Last month, the European Commission published a notice (the "Notice") to stakeholders providing an update on personal data transfers after the end of the Brexit transition period on 31 December 2020 (the "Brexit Transition Period"). The Notice seeks to keep interested parties informed on the legal considerations concerning transfers of personal data from the EU to the UK after the Brexit Transition Period.
What is the status of EU personal data transfers to the UK after 31 December 2020?
The Notice makes it clear that, with the exception of personal data governed by Article 71(1) of the Brexit Withdrawal Agreement (the "Withdrawal Agreement"), any transfer of personal data to the UK after the Brexit Transition Period will not be treated as sharing of personal data within the European Union. Consequently, European Union ("EU") rules surrounding personal data transfers to third countries (such as non-EU member states, or countries which have not received a European Commission adequacy decision) will apply to personal data transfers to the UK.
The European General Data Protection Regulation ("GDPR") prohibits the transfer of personal data from the EEA to non-EEA countries unless certain specific safeguards (contained in Chapter 5 of the GDPR) are applied as the appropriate basis for any transfer. Such appropriate safeguards include:
- Standard data protection contractual clauses (see our recent alert on the Court of Justice of the European Union's recent decision on the validity of these standard contractual clauses);
- Binding corporate rules;
- Codes of conduct and certification;
- Certain derogations contained in Article 49 of the GDPR; and
- A European Commission adequacy decision.
Interested parties seeking to transfer personal data from the EEA to the UK after the Brexit Transition Period will need to consider their proposed data flows and understand the basis on which they will seek to validate such transfers.
Separation provisions of the Withdrawal Agreement
The Notice also briefly discusses Article 71(1) of the Withdrawal Agreement, which outlines instances in which personal data of data subjects located outside of the UK ("Non-UK Data Subjects") will continue to be processed in the UK in accordance with the GDPR after the Brexit Transition Period. These instances include where personal data:
- is transmitted to the UK or otherwise processed in the UK before the end of the transition period; or
- is transmitted to the UK or otherwise processed in the UK after the end of the transition period on the basis of the Withdrawal Agreement.
The European Commission notes that Article 71(1) of the Withdrawal Agreement seeks to ensure continued personal data protection for Non-UK Data Subjects whose personal data was transferred to the UK before the UK left the European Union and during the Brexit Transition Period, as well as Non-UK Data Subjects whose personal data is processed in the UK after the end of the transition period on the basis of the Withdrawal Agreement.