The Withdrawal Agreement

Following the UK Conservatives Party’s landslide victory in December 2019, there were immediate implications for the UK’s Withdrawal from the European Union, which resulted in the UK withdrawing from the EU on 31 January 2020. With the European Parliament’s approval of the Withdrawal Agreement, the UK is now in a transition period until 31 December 2020. That leaves a transition period of only 11 months! The question remains: what is next for data protection, in particular, data transfers from the EU to the UK?

What is next?

The good news is that nothing will change until the end of the transition period. GDPR will continue to apply in the same way as it does now. 

Starting on 1 January 2021 the UK will be a third country within the meaning of the GDPR. The European Data Protection Board already confirmed the UK’s status in a previous statement. Accordingly, a transfer mechanism is necessary for the transfer of personal data from the EU to the UK pursuant to Article 44 et seq. GDPR. Available transfer mechanisms are:

  • Standard contractual clauses
  • Ad hoc data protection clauses
  • Binding corporate rules
  • Codes of conduct and certification mechanisms
  • Derogations

Throughout the transition period, negotiations on an adequacy decision on the basis of Article 45 GDPR will take place. Adequacy decisions have previously been adopted for Argentina, New Zealand, Israel, and most recently, Japan (more on our blog). The Task Force of the European Commission for Relations with the UK confirmed in a statement of 10 January 2020 that the political will is to reach an adequacy decision before the end of the transition period:

“The Union’s data protection rules provide for a framework allowing the European Commission to recognise a third country’s data protection standards as providing an adequate level of protection, thereby facilitating transfers of personal data to that third country. On the basis of this framework, the European Commission will start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom’s withdrawal, endeavouring to adopt decisions by the end of 2020, if the applicable conditions are met. Noting that the United Kingdom will be establishing its own international transfer regime, the United Kingdom will in the same timeframe take steps to ensure the comparable facilitation of transfers of personal data to the Union, if the applicable conditions are met. The future relationship will not affect the Parties’ autonomy over their respective personal data protection rules.”

If an adequacy decision is reached before the end of the transition period, no further transfer mechanisms are necessary. Reaching the adequacy decision by the end of the year is an ambitious goal and many have doubts that this is possible. Thus, organisations must have a back-up plan.

What should organisations do?

There is no immediate need for action. Organisations can still transfer personal data to the UK until the end of 2020 without a transfer mechanism. In order to be able to transfer personal data to the UK after the transition period, organisations should take the following steps:

  • Follow the developments around the adequacy decision. If an adequacy decision is reached during the transition period, there is no need for further action.
  • Identify the processing activities of the organisation that imply a data transfer from the EU to the UK.
  • Prepare an alternative transfer mechanism (likely standard contractual clauses) that can be implemented by 1 January 2021.
  • Include the transfer in the internal documentation and privacy policy. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.