors to complete the assessment of the UK regime by the end of 2020 with a view to possibly adopting an adequacy decision if the United Kingdom meets the applicable conditions.” The Commission is currently conducting this assessment and has held various technical meetings with its UK counterparts to collect the information required.
In any case, until an adequacy decision is adopted, in accordance with article 71 of the Agreement on withdrawal between the UK and the EU, EU law will continue to apply with regard to processing the following personal data:
- Data processed in the UK before the end of the transition period under EU law; and
- Data processed in the UK after the end of the transition period based on the Agreement on withdrawal.
If the Commission does not adopt an adequacy decision for the UK, personal data can only be processed if adequate guarantees are offered under article 46 of the GDPR. The different guarantees that can be provided notably include:
- Submitting to binding corporate rules approved by the competent authority under article 47 of the GDPR;
- Using the standard data protection clauses adopted by the Commission;
- Preparing a code of conduct approved under article 40 of the GDPR; and
- Creating a certification mechanism approved under article 42 of the GDPR.
On July 16, in the Schrems II judgment, the CJEU advised that, for the Commission to adopt an adequacy decision or to consider sufficient guarantees offered, the third state must guarantee data subjects an equivalent level of protection of the fundamental rights and freedoms to the GDPR. You can find more information on this highly significant resolution here.
Finally, in the absence of an adequacy decision or adequate guarantees, the exceptions envisaged in article 49 of the GDPR must be mentioned; these allow personal data to be transferred to a third country in specific situations. For example, this applies when the data subject has explicitly consented to the specific transfer after being informed of the possible risks, or when the transfer is necessary to perform an agreement entered into with the data subject and the data controller.
Authors: Sergi Gálvez and Ainhoa Rey
Don’t miss our content
Subscribe