On 6 July 2020 the European Commission published a Notice to Stakeholders on the Withdrawal of the UK and EU Rules in the Field of Data Protection (the "Notice"). This Notice provides an update to the previous Notice to Stakeholders which had been issued by the Commission on 9 January 2018 (the "previous Notice"). These Notices were published in order to remind all stakeholders of the legal repercussions in relation to processing personal data which need to be considered when EU law ceases to apply to, and in, the UK at the end of the transition period on 31 December 2020.
The Notice states that following the end of the transition period any transfer of personal data to the UK, other than that governed by Article 71(1) of the Withdrawal Agreement (which shall be discussed later in this note), will not be treated as data shared within the Union. For this reason all relevant stakeholders will need to comply with the relevant Union rules applicable to transfers of personal data to third countries (countries that are not members of the EU).
The updated Notice reaffirms that all transfers of personal data made to the UK after 31 December 2020 (presuming no adequacy decision is announced in the interim period) will have to be effected in accordance with the safeguards set down in Chapter V of Regulation (EU) 2016/679 (the "GDPR"), which comprise:
- standard data protection clauses;
- binding corporate rules;
- codes of conduct and certification under Article 46 of the GDPR; and
- specific derogations outlined in Article 49 of the GDPR.
The Notice also provides greater detail to stakeholders in relation to a number of these safeguards.
- Standard Data Protection Clauses
The Commission provided no new information in the Notice on personal data that may be transferred on the basis of standard data protection clauses adopted by the Commission.
- Binding Corporate Rules
The Commission has stated in the Notice that binding corporate rules that were approved by the competent supervisory authority of the UK since 25 May 2018 will no longer provide an appropriate safeguard after the end of the transition period, unless these rules are subject to a new approval from a competent authority of an EU Member State confirming that they provide an appropriate safeguard for international transfer of personal data after the end of the transition period.
Binding corporate rules which had been approved before 25 May 2018 in the UK can continue to be used as a valid transfer mechanism under the GDPR after the transition period once any connection to the legal order of the UK, such as a designated corporate entity, the competent courts or the competent supervisory authority, is replaced by equivalent roles for corporate entities and competent authorities within the EU.
Further clarification on the procedure for the replacement of these bodies will be included in the forthcoming information note by the European Data Protection Board (the "EDPB").
- Codes of Conduct and Certification under Article 46 of the GDPR
The Commission has stated in its update that while personal data may be transferred on the basis of codes of conduct or certification approved pursuant to the GDPR, together with binding and enforceable commitments of the controller or processor in the third country, the approval of codes of conduct or certification by the competent supervisory authority of the UK no longer provides appropriate safeguards after the end of the transition period.
However, the Notice does confirm that guidance is being prepared by the EDPB in relation to codes of conduct and certification being used as transfer mechanisms.
The Notice provides no new information on the use of the derogations as a means to allow the transfer of data in specific cases.
Article 71(1) of the Withdrawal Agreement
As well as providing further information on certain safeguards which may be used to allow for the transfer of data to the UK, the Notice also provides details of the personal data protection provision of the Withdrawal Agreement. Article 71(1) provides that the personal data of data subjects outside of the UK, where the data was:
- transmitted to the UK or otherwise processed in the UK before the end of the transition period; or
- transmitted to the UK or otherwise processed in the UK after the end of the transition period on the basis of the Withdrawal Agreement;
will continue to be processed in the UK in accordance with the GDPR after the end of the transition period.
This provision protects data subjects whose personal data had been transmitted to the UK while the UK was still a Member State, as well as during the transition period.
This Notice has provided further clarity to stakeholders on the legal position of the UK following the end of the transition period on 31 December 2020. It has also provided a number of updates on matters which had progressed subsequent to the publication of the previous Notice, as well as informing stakeholders of the details of Article 71(1) of the Withdrawal Agreement.